Original URL: http://www.theregister.co.uk/2004/05/28/password_advice/

Would you trade your password for chocolate?

If yes, click here sharpish

By Scott Granneman

Posted in Security, 28th May 2004 12:29 GMT

OK, security pros, let's talk just amongst ourselves for just a minute. You might have seen that recent news item that reported that 70 per cent of people would willingly trade their computer password for a bar of chocolate. I don't know about you, but that left a pretty sour taste in my mouth. Even worse, 34 per cent would give away their password for nothing! WHAT ARE THESE PEOPLE THINKING?!

Clearly, we need to better educate the unwashed masses about the importance of keeping their passwords secure. Along with that, helping them come up with better passwords would be nice. I'm sure you're as sick as I am of seeing passwords like "password", "beer", or "123456".

Here's my suggestion: copy the letter below and send it to everyone that needs it. You know who they are. Don't send this part - we don't want them to know that we've been talking about them behind their backs. Just send the letter below, and then follow up with a phone call or a short conversation, just to make sure they "got it." It's not going to be a panacea, but it'll be a start.

And if one of them returns from a break wiping chocolate off their hands, you know whose password to change immediately. Copy this letter... and hand it out.



Safe and Simple Passwords

by Scott Granneman © Copyright 2004, www.SecurityFocus.com

Hi. I know you probably have a lot to do right now, but I'd appreciate just a few minutes of your time so that we can talk about something that's actually pretty important: your computer passwords.

When I say "computer passwords", by the way, I'm talking about the passwords you use to log in to your computer, and the passwords you use to log in to all the websites you visit.

Right off the bat, let me say that I understand how many passwords you probably have to remember, and how many times every day you have to type one in somewhere. I agree with you that it's annoying and tedious to have to constantly use all those passwords, and I myself have difficulty remembering all of mine. It can really be overwhelming sometimes.

Unfortunately, passwords are about all we have right now in terms of computer security. Oh, you might have heard of "biometrics", which means that some part of your body is scanned to prove your identity, like your fingerprint, or your eyes, or your voice. Biometrics are available now, but they're still kind of expensive, and they don't always work right, and a lot of people have some very valid objections to the technology in terms of privacy, so it's going to be a while before biometrics are widespread.

You might also have seen those little cards that some people have, with numbers that change every minute. The idea is that the user enters that number and a PIN, and then they can log in where they need to. As you can imagine, that solution costs a lot of money, and it would be impractical to have a separate card for every single Web site that you wanted to visit. There are other methods as well, but they all have similar issues: they're too expensive right now, or not ready for prime time, or still way too complicated. So, we're stuck with passwords for the time being.

Since passwords are what we have to use, we need to be really careful with them. It's important that you keep them as secret as possible. Think of it this way: you probably keep your car keys pretty safe. If a stranger walked up to you on the street and asked for your car keys, you wouldn't let him have them, since you don't know him and therefore have no idea what he might do with your car. Even if friends ask for your car keys, you're probably unwilling to just hand them over, unless it's an absolute emergency.

Car keys are one thing, but I'll bet you do the same with your house keys. And your passport. And your driver's license. Your credit card numbers. Your bank account numbers. Your social security number. And so on. We've all learned to keep certain things safe because we know that in the wrong hands, they can lead to trouble.

Well, the same thing is true for your passwords. The more people that know them, the more likely that something bad is going to happen. In fact, the easier it is for people to guess them, the more likely it is that something bad is going to happen. So you need to pick good passwords (more on that in just a minute) and you need to keep them as secret as possible.

Now, I know that you might be thinking: "So what if someone got one of my passwords? I have nothing to hide." The problem isn't necessarily that someone will look at your stuff on your computer. The problem is that some hackers use your password to take control of your computer without your realizing it. They then use your computer to do some really bad stuff, like attack government computers, or traffic in child porn, or send thousands of spam email messages. Since it's your computer that is doing these things, you're in for a lot of hassle when the authorities come calling. Your computer can get impounded as evidence, your house can get torn apart in a search, and you can get charged with a crime. I know you're innocent, and you know you're innocent, but you'll still have to deal with the police, and the courts, and lawyers, and it will cost you a lot in terms of time, money, and energy. It's not just an idle threat - it has happened a lot more than you may realize.

So keep your password safe. Don't write it down, and don't put it on a sticky note and hide it on the bottom of your keyboard (everyone knows that trick!). Never tell anyone your password unless you are absolutely positive that they are authorized to get it. Ask for ID, and be sure you understand exactly why they need your password. Ask to speak to a supervisor or manager to clarify that the individual asking for your password really needs it. Treat your password like you treat your car keys, or your passport, or your driver's license.

Finally, here's some advice on choosing a password. I'm going to give you a couple of rules, and they may seem scary, but don't freak out. I'm going to let you know a secret that will help you apply those rules in a logical way that you can remember ... trust me!

Here's the first rule: a good password is at least eight characters long. Even longer is better, but eight characters is enough.

The second rule: you should use a mix of at least three of these four things: small letters, capital letters, numbers, and symbols. If you can use all four, great, but at least use three of them.

The third rule: don't use easy-to-guess or easy-to-crack passwords. What's an easy-to-guess password? Your name, your significant other's name, your pet's name, your kids' names, your car, your home address, your employer, your favorite singer, and so on. As for easy-to-crack passwords, you need to know that there is software available called "password crackers" that basically try to guess and guess and guess passwords until they get the right answer. That software makes mincemeat of passwords that are all numbers, so never use that, but it also easily cracks passwords that are based on dictionary words, even if they're words from other languages. (If you'd like to see some examples of bad passwords that you should always avoid, check out this article: http://www.pclinuxonline.com/article.php?sid=8823).

And the final rule: good passwords are easy to remember and hard to guess. "password" is really easy to remember, but it's also super easy to guess. "^R49lk#an5#" is really hard to guess, but I can't remember it, and I just typed it out. So how do we come up with a good password that (a) has at least eight characters in it, (b) uses a mix of small and capital letters, numbers, and symbols, (c) isn't easy-to-guess or easy-to-crack, and (d) is easy to remember? Here's how.

Everyone has a favorite song or poem. For instance, let's say that your favorite song is Led Zeppelin's "Stairway to Heaven". The first line of that song is "There's a lady who's sure all that glitters is gold." Take the first letter of each word, and you get "Talwsatgig". That's a good start for a password! It's ten characters long, and it's easy to remember, as long as you know the first line of the song. However, it only uses small and capital letters, so let's add more.

When you were a kid, you may have played around with a simple code, in which a=1 and b=2, all the way to z=26. Here's another one that a lot of people have used: a=@, b=6, e=3, i=1 (or !), l=1 (or l=!), o=0, s=5 (or s=$), t=+, and so on. Basically, you match the letters to a number or symbol that they sort of resemble. You can do this however you'd like, using whatever makes the most sense to you. If we apply a few of these substitutions to the password we've been developing, we get this: "Ta1w5atg1g". Now that is a great password!

Is that too hard? Then keep the mix of upper and lowercase letters, and tack a year on the end. Better yet, reverse the digits of the year. So your password might now be "Talwsatgig86", which is still very good. The important thing is, try to get a mix.
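The four rules and the song-line-plus-substitution construction above, as an added Python example (not the article's own code): it builds "Talwsatgig" from the lyric, applies the article's substitutions, and reports which rules a candidate password breaks. The word list and the substitution table are constructed stand-ins.

```python
"""Checker for the four password rules in Scott Granneman's letter, plus the
song-lyric construction he describes. Added example, not the article's code."""
import string

# Constructed stand-in for a cracker's word list; real lists run to millions of entries.
DICTIONARY = {"password", "beer", "123456", "stairway", "zeppelin", "glitters"}

# Constructed table limited to the three swaps the article applies to its own
# example (l->1, s->5, i->1); the letter offers more, e.g. a->@, o->0, t->+.
SUBSTITUTIONS = {"l": "1", "s": "5", "i": "1"}


def first_letters(phrase: str) -> str:
    """Take the first letter of each word: the article's starting point."""
    return "".join(word[0] for word in phrase.split() if word[0].isalpha())


def substitute(text: str, table: dict = SUBSTITUTIONS) -> str:
    """Swap letters for look-alike digits/symbols, as in the kid's code the letter describes."""
    return "".join(table.get(ch, ch) for ch in text)


def character_classes(pw: str) -> int:
    """Count how many of the four classes (small, capital, number, symbol) appear."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def check_password(pw: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:                      # rule 1: at least eight characters
        problems.append("shorter than 8 characters")
    if character_classes(pw) < 3:        # rule 2: three of the four classes
        problems.append("fewer than 3 of the 4 character classes")
    if pw.isdigit():                     # rule 3: crackers eat all-number passwords
        problems.append("all numbers")
    if pw.lower() in DICTIONARY:         # rule 3: dictionary words fall just as fast
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    start = first_letters("There's a lady who's sure all that glitters is gold")
    print(start, check_password(start))                          # Talwsatgig breaks rule 2
    print(substitute(start), check_password(substitute(start)))  # Ta1w5atg1g passes
```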

I know you may be thinking, "There is no way that I will be able to remember that!" But really, it's not hard. You know the song, and you'll be able to remember the simple letter/number substitution, or the year. Just sing it to yourself (not out loud!), and type. After you do it a couple of times, it will just fly off your fingers, I guarantee.

Here's one final tip: as I said above, you should never write your password down. But you can do this, if you'd like something to help jog your memory. Go on the Internet and find a Web site that lists Led Zep lyrics. Print out the words to "Stairway to Heaven" and post them on the wall next to your computer. You'll have a reminder available all the time. If someone sees your lyrics, they'll just think you're a fan, not that your password is coded right there in front of them (unless they read this little piece, that is!).

Thanks for reading this. I hope it helps, and I hope you understand a little more why computer people want their friends, family members, and co-workers to safeguard their passwords. If you have any questions, ask the person who gave you this letter - I'm sure they'll be glad to help. Good luck, and be safe!


Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.
