The Great Password Reset

IT Management, Passwords

The scene:  A narrow, poorly lit inner-city alleyway.  You turn the corner and face the old wooden door of a Prohibition-era speakeasy.  Your hand reaches out to give an assertive, yet discreet, knock.  A small porthole opens.  A grim-looking face appears and asks you for your password.  You think for a moment and respond “pass1234.”  He frowns and slams the porthole closed.  “No… wait… that’s the password for the speakeasy down the street.  Try ‘QWERTY67.’  What’s that?  Oh, right, we’re on the East side of town; I need at least one special character.”

Computer passwords were invented roughly 50 years after this scene.  They have been in use for the 50 years since.  They will probably be in existence for 50 years more. 

Passwords never used to be so complicated, but then again, they’ve never been so potentially dangerous.  Passwords are the keys to our private kingdoms; kingdoms that are now accessible from anywhere on the globe with an Internet connection.  These days there’s very little information we wish to keep private that is not protected by a password of our own choosing. 

In this month’s edition of Gigabytes we examine passwords, their flaws and their undeserved longevity.  Then, we will reintroduce a password management strategy that can reduce password aggravation, while improving our personal online security. 

Passwords Fail Us All

At least once per week most of us receive a random email from a friend’s personal Yahoo, Hotmail, or Gmail account containing nothing more than a web link featuring 50% off prescription drugs.  A few hours later arrives the apology message: “Please don’t click on the link, that’s how this whole mess started for me!”  The likely cause of this fiasco: a weak password. 

Perhaps you’re not as alluring a target as Sarah Palin was in 2008, when a college student in Tennessee hacked her personal Yahoo email account.  The hacker reset Palin’s password using just her birthdate, ZIP code and information about where she met her spouse (the security question on Palin’s email account), eventually correctly guessing ‘Wasilla high’. 

How Can It Be So Easy? 

According to Forrester, password problems and resets generally constitute between 25% and 40% of all help desk incidents.  Recent projections state that Yahoo has at least 250 million email addresses.  Let’s assume that just 1 in 10 Yahoo email users needs to reset their password an average of once a year, at a cost of $10 per reset.  That’s $250 million each year.  While it’s easy to fault the mail providers for using minimal safeguards to protect their users’ identities, perhaps we, the users, are equally to blame. 

After all, when selecting your personal email provider, your bank, your search engine of choice, or your travel agent, how much emphasis did you put on that firm’s commitment to your security?  The fact is, most of us are many times more likely to complain about security measures that in any way complicate or delay our access to our beloved online tools than we are to promote a provider who touts higher security standards.   

Cracking Passwords

While the college student from Tennessee used a password reset technique to unlock Palin’s email account, one could just as easily automate such an attack.  A hacker could simply run a dictionary attack against any username/password prompt and return after lunch to see what’s turned up.  The average time to crack a 6-character (all lowercase) password is just 10 minutes!  Incorporating uppercase characters extends that to 10 hours.  Mixing in numbers and symbols raises the average time to crack to a whopping 18 days.  Do you see why IT management pushes for those special characters and account lockouts after 5 failed attempts?
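As an added worked check of these figures (not code from the original post): the post’s 10-minute baseline pins down a guess rate, and scaling by keyspace reproduces the 10-hour figure exactly and lands near the 18-day one; the 15-minute lockout window at the end is an assumed value.

```python
"""Keyspace arithmetic behind the cracking times quoted above. Added
illustration, not code from the original post; the post's 10-minute baseline
for 6 lowercase characters fixes the guess rate, and the 15-minute lockout
window used at the end is an assumed value."""
import string

# Character-set sizes. The post does not say which symbols it counts; the
# 32 in string.punctuation are used here, giving a full set of 94.
LOWER = len(string.ascii_lowercase)                           # 26
MIXED = len(string.ascii_letters)                             # 52
FULL = MIXED + len(string.digits) + len(string.punctuation)   # 94


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def average_guesses(charset_size: int, length: int) -> float:
    """Expected guesses to hit a uniformly chosen password: half the keyspace."""
    return keyspace(charset_size, length) / 2

def guess_rate(charset_size: int, length: int, avg_minutes: float) -> float:
    """Guesses per second implied by an observed average crack time."""
    return average_guesses(charset_size, length) / (avg_minutes * 60)

def average_crack_minutes(charset_size: int, length: int, rate: float) -> float:
    """Average minutes to crack at `rate` guesses/second (no throttling)."""
    return average_guesses(charset_size, length) / rate / 60

def online_lockout_minutes(charset_size: int, length: int,
                           attempts: int, lockout_minutes: float) -> float:
    """Average minutes when the account locks for `lockout_minutes` after
    `attempts` failures, so the guesser gets only `attempts` tries per window."""
    return average_guesses(charset_size, length) / attempts * lockout_minutes


# Guess rate implied by the post's baseline: 6 lowercase characters, 10 minutes.
BASE_RATE = guess_rate(LOWER, 6, 10)

if __name__ == "__main__":
    for name, size in (("lowercase", LOWER), ("mixed case", MIXED), ("full set", FULL)):
        minutes = average_crack_minutes(size, 6, BASE_RATE)
        print(f"{name:10} x6: {minutes / 60:9.1f} hours = {minutes / 1440:6.2f} days")
    print(f"lowercase x8: {average_crack_minutes(LOWER, 8, BASE_RATE) / 1440:.2f} days")
    # Same 6 lowercase characters guessed online against a 5-try, 15-minute lockout.
    years = online_lockout_minutes(LOWER, 6, 5, 15) / (365 * 1440)
    print(f"lowercase x6 with lockout: {years:.0f} years")
```

Running it shows the mixed-case figure at 640 minutes (the post’s “10 hours”), the full set at about 15.5 days against the post’s 18, and the same 6 lowercase characters stretching to roughly 880 years once a 5-try, 15-minute lockout throttles online guessing.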

Out of the Paranoia and Into the Fire

We users were very leery about entering our personal information on the Internet, at least initially.  But the banks and credit card companies assured us that if fraud on our account did occur, we wouldn’t have to shoulder those financial responsibilities.  We grew out of our paranoia. 

Soon every company we interacted with wanted us to create a username/password.  We were lectured by the IT pros of the day to never write any passwords down.  That’s a dead giveaway!  What choice did we have but to start using the same passwords for everything?

Addicted to Passwords

Passwords are to the IT industry what oil is to the energy industry: dirty, aggravating, and increasingly expensive, albeit a lot cheaper than anything else we have so far found.  As surely as a car needs gas to move, businesses desperately need to interact with their customers online.   Need proof?  Try counting the cars through a bank drive-up window versus the ATM one lane over.  Passwords, PINs, challenge questions, and the like are annoying, but our addiction to cheap authentication means that they are not going away for a long, long time.  Perhaps another 50 years?

Write ‘Em Down

There continues to be no excuse for those among us who affix to their monitor a Post-it note with their password on display for all who pass by.  We cannot protect those who refuse to protect themselves.  For the rest of us, an old password management strategy is re-emerging.  Develop a complex password (8+ characters, special characters, numbers, capitals, etc.).  Write it down.  Stuff it into your wallet.  You are already good at securing pieces of paper in your wallet, right? 

2 responses to “The Great Password Reset”

  1. Paul Says:
    question:
    I've gotten into the habit of using Outlook Notes to store my passwords. Is this a secure medium?
  2. Chris Geiser Says:
    Thanks for your question, Paul. To answer that, you have to first consider the access points available to Outlook. For example, if you have Outlook Web Access, then a would-be hacker is only a user name (easy) and password (hopefully hard) away from gaining access to that folder and the rest of your online accounts. Additionally, Outlook with an Exchange server makes things (including notes) easy to share across your organization, so one must be extra careful not to accidentally give access to the password folder. Finally, if you are on an enterprise mail server, most of your Outlook data is replicated to the mail server and then again to backup media, all of which need to be protected (by you and others) to ensure your password file is not compromised.

    On balance, I would submit to you that Outlook Notes is not an ideal place to store passwords, as there are too many potential points of entry.
