Last Updated Mon Jun 21 15:09:10 2010

some thoughts on passwords

Passwords have been in the news lately: (it looks like these were harvested by self-propagating phishing messages - sent from one account to people in the addressbook, hence apparently from friends)

So why are we still using them, decades after security experts said they would be replaced by biometrics and smartcards ? For the same reason we still use simple cylinder locks on our houses, despite the fact they can be picked in 2 minutes with a paperclip (I've done it) - they are cheap, simple, and mostly "good enough".

Problems with passwords

It is extremely tempting to just use the same password everywhere, but this is a really bad idea. While your home probably has one key that opens all the doors (unless you live in a castle that predates mass-production), and your car key opens the trunk too, you probably don't want a single key that works for your home, car, gym locker and safety-deposit box - especially if you use valet parking. Or have one card that works for Interac, pay phones, and as a hotel room key. Not just because you might lose the key - but the janitor at the gym can now drive away your car, and the hotel concierge can empty your bank account.
See this study by Trusteer
The TRIUMF Password Policy (2007) prohibits using the same password at TRIUMF as offsite.

Password Reset Questions

Many websites now have reset questions, with a "secret answer" you can use to reset your password if you forget. The problem here is that the answers can often be found on Facebook or Google. For instance, your mother's blog shows your "mothers maiden name" and your "first pet's name", while your kids let slip your "favourite colour". Sarah Palin's account was hacked because her reset answer appeared in public documents. I just make up random answers and add them to my password store.

How to Change Passwords

This sounds like a no-brainer, unless you actually try to do it on a site like eBay or Telus. Try looking under "Account" or "Profile" or "Home". Some sites have restrictions on password length or content. A minimum length is quite common. Some require at least one punctuation character, others forbid certain characters. Some have an unstated maximum length, e.g. 15 characters, and may silently truncate passwords causing a mismatch between the browser database and the website. Check that your new random password actually works by logging out and in again before deleting the old one from records.


Don't go overboard

There's no point having a fiendishly long password you can never remember - it won't help one bit against malicious software. And beware of locking yourself out of key safes or critical systems - put the password in sealed envelopes for yourself and others (spouse, supervisor, lawyer)

On stolen laptops:
Think your PC will never be stolen ? According to a 2008 report by Ponemon, 10,000 laptops are lost or stolen each week in the US, just at airports, and others report 10% of laptops stolen in the first year. I've lost two computers in break-ins at home (a 6% annual risk).
Do you even wonder about all those emails (example) telling you that "Your mail is over quota, login here to fix it ?
Do you think any of them might be legitimate ? Or do you wonder just what kind of fool thinks they are ? Good news - less than 1% of TRIUMF users have fallen for these. But I admit, sometimes it's hard - I get legitimate mail from American Express about my account, and people get real mail from UPS and eBay. If you think a mail is genuine, it's best to ignore any links in the message and login yourself by hand to check. Similarly, if a total stranger phones up and says your card has been stolen, can he have the number to block it, call the credit card company back - even if the Caller ID looks OK. (this happened to me; it was genuine, but how was I to know?)


NY Times article (Imperva study on common passwords) - a Firefox add-on which lets you synchronize bookmarks and passwords between two computers (I neither endorse nor discourage this product)