(it looks like these were harvested by self-propagating
phishing messages - sent from one account to people
in the addressbook, hence apparently from friends)
So why are we still using them, decades after security experts said they
would be replaced by biometrics and smartcards? For the same reason we still
use simple cylinder locks on our houses, despite the fact that they can be picked
in 2 minutes with a paperclip (I've done it) - they are cheap, simple,
and mostly "good enough".
Problems with passwords
If simple, they can be guessed (actual passwords used in a typical dictionary attack)
If complex, they are hard to remember, or even read (is that "1" or "l", "-" or "_"?)
It is hard to keep track of lots of different passwords, and remember what works where
They can be harvested by malicious programs infecting your PC, or at an Internet cafe or open WiFi connection
If you lose one, it will generally work for anyone, just like a door key
It is extremely tempting to just use the same password everywhere, but this
is a really bad idea. While your home probably has one key that opens all the
doors (unless you live in a castle that predates mass-production), and your
car key opens the trunk too, you probably don't want a single key that
works for your home, car, gym locker and safety-deposit box - especially if you use
valet parking. Or have one card that works for Interac, pay phones, and
as a hotel room key. Not just because you might lose the key - but the janitor
at the gym can now drive away your car, and the hotel concierge can
empty your bank account.
See this study by Trusteer.
The TRIUMF Password Policy (2007) prohibits using the same password at TRIUMF as offsite.
Password Reset Questions
Many websites now have reset questions, with a "secret answer" you can use to reset your password
if you forget it. The problem here is that the answers can often be found on Facebook or Google. For instance,
your mother's blog shows your "mother's maiden name" and your "first pet's name", while your kids let slip
your "favourite colour". Sarah Palin's account was hacked because her reset answer appeared in public documents.
I just make up random answers and add them to my password store.
How to Change Passwords
This sounds like a no-brainer, unless you actually try to do it on
a site like eBay or Telus. Try looking under "Account" or "Profile" or
"Home". Some sites have restrictions on password length or content.
A minimum length is quite common. Some require at least one
punctuation character, others forbid certain characters. Some
have an unstated maximum length, e.g. 15 characters, and may silently
truncate passwords, causing a mismatch between the browser's saved password and
what the website stored. Check that your new random password actually works by logging out
and in again before deleting the old one from your records.
Use federated ID schemes like OpenID
or eduroam - they might let someone in to
a lot of different places if you lose a password, but at least you can
change it in just one operation. TRIUMF is trying to move in this direction.
Use a "password safe" - which works like a key safe:
You can put all your keys - luggage, bicycle, car - in the key safe
and remember just one code. Clearly, the key safe should be tougher than any of
the other locks.
"Key safes" exist for computers, too - there's one built into
Firefox for Web passwords.
You must turn on encryption (use a "master password"), otherwise it's like leaving
your keys under the doormat (and, if your computer is stolen or hacked, posting
them on craigslist).
Some new laptops come with a fingerprint-activated password container -
just swipe your thumb to get access to your passwords.
Use common passwords for groups of similar things. For instance,
one password for online magazine subscriptions, another for eBay and PayPal,
another for email, another for computer logins. The basic question you
should ask is "Do I trust X with my password for Y?". Quite apart from
the possibility of your losing passwords yourself, do you really
want to give some random game site operator the password to your
day-trading account or Facebook page?
Use SSH keys or SSL certificates instead of passwords
Once set up, these are as easy to use as a password (or easier). They
are much more resistant to malicious programs, and can often be locked down
to particular addresses or commands. For instance, if you set up
a laptop to login automatically from SFU to TRIUMF, and
someone steals it, it won't
work from Mexico or Maple Ridge.
(paper is so 1980's; use Bluetooth or an SD card instead to transfer keys)
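To make the "locked down to particular addresses or commands" point concrete, here is an added example (not from the original page or TRIUMF) that audits an OpenSSH authorized_keys file and reports keys missing the from=, command= and restrict options; the key data and the 192.0.2.0/24 address range in the sample are constructed placeholders.

```python
"""Audit an OpenSSH authorized_keys file for keys that are not locked down.
The SAMPLE below is constructed: placeholder key data, TEST-NET addresses."""
import re

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

SAMPLE = '''\
# constructed example: one restricted key, one unrestricted key
from="192.0.2.0/24,*.example.org",command="/usr/local/bin/rsync --server",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA laptop-backup
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEYDATA alice@home
'''

def split_options(line):
    """Split into (options, rest): options end at the first space outside
    double quotes, since from= and command= values may contain spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line                      # no options prefix at all
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:]
    return line, ""

def parse_options(opts):
    """Map option names to their quoted value, or True for bare flags."""
    return {m.group(1): m.group(2) if m.group(2) is not None else True
            for m in re.finditer(r'([a-z-]+)(?:="((?:[^"\\]|\\.)*)")?', opts)}

def audit(text):
    """Return [(comment, findings)] per key; empty findings means the key is
    tied to source addresses and a forced command with forwarding disabled."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts_str, rest = split_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue                         # not a key line we understand
        comment = fields[2] if len(fields) == 3 else "(no comment)"
        opts = parse_options(opts_str)
        findings = []
        if "from" not in opts:
            findings.append("usable from any address (no from=)")
        if "command" not in opts:
            findings.append("can run any command (no command=)")
        if "restrict" not in opts and "no-port-forwarding" not in opts:
            findings.append("port forwarding not disabled (no restrict)")
        report.append((comment, findings))
    return report

if __name__ == "__main__":
    for comment, findings in audit(SAMPLE):
        print(comment, "OK" if not findings else "; ".join(findings))
```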
Don't go overboard
There's no point having a fiendishly long password you can never remember
- it won't help one bit against malicious software.
And beware of locking yourself out of key safes or critical systems - put the password
in sealed envelopes for yourself and others (spouse, supervisor, lawyer).
On stolen laptops:
Think your PC will never be stolen?
According to a 2008 report by Ponemon, 10,000 laptops are
lost or stolen each week in the US, just at airports, and others
report 10% of laptops stolen in the first year. I've lost two
computers in break-ins at home (a 6% annual risk).
Do you even wonder about all those emails (example) telling you that "Your
mail is over quota, login here to fix it"?
Do you think any of them might be legitimate? Or do
you wonder just what kind of fool thinks they are? Good news -
less than 1% of TRIUMF users have fallen for these. But I admit,
sometimes it's hard - I get legitimate mail from American Express about
my account, and people get real mail from UPS and eBay. If you think
a mail is genuine, it's best to ignore any links in the message and login
yourself by hand to check.
Similarly, if a total stranger phones up, says your card has been stolen,
and asks for the number so he can block it, call the credit card company back
yourself - even if the Caller ID looks OK. (This happened to me; it was genuine,
but how was I to know?)
NY Times article (Imperva study on common passwords)
xmarks.com - a Firefox add-on which lets you synchronize bookmarks
and passwords between two computers (I neither endorse nor discourage this product)