Ventura County Computers masthead

A Password System

Passwords cause more problems than any other security item. We have been told that we need to have impossible to remember passwords, with nothing repeating, nothing in a dictionary -- in short, nothing that a human can remember. So we tend to use one simple password for everything and hope for the best.

Unfortunately, that isn't too smart and it isn't necessary, either.

In the wake of the password hacking that took place with the Sony Playstation site a couple of months ago, there is a lot of good, new information about passwords as well as some new insights into how to protect yourself.

But let's start with the problem. The hackers of the Sony site published 120,000 usernames and passwords on the Internet. Most of the usernames were email accounts. Most of the users used the same email password as they did for Sony, so it was simple for other hackers to log into thousands of email accounts, change the passwords so the legitimate users couldn't get back in, and send out an email to everyone in the address book saying they'd been attacked while traveling and could you send some money to help me out? The hackers then made note of all the emails from financial institutions in case you used the same password for banking as you did in email and then deleted all saved emails and contacts so that when the legitimate owners of the email account got back in they wouldn't be able to contact everyone and say the messages had been fraudulent.

Using the same password for email, banking and anything else just isn't smart. There are hacker groups threatening to hack PayPal and dozens of other sites. Unless you are willing to risk having your email account compromised and your bank account attacked, you really need to get different passwords.

But don't despair. It doesn't have to be all that painful. All those cookbooks about how you have to have impossible to remember passwords are wrong. They are a hold-over from the cryptographic mentality. Cryptographers generally have a block of text to work on. In that environment, it makes hacking the text much easier if the text isn't random. But with computer passwords, there is no block of text. There is only, yes you got the password, or no you didn't. You don't know if your failed attempt was too long, too short or anything else. You only know it was wrong.

Steve Gibson, in his excellent analysis of the requirements of password complexity posed this question: Which of these two passwords is more difficult for a hacker to break:



Of course, as soon as you ask the question, everyone knows it's the D0g password, but why? Because it's longer and has lowercase, uppercase, number and special characters. That's it. Cryptographers will scream that it also has far less "entropy" and is less secure. But the way computer passwords have to be hacked, entropy really doesn't enter into the equation.

Armed with this insight, it is child's play to create your own secure password system. First, recognize that length is the most important element in a good password. Almost all of us have had to learn a short phrase that we will never forget. For the purposes of this discussion, I'll use Shakespeare's, "To be or not to be," but something more obscure would be better. A line from a play you performed in third grade would be perfect.

First thing we need to do for our password is to make sure we have all the elements: upper, lower, number, special. So, for example, "To be or not 2 be." would work as the core password. That's 18 characters that no hacker is ever going to guess. For all sites where you don't really care if someone gets your password, use that. This is what would have been stolen from Sony's Playstation site.

Now you need a variation on a theme to substitute for your important accounts. "To bank or not 2 bank." is too obvious, but you get the idea. As long as the substitutions are not too obvious, no one is going to figure out what your substitution pattern is if they do get ahold of one password. But it doesn't take too much thought to create a pattern you can use for your banks, email accounts, credit cards and other important sites. It's just one basic password, which should be a phrase you'll never, ever forget, and then a pattern variation you can remember for the important sites.

Yes, this takes some thinking and planning. But it beats the heck out of bailing when some hacker gets ahold of all your sites and passwords. And you only have to do it once. Once in place the system runs itself.