Wednesday, October 1, 2008

Strong passwords, weak security

D7B3BE289B1020A8A1D25FFC74

That's the password to log on to our WEP encrypted wireless access in one of our district's meeting rooms. With one or two changed characters, of course.

I've always had a suspicion that the requirement for a "strong" password really creates more security problems than it solves under most circumstances. Strong passwords require a minimum number of characters (12-14), need to be a combination of numbers and upper/lower case letters, and often need to be force-changed on a regular basis.

All of which leads normal people to write them down and hide them in a convenient place: the top desk drawer, under the desk calendar, on a sticky note stuck to the monitor...

The rationale for strong passwords is that they are harder to discover if someone runs a fancy password-guessing program against a computer security system. These programs rapidly try all common words and names in an attempt to gain access.

So the question I have to ask is: which is more likely, a middle school student having access to a cracking program, or knowing that passwords can be found under the teacher's (or parent's) desk blotter?

There are compromises that involve mnemonic clues to remembering strong(er) passwords:

  • add a date to a child's or pet's name (sammy411)
  • substitute numbers or symbols for letters (r0o$evelt)
  • create an acronym (1itln - one is the loneliest number)
  • write the password down but with a change in a single character that one can actually remember

None of these are recommended by a computer security expert, I am sure. Be thankful I don't work for the CIA.
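As an added illustration (it is not part of the original post), the script below scores this post's own sample passwords two ways: a naive brute-force count that treats every character as independent, and a wordlist-plus-rules count of the kind a password-guessing program actually follows, which undoes the letter-for-symbol swaps and strips a short trailing number before comparing against common words and names. The mini wordlist, its assumed size of 50,000 entries, the swap table and the rule set are constructed assumptions; the passwords are the ones on this page.

```python
"""Estimate how much a "mnemonic" transformation really adds to a password.

Added example.  The post lists tricks such as appending a date to a name
(sammy411) or swapping symbols for letters (r0o$evelt).  A guessing
program does not attack these character by character; it tries a wordlist
and then re-tries each word with a small rule set.  This script scores a
password both ways and reports the cheaper strategy.
"""
import math
import re
import string

# Constructed stand-in for a cracker's wordlist (assumption).  Only
# membership is checked here; the size below is the assumed real list size
# used for the guess count.
COMMON_WORDS = {"sammy", "roosevelt", "jimmy", "password", "school", "amazon"}
ASSUMED_WORDLIST_SIZE = 50_000

# Common letter-for-symbol swaps (the "r0o$evelt" trick) - assumed rule set.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s",
        "@": "a", "7": "t", "!": "i"}
SWAPPABLE = set(LEET.values())


def unleet(text):
    """Undo symbol-for-letter swaps so r0o$evelt compares as roosevelt."""
    return "".join(LEET.get(c, c) for c in text.lower())


def charset_size(password):
    """Alphabet size a naive brute-force estimate would assume."""
    if (all(c in string.hexdigits for c in password)
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)):
        return 16  # hex keys such as the WEP string quoted in the post
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_guesses(password):
    """Worst case for the attacker: every combination of the alphabet."""
    return charset_size(password) ** len(password)


def wordlist_guesses(password):
    """Guess count when the password is a known word plus common mangling,
    or None when no such pattern is recognised."""
    if not password:
        return None
    body, digits = re.fullmatch(r"(.+?)(\d{0,4})", password).groups()
    word = unleet(body)
    if word not in COMMON_WORDS:
        return None
    # Assumed rule set: each word is tried plain and with every combination
    # of swaps for the letters that have one, times every number of that length.
    swap_variants = 2 ** sum(1 for c in word if c in SWAPPABLE)
    digit_variants = 10 ** len(digits)
    return ASSUMED_WORDLIST_SIZE * swap_variants * digit_variants


def estimate(password):
    """Return (strategy, guesses, bits) for the cheaper attack strategy."""
    brute = brute_force_guesses(password)
    pattern = wordlist_guesses(password)
    if pattern is not None and pattern < brute:
        strategy, guesses = "wordlist+rules", pattern
    else:
        strategy, guesses = "brute force", brute
    return strategy, guesses, round(math.log2(guesses), 1)


if __name__ == "__main__":
    for pw in ["sammy411", "r0o$evelt", "1itln", "D7B3BE289B1020A8A1D25FFC74"]:
        strategy, guesses, bits = estimate(pw)
        print(f"{pw:28} {strategy:15} ~2^{bits:<5} ({guesses:.2e} guesses)")
```

Run as-is it prints one line per sample. The numbers make the post's point: r0o$evelt and sammy411 come in under 2^28 guesses once the transformations are known, 1itln is short enough to brute-force outright, and the 26-hex-digit WEP key is the only one out of a guessing program's reach, while also being the one nobody can remember.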

Social hacking remains the number one computer security threat, at least according to the things I read. If you call someone and say you are from so-and-so security firm and are conducting an audit and need to verify his/her password, a high percentage of people happily divulge that information.

At last count, I have 54 different programs and websites that require a password for either school or work. I have them all stored in a password-protected database on my computer. Were a person able to obtain access, horror of horrors, s/he would be able to see my frequent flier miles, credit card and bank balances (both embarrassing), and edit my school web page. There are some benefits, sigh, to living a dull life.

So how do you create passwords that are difficult to guess but easy to remember? What are the practical rules for passwords schools should establish - and teach to kids?


Reader Comments (6)

I have an algorithm I use for all my personal accounts. I can't remember where I got this idea, it may have been over at 43folders.com. First, make up a random string of letters and numbers with some mixed lower-case/capitals. Let's say nfV640. Ok, remember it has to be RANDOM. No dates, no initials. And don't write it down! Trust me, you can memorize it. Now, whenever you need to make up a password, let's say for Amazon.com, you type in the first two letters of the site, your memorized code, then the last two letters. So for AMazON it would be amnfV640on. This way, every password is unique but easily remembered. Now as for the 14 or 16 character ones Doug is talking about, I have no clue.

October 1, 2008 | Unregistered Commenterteacherninja
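The scheme in the comment above, implemented as an added example (this is not the commenter's code), together with the check a defender would want next to it: every password produced this way shares the same memorized core, so two of them differ only in four site letters, and a password-history or reuse check that measures the longest shared run of characters will treat them as one credential rather than two. The core value nfV640 and the Amazon example come from the comment; the second site and the five-character threshold are assumptions.

```python
"""Site-prefix + memorized-core + site-suffix passwords, and a reuse check.

Added example.  derive() builds a password exactly as the comment describes;
related() is the kind of test a password-change policy can apply to flag
new passwords that are mostly the old one.
"""

CORE = "nfV640"  # the memorized random string from the comment


def site_stem(site):
    """'Amazon.com' -> 'amazon'; the comment works from the bare site name."""
    return site.lower().split(".")[0]


def derive(site, core=CORE):
    """First two letters of the site, the core, then its last two letters."""
    stem = site_stem(site)
    return stem[:2] + core + stem[-2:]


def longest_common_substring(a, b):
    """Length of the longest run of characters that a and b share
    (classic dynamic-programming table, one row kept at a time)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, start=1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def related(pw1, pw2, min_shared=5):
    """True when the two passwords share a run of min_shared or more
    characters, i.e. knowing one gives away most of the other.
    The threshold of 5 is an assumed policy value."""
    return longest_common_substring(pw1, pw2) >= min_shared


if __name__ == "__main__":
    amazon = derive("Amazon.com")   # "amnfV640on", as in the comment
    ebay = derive("Ebay.com")       # constructed second site
    print(amazon, ebay, "shared run:", longest_common_substring(amazon, ebay))
    print("treated as the same credential:", related(amazon, ebay))
```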

I recommend two small words with a number or special character. And of course uppercase some letter in a pattern you can remember. The number can be between the words (probably ideal) or before or after. You could probably also use a site mnemonic to split a common set of words to make a pattern. Maybe even a pattern to remember if the site mnemonic is at the start, middle or end of the phrase.

October 1, 2008 | Unregistered CommenterAlfred Thompson

2 words: fingerprint reader

October 1, 2008 | Unregistered CommenterJim Dornberg

I have found that the NameDate idea works well holding the shift key. Therefore, Jimmy1976 becomes JIMMY!(&^. Whenever possible I try to make my username w/o the shift and password w/ shift.

October 1, 2008 | Unregistered CommenterCarl Anderson

The answer has been staring everyone in the face for quite a few years now, and that's biometric authentication (what Jim Dornberg mentioned). Hasn't really seemed to catch on yet though...

Any SECURE government office uses a combination of biometric authentication (voice, retina, fingerprint, etc...) and typical text passwords and/or an entire secure solution.

Great video on strong passwords by Watchguard

October 1, 2008 | Unregistered CommenterJim Keltgen

@ Ninja, Alfred and Carl,

Great tips. Thanks,

Doug

@ Jim and Jim,

Hi Jim,

I agree that biometrics has its place, especially when a person uses a single computer or two.

I don't know how this will work as the world moves toward cloud computing - where your desktop and applications can be accessed from any computer.

Thanks for the link to the video!

Doug

October 4, 2008 | Unregistered CommenterDoug Johnson
