The Number One Source of Community News Serving San Jose's Almaden Valley

July 22, 2004


Passwords and PINs

Why can’t I use something that’s easier to remember?

By Rick Dexter
Special to the Times

Forgetting a password to a computer or Web site can be a very frustrating experience, particularly if it’s something that is critical, such as an online banking site or your network login at work. Computer networks and Web sites are commonly forcing regular password changes. Often, they also require security restrictions such as a minimum password length, how many letters or numbers you need, and whether you need “special” characters in your password. With each system using different requirements, it’s becoming harder and harder to use the same simple password everywhere, which compounds the likelihood that you will forget one.

However, there is a reason for these requirements. A “strong” password is a password that is more difficult to break than a “weak” password. For example, the password “mother” is easier to remember than “DjI3*/98r.”

However, “mother” is also much easier for hackers to guess. One of the many tools a hacker can use is a list of dictionary words and an automated software program that is able to guess passwords. The most common passwords are pet names, sports figures, spouse names, 4- or 5-digit number sequences, and the word “password.” The hacker tools know what words to try first. As companies become more concerned about computer security, it’s becoming normal to see systems forcing longer and more complex passwords that are difficult to figure out.

I see people sharing their passwords with others at work virtually every day, not even thinking that their personal bank PIN is the same as their office password. It’s also common to see passwords taped to monitors and cubicle walls, on a piece of paper in the top desk drawer, and on Rolodex cards. Each time a password is given out or written down, it greatly increases the chances of someone using the password to gain unauthorized access to computer files, accounts, or other people’s personal information. Once you give your password to someone, you have lost control over who else it may be given to. Passwords given to co-workers can be used to cover tracks in an internal security breach, or given to a competitor by a dishonest employee. Writing down or giving out a password to a computer system that contains other people’s personal information can even be a serious violation of privacy law.

For maximum password security, there are a few simple rules to remember. First, use different passwords for each computer, Web site, and software program. Use relatively long (eight- to 12-character) passwords with a mixture of upper and lower case letters, at least one number, and as many other symbols as you can. Don’t give passwords out to anyone, including your boss and the IT guy at work. Insist on logging into your system for them, or if you must give your password out, change it afterward. Most importantly, change your passwords as frequently as you can possibly stand. Some systems will force periodic password changes monthly or quarterly. Don’t rotate between the same two or three passwords or use a counter at the end of a word. Try to create passwords that look randomly generated. Don’t ever write down passwords or store them in a computer file. Treat them as carefully as you treat your credit card number. To help remember your passwords, use a software program that is specifically designed to keep track of them, such as eWallet or Norton Password Manager. These programs have data encryption to help keep your passwords more secure.
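As an added example (not part of the original column), the rules above can be written as a small Python check that a site or administrator might run when a user picks a new password. The function name, the messages, and the short word list are constructed for illustration; a real check would load a much larger dictionary.

```python
import re

# Constructed sample word list standing in for the dictionary a guessing
# tool tries first (assumption: a real deployment loads a far larger list).
COMMON_WORDS = {"password", "mother", "rover", "giants", "welcome"}


def _stem(text):
    """Drop a trailing run of digits/symbols so 'Mother7!' becomes 'mother'."""
    return re.sub(r"[\d\W_]+$", "", text).lower()


def check_password(candidate, previous=()):
    """Return a list of rule violations; an empty list means every rule passed."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", candidate):
        problems.append("needs at least one number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs at least one symbol")
    if re.fullmatch(r"\d{4,5}", candidate):
        problems.append("4- or 5-digit number sequence")
    stem = _stem(candidate)
    # A dictionary word is still a dictionary word with a counter on the end.
    if stem in COMMON_WORDS:
        problems.append("dictionary word with a counter or suffix")
    # Catch rotation back to an old password, or an old one with a new counter.
    for old in previous:
        if candidate == old or (stem and stem == _stem(old)):
            problems.append("reuses or increments a previous password")
            break
    return problems


if __name__ == "__main__":
    for pw in ("mother", "Mother7!", "12345", "DjI3*/98r."):
        print(repr(pw), check_password(pw) or "passes")
```

The `previous` argument is only for illustration; a production system would compare against stored password hashes, not plain-text history.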

Because loose password security is so common, I expect to see a big increase in the use of physical password devices such as smart cards and bio/fingerprint scanners. In a few years, both your car and your computer may even have fingerprint locks installed as standard equipment. Until these devices become more widely available, careful password management is a key way to protect yourself and others.

Rick Dexter, founder and CEO of NDYNAMICS Network Professionals in Campbell, lives in Almaden. Dexter has over 25 years of experience designing and supporting computer networks, particularly for small businesses and startups seeking reliable and scalable IT infrastructure. If you have a computer question that you would like to have answered in a future column, e-mail it to computerconnection@ndynamics.com.



A weekly publication from Times Media, Inc.
All materials copyright ©2005 Times Media, Inc. All rights reserved.