
    Why pesky computer passwords could be passé

    by Alan Zisman (c) 2010. First published in Business in Vancouver, March 23-29, 2010, issue #1065

    High Tech Office column

    Is your password “123456”? How about “password”?

    In December, security firm Imperva analyzed 32 million passwords stolen from the RockYou service. The hackers had kindly posted a list of all the passwords they had been able to steal. The most common? “123456,” followed by “12345,” “123456789” and “password.” Others in the top 10 included “iloveyou,” “princess” and “abc123.” Common children’s names (“Nicole,” “Daniel,” “Jessica” and “Ashley”) and the not very tricky “654321” and “qwerty” were among the top 20.

    If you’re using one of those or other easily guessable passwords – and particularly if you’re using the same password for everything – you’re setting yourself up for theft from bank accounts and identity theft, or for having your personal computer and business network host spambots and phishing scams.

    Vaclav Vincalek of Vancouver network security consultants Pacific Coast Information Systems says only part of the problem is end-users who feel overwhelmed at being asked to create and manage multiple passwords. He points out that banks use simple four-digit PINs, suggesting those are the most complex that we can easily remember.

    Instead, IT departments – trying to eliminate simple, easily guessed passwords – create complex requirements: perhaps demanding a mix of uppercase and lowercase characters plus numbers and including special characters. And by the way, be prepared to change your password every 90 days.

    No wonder many of us write our password onto a sticky note and paste it onto our monitor.

    While we too often leave our passwords in plain view, the organizations charged with storing them too often don’t do much better. Despite claiming that “our users’ privacy and data security have always been a priority for RockYou,” the service stored users’ passwords as readable text in a database, vulnerable to attack.

    Most websites and networks let users repeatedly try to enter their password, which encourages guessing by outsiders. And if you don’t remember your password on a service you rarely use?

    Many let you enter your e-mail address, following up with a message to help. That’s not a bad thing if the e-mail leads you to a secure web page that allows you to log in and then has you enter a new password.

    But too often, those e-mails simply type out your password – in plain text, easy for you to read, but also easy for anyone else to read. That also suggests that, like RockYou, they’re storing your passwords in an unencrypted text file, where they can be read by anyone with access – legitimate or not – to their database.
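    The three points above (guessable passwords, unlimited retries, and passwords stored or e-mailed in plain text) can be shown in one small account store. This is an added illustration, not code from the column or from Pacific Coast Information Systems; the blocklist is built from the RockYou entries the column names, and the attempt limit and hash round count are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed blocklist: the RockYou top entries named in the column.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "abc123", "654321", "qwerty"}
MAX_ATTEMPTS = 5         # assumed lockout threshold
PBKDF2_ROUNDS = 100_000  # assumed work factor for the slow hash


def acceptable(password: str) -> bool:
    """Reject the well-known guessable passwords and anything too short."""
    return len(password) >= 10 and password.lower() not in COMMON_PASSWORDS


def make_record(password: str) -> dict:
    """Keep a random per-user salt and a slow hash, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "failures": 0}


def verify(record: dict, attempt: str) -> str:
    """Return 'ok', 'bad' or 'locked'; counting failures bounds guessing."""
    if record["failures"] >= MAX_ATTEMPTS:
        return "locked"
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, record["hash"]):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    return "bad"


def issue_reset_token(record: dict) -> str:
    """What a reset e-mail should carry: a random one-time token, not the password.
    Only the token's hash is kept, so a leaked database cannot reuse it."""
    token = secrets.token_urlsafe(32)
    record["reset_hash"] = hashlib.sha256(token.encode()).digest()
    return token


def redeem_reset_token(record: dict, token: str, new_password: str) -> bool:
    """Accept the token once, then replace the stored hash with a fresh one."""
    expected = record.get("reset_hash")
    presented = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(presented, expected):
        return False
    if not acceptable(new_password):
        return False  # token stays valid; the user must pick a better password
    del record["reset_hash"]  # single use
    record.update(make_record(new_password))
    return True
```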

    Vincalek thinks it’s time to move beyond passwords entirely. No, not to biometrics like fingerprint scanners.

    Instead, he says that while it’s hard for most of us to remember complex passwords, it’s easy for people to remember patterns.

    Maybe, when setting up an account, we could pick something we’re familiar with: musical instruments, sports-team logos, types of flowers. Then pick a pattern of those objects: piano, guitar, violin, drum, drum, clarinet. On log-in, you could be presented with a grid of randomly arranged pictures of those objects. Click the right ones in the right order and you’re logged in.

    Vincalek realizes that our networks won’t quickly move to anything like this. In the meantime, he suggests making shapes with letters on your keyboard and combining them with the domain name.

    Try an inverted v-shape starting on the letter “z”. Alternate upper and lowercase. Add “yahoo” and you’ve got a password for Yahoo Mail. Need to change it? Move it over one character, starting with the “x.” Hard to guess, easy to type.

    No, neither of those is my password. But neither are “princess,” “iloveyou” or “123456789.”

    Keep ’em guessing – and don’t use sticky notes!

Alan Zisman is a Vancouver educator, writer, and computer specialist.