
If your password is on this list - change it now

People worry themselves sick about computer security but then end up doing something stupid that makes the firewall and other security devices useless.

PC Magazine recently published a list of the 10 most common passwords. I’ll link to that article here.

If your password makes the top 10 list stop what you’re doing and change it.

The top password was - drum roll - password. Yep. The second most popular was 123456.

You would not have to be a brilliant hacker to make your way past passwords like these. Here’s a good start: use both letters and numbers, and make sure the password isn’t a word at all. So, for instance, this would be a decent password: X19ayzm24


Comments

By Jim the Geek

April 24, 2007 10:39 AM

Bill, I’m surprised the list doesn’t include “no password at all” or “blank”. I encounter those far more frequently than anything on the list.

Another note that goes hand-in-hand with this topic: on a shared computer, such as many families use, the parental account MUST have a strong password which is NEVER given to the kids, and the subordinate accounts must be set up with restricted privileges. Otherwise, there’s no security protection provided.

By MP

April 24, 2007 10:48 AM

One problem is with so many passwords these days (bank, email, network, AJC, etc) they all have different requirements and make you change them too often. What if we had to have keys for every room in our house and no two keys could be the same?

You need a system that allows you to change the password but still be able to remember the latest change. A combo of numbers and letters, and don’t forget upper case/lower case.

People who use password or 123456 or nothing deserve what happens to them.

By AbbydonKrafts

April 24, 2007 10:57 AM

I’ve used the same 3 passwords for over 8 years, plus 2 new ones in recent times, with no problems whatsoever. I use them in over 50 different places. They range from a random mix of letters to a longer mix of numbers and letters.

However, a technobuddy clued me into a good idea that will let me use ONE password, yet all be different: Hashing. Instead of directly plugging a password into a site, use a hashing utility on the computer to merge the password and site address and compute a hash. Then, enter however much of it the site will accept (ex: 8 characters). These “passwords” will be so insanely random and unique for every site that it would be virtually impossible to crack.

I plan on developing a quick tool just for that purpose.
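One way to implement the per-site derivation AbbydonKrafts describes, as an added example that is not part of the comment or of any tool mentioned on the page. It uses PBKDF2-HMAC-SHA256 with the site name as salt rather than a plain hash of password plus site, so that someone who obtains one derived password still faces an expensive search to recover the master; the function name, the iteration count and the site names are assumptions.

```python
import base64
import hashlib
import string

ITERATIONS = 100_000  # work factor: slows offline guessing of the master password
ALLOWED_CHARS = string.ascii_letters + string.digits + "-_"  # what the output can contain


def derive_site_password(master_password: str, site: str, length: int = 8) -> str:
    """Derive a per-site password from one master password and the site name.

    Hypothetical implementation of the idea in the comment above: the site
    never receives the master password, only a value derived from it and
    truncated to however many characters the site will accept.
    """
    if not 1 <= length <= 43:  # 32 derived bytes base64-encode to 43 characters
        raise ValueError("length must be between 1 and 43")
    # Normalise the site name so "Example.com" and "example.com" derive the same value
    site = site.strip().lower()
    key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), site.encode("utf-8"), ITERATIONS
    )
    # URL-safe base64 yields only letters, digits, '-' and '_'; strip the '=' padding
    encoded = base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")
    return encoded[:length]
```

The master password still has to be strong: a leaked derived value lets an attacker test master-password guesses offline, and the iteration count only makes each guess slower, not impossible.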

By Danny O

April 24, 2007 11:35 AM

Uhh, how was this list created? Because site managers aren’t supposed to be able to see passwords. And no one should be asking people to give out their passwords, even to a supposedly confidential survey.

By technophobic

April 24, 2007 11:44 AM

Maybe you techno-savvy guys could answer this question I’ve had. I belong to an organization which requires that we change our passwords every three months. While the information available on the website is sensitive, it’s not critical.

Here is my issue: This company keeps track of past passwords and each time they require a new password, it will reject any password that was used before. So far I think I’ve had to give them 8 different passwords.

What bothers me is that if they have a program that knows my name and has all these different passwords connected to it, am I at a higher risk if their servers were ever compromised?

THANKS!

By fer

April 24, 2007 1:12 PM

The problem w/ the example you give of a good password is that it is so hard to remember. I understand the need for a mixture of letters, numerals, and even symbols, but I’ve got to have some kind of crutch to remember one like that.

By Bill

April 24, 2007 2:21 PM

Hi fer, here’s an easy way to remember a password like that.

Think of some song you know, poem you’ve memorized, whatever. Let’s say that it’s Rudolph the Red Nosed Reindeer - one heck of a fine piece of music. It’s a song that is easy to remember.

So take the first letters of the words to some parts of the song … Rudolph the Red Nose Reindeer had a very shiny nose.

So that’s RTRNRHAVSN … that’s a good start and easy, right?

Then to add numbers, maybe take a phone number you had years ago, or a street address from way back that you remember. Let’s say you lived in a house, long ago, at 2198 Stephen Avenue.

So take the first and last digit and add them to the password:

2RTRNRHAVSN8

It’s easy to remember all this since you know the song and the street address.

Grin, in what is probably an over-abundance of caution - remember this is an example - pick your own song, come up with your own numbers.

By nutup

April 24, 2007 2:22 PM

One more user name and password and I will nut up.

By Borat

April 24, 2007 2:28 PM

Pamela38DDD

By Lifer

April 24, 2007 2:31 PM

I take historic dates and places to create passwords. For instance, I might use NewY.09012001 because it has upper/lowercase letters, symbols, and numbers. Plus, it’s something that I can easily recall. I might also use vacation destinations and dates.

By hunter

April 24, 2007 3:39 PM

Who Cares?? Give me a break. Is this really news? I heard it on Fox News this morning, noticed it on CNN as I was trying to quickly skip past that channel and now on the same paper that wants to make a story about Mike Vick when there simply is no story? You guys suck!

By MrLiberty

April 24, 2007 4:10 PM

In attempting to do business with ATT once, I was forced to set up a username and password with them. I attempted to use my typical ones (not that common, I might add), and kept getting rejected (“username already taken”).

Finally in frustration I typed in “ATTSUCKSASS” as a username and was told “username already taken.” Looks like they p** off more than just me.

By EW

April 24, 2007 4:16 PM

Mine must be hard to hack; I can never remember them half the time myself, they’re so long and confusing.

By Bill

April 24, 2007 4:50 PM

Great story Mr. Liberty - made me smile.

By mullinator

April 24, 2007 5:28 PM

technophobic, it’s not as bad as you think. They don’t store your password like you’re thinking. It’s only stored in an encrypted format that can’t be used to “see” the original. When you login, the text you enter with your login is also encrypted. “Authentication” is done by comparing both encrypted values which will only match if they were generated with the same password. Hope that helps!

By fer

April 24, 2007 6:24 PM

Good idea, Bill. My bank PIN is my grandfather’s phone number from when I was a child, so I could build on that.

By Keith

April 25, 2007 8:14 AM

Sorry this is so long :(

Passwords are one of my favorite subjects: I spend a large amount of my time taming the nightmares of password management in large companies.

Not all programs that store your password do it in a safe manner. The original Unix password file /etc/.passwd held the password in plain text; CC:Mail was the same way as was my old WildCat BBS software and countless other programs. When you check your email from home most likely you are transmitting your email password across the internet in plain text. NEVER use the same password for email as you use for anything else. I have picked up hundreds of thousands of email passwords during security audits by simply monitoring the email authentication traffic.

Most modern enterprise applications use some form of encryption for their passwords. For instance, my company uses an encryption method that cannot be reversed; our own software doesn’t even know what your password is, and our software never stores your password and never sends it across the network. When you set your password with our software, your machine performs a mathematical process which creates a Public and Private Key pair. The math process uses the password as one of several variables in the key creation process. The resulting key pairs do not contain your password, but messages encrypted with your public key can only be decrypted with the private key. Once these keys are generated, they are both stored in a secure database on the server.

We also store as many old keypairs as the password history policy requires. By default we remember the 8 most recent passwords. technophobic, I don’t know about your particular software, but you are probably not at greater risk because of the password history as long as you maintain secure passwords.

However, I have seen plenty of homegrown applications that maintain password tables in plain text as fields in their database. There is no excuse for this type of lazy programming, but I see it over and over again. A lot of these programs make it difficult to synchronize passwords from an external source or to delegate authentication to an external source.

Programmers would be wise to modularize authentication and allow administrators to point it to any open standard LDAP infrastructure. Most companies have hundreds, even thousands of applications running, and almost every company has some form of LDAP capable network. I’ve been in some that have over 100 programs that maintain their own separate password database.

Having a SINGLE secure password store is a lot more secure than having 50 different systems with separate password databases. Most people tend to use the same password on all of their applications anyway (that’s a bad idea, but most people do it anyway), and chances are that not all of those applications treat the password with equal levels of protection.

Also; We all probably have registrations on hundreds of websites around. In most cases we don’t have any real access to anything important (like the AJC website, I really don’t care if anyone steals my account, I’ll just create a new one…) so I use a standard password for those sites UNLESS I have to store personal information of any kind.

Another tip I haven’t seen mentioned is the substitution of certain numbers or symbols for letters.

f0r 1nst@nc3 y0u c0uld r3pl@c3 th3 v0w3ls w1th 0th3r ch@r@ct3rs.
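The kind of store mullinator and Keith describe above, written as an added example that is not part of any comment or of Keith’s product: passwords and the password history are kept only as salted PBKDF2-HMAC-SHA256 hashes (a standard one-way scheme, used here in place of the keypair method Keith mentions), so the history that worried technophobic yields only salted hashes if the database leaks. The class name, the work factor and the history depth of 8 (Keith’s default) are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # work factor: slows offline guessing against stolen hashes
HISTORY_DEPTH = 8      # remember the 8 most recent passwords, as in Keith's default


class PasswordStore:
    """Hypothetical store that never keeps a password in plain text.

    Each password becomes (random salt, PBKDF2-HMAC-SHA256 hash) the moment it
    is set; login repeats the derivation and compares hashes. The password
    history is stored the same way, so a database compromise exposes only
    salted hashes of old passwords, not the passwords themselves.
    """

    def __init__(self) -> None:
        self._users = {}  # username -> list of (salt, hash), newest first

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def _in_history(self, password: str, records) -> bool:
        # compare_digest avoids leaking where the comparison diverged via timing
        return any(hmac.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in records)

    def set_password(self, username: str, password: str) -> bool:
        """Set a new password; returns False if it matches any in the history window."""
        history = self._users.get(username, [])
        if self._in_history(password, history):
            return False
        salt = os.urandom(16)  # fresh salt per password: equal passwords hash differently
        history.insert(0, (salt, self._hash(password, salt)))
        self._users[username] = history[:HISTORY_DEPTH]  # drop entries older than the policy
        return True

    def verify(self, username: str, password: str) -> bool:
        """Authenticate against the current password only."""
        history = self._users.get(username)
        if not history:
            return False
        salt, digest = history[0]
        return hmac.compare_digest(self._hash(password, salt), digest)
```

A stolen table of salted hashes can still be attacked by guessing offline, which is why the iteration count and the strength of the password itself both matter.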

By Bill

April 25, 2007 8:21 AM

Thanks Keith, a really fine post that offers great advice and yet it’s easy to understand.
