http://seattlepi.nwsource.com/business/295495_password11ww.html

By CINDY SUTTER
SCRIPPS HOWARD NEWS SERVICE
December 11, 2006

YRUdoingthis2me?!

It's a tempting way to respond to the zillionth prompt to change your password or enter a new one. Call it password fatigue.

A recent survey of business professionals by security consulting firm RSA Security Inc. found that more than a third of those surveyed managed six to 15 passwords at work. Yet security can be surprisingly lax.

Colorado venture capitalist Brad Feld recently wrote a blog entry entitled "What is the Password that Everyone Knows?" "Almost everyone has one," he says.

A 2001 British survey of 1,200 office workers found that passwords were a sort of psychological test for workers. Nearly half of the workers fell into the family group, using their own name, nickname or the names of partners, children or pets. A third used celebrity names, while 11 percent used words they apparently believed described themselves, such as "sexy," "stud" or "goddess."

Despite more stringent workplace requirements, password sophistication has not increased much, says John Black, assistant professor of computer science at the University of Colorado.

"Historically, people used guessable things like the name of a pet, their own name or things that are familiar like their birthday," he says. "(Now) they're picking a little better. However, (passwords) still remain one of the weakest aspects of computer security. They'll put two words together, add an exclamation point, add a digit. A lot of programs force you to do that ... They'll still do something like johnblack1! That's not that much harder to guess than the original would be."

Still, the best password -- a totally random combination of numbers, letters in different cases and punctuation -- is extremely difficult to remember, especially if it must be changed frequently. And it doesn't allow the user to amuse himself with a comment on life, work or a reminder of a loved one.
One Boulder resident, now retired, recalls that both he and his wife used unusual vegetables combined with personally significant numbers to make a satisfying computer entree. "I was very fond of rutabaga and kumquat," he says. "The other ones we used were both root vegetables paired in soups, parsnip and turnip."

Another Boulder resident developed his password technique after he broke his wrist rollerblading. "(I) started using passwords I could type with one hand," he writes. "Ever since, I still do that, and it's a fine timesaver." A personal favorite, now retired: ytrytr5.

Another local sometimes uses the geometric pattern of numbers on the phone touchpad. A triangle might be tri103, for example.

Others may use passwords with fictional character names or try to satisfy the requirement for numbers by substituting a 3 for an e or a 0 for an o. A James Brown password riff might be If33lg00d, for example.

Black explains that computer hackers have factored in many such strategies. "These days hackers have massive dictionaries, all English words and common names. They will include popular fictional characters as well," he says. "The programs not only try all these passwords, they try putting a little punctuation around it." They also try all the common letter-number substitutions, he says.

A better approach for an easy-to-remember password is to take the first letter from each word in an unfamiliar, but memorable, phrase. He suggests something such as: Sewage workers don't bite their fingernails! Or swdbtf!

Some experts suggest using a phrase with numbers, spaces and punctuation, throwing in spelling errors such as At 3 Greta iz at socer!

It's also key to manage passwords according to security needs. Feld suggests a two-tiered system. "Most people have a general password for stuff they don't care that much about, e.g. Web site logins for newspapers, magazines, other content," he says. "Then they have a more secure one for the important stuff."
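The dictionary-plus-mangling attack the article describes above (word lists with punctuation and digits placed around each entry and the usual letter-for-digit substitutions applied), shown from both sides as an added Python example that is not part of the original article and is not code from anyone quoted in it. The word list, the prefix/suffix rule set and the sample passwords are constructed assumptions kept small enough to read; a real cracker's lists and rule sets are far larger. The attacker-side generator shows that johnblack1! and If33lg00d are both inside the space such rules enumerate, while the defender-side check shows why the first-letter-of-a-phrase password swdbtf! is not.

```python
import itertools
import string
from functools import lru_cache

# Constructed toy word list standing in for the "massive dictionaries" of
# English words, names and fictional characters the article describes.
# (Assumption: real cracking lists run to hundreds of thousands of entries.)
WORDLIST = frozenset([
    "i", "feel", "good", "john", "black", "password", "rutabaga", "kumquat",
    "parsnip", "turnip", "goddess", "stud", "sexy", "sewage",
])

# Letter-to-digit substitutions crackers try ("a 3 for an e or a 0 for an o").
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}
UNLEET = {}
for letter, digit in LEET.items():
    UNLEET.setdefault(digit, []).append(letter)

# Digits and punctuation typically tacked on around a word ("a little
# punctuation around it"). Constructed; real rule sets are far longer.
PREFIXES = ["", "!", "1"]
SUFFIXES = [""] + list(string.digits) + ["!", "1!", "!1", "12", "123", "?"]


def mangle(word):
    """Attacker side: yield every variant of `word` this rule set would try."""
    for cased in (word, word.capitalize(), word.upper()):
        spots = [i for i, ch in enumerate(cased) if ch.lower() in LEET]
        # Every subset of substitutable letters, so If33lg00d (not only
        # the fully substituted 1f33lg00d) is among the guesses.
        for r in range(len(spots) + 1):
            for chosen in itertools.combinations(spots, r):
                chars = list(cased)
                for i in chosen:
                    chars[i] = LEET[chars[i].lower()]
                stem = "".join(chars)
                for pre, suf in itertools.product(PREFIXES, SUFFIXES):
                    yield pre + stem + suf


def unmangle_stems(password):
    """Defender side: strip the decoration and undo the substitutions.

    Yields every plausible plaintext stem; a digit such as 1 may stand
    for either i or l, so there can be more than one.
    """
    core = password.strip(string.digits + string.punctuation).lower()
    options = [UNLEET.get(ch, [ch]) for ch in core]
    for combo in itertools.product(*options):
        yield "".join(combo)


def segmentable(stem, max_words=3):
    """True if `stem` is a concatenation of at most `max_words` list words."""

    @lru_cache(maxsize=None)
    def rec(i, used):
        if i == len(stem):
            return True
        if used == max_words:
            return False
        return any(stem[i:j] in WORDLIST and rec(j, used + 1)
                   for j in range(i + 1, len(stem) + 1))

    return bool(stem) and rec(0, 0)


def is_dictionary_derived(password):
    """True if the password is a mangled dictionary word (or a few of them)."""
    return any(segmentable(stem) for stem in unmangle_stems(password))


def variants_per_word(word):
    """How many guesses this rule set spends on a single list entry."""
    return len(set(mangle(word)))


if __name__ == "__main__":
    for pw in ["johnblack1!", "If33lg00d", "P4ssw0rd!", "rutabaga42",
               "swdbtf!", "ytrytr5"]:
        print(f"{pw:12} dictionary-derived: {is_dictionary_derived(pw)}")
    n = variants_per_word("johnblack")
    # Compare with 94**8 guesses for a random 8-character printable password.
    print(f"{n} variants per entry; x 100,000 entries = {n * 100_000:.1e} "
          f"guesses, vs 94^8 = {94 ** 8:.1e} for a random 8-character password")
```

With this rule set one nine-letter entry costs the attacker 1,224 guesses, so even a 100,000-entry list is about 1.2 x 10^8 candidates, against roughly 6 x 10^15 for a random 8-character password drawn from the 94 printable ASCII characters. That gap is the quantitative form of "not that much harder to guess than the original would be"; a defensive checker that reduces a candidate password the way unmangle_stems does will reject the decorated forms without needing to enumerate them.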
However, Feld points out, that leads to its own set of problems. "It's hard to remember the more secure one, especially if you have multiple ones, so they end up written down, stored in a word processing document on your computer or in your e-mail, fundamentally defeating the whole notion of security."

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Mon Dec 11 2006 - 22:51:27 PST