[ISN] Most play poorly at the password game

From: InfoSec News (alerts@private)
Date: Mon Dec 11 2006 - 22:37:18 PST


http://seattlepi.nwsource.com/business/295495_password11ww.html

By CINDY SUTTER
SCRIPPS HOWARD NEWS SERVICE
December 11, 2006

YRUdoingthis2me?!

It's a tempting way to respond to the zillionth prompt to change your 
password or enter a new one.

Call it password fatigue. A recent survey of business professionals by 
security consulting firm RSA Security Inc. found that more than a third 
of those surveyed managed six to 15 passwords at work.

Yet security can be surprisingly lax. Colorado venture capitalist Brad 
Feld recently wrote a blog entry entitled "What is the Password that 
Everyone Knows?"

"Almost everyone has one," he says.

A 2001 British survey of 1,200 office workers found that passwords were 
a sort of psychological test for workers. Nearly half of the workers 
fell into the family group, using their own name, nickname or the names 
of partners, children or pets. A third used celebrity names, while 
11 percent used words they apparently believed described themselves, 
such as "sexy," "stud," or "goddess."

Despite more stringent workplace requirements, password sophistication 
has not increased much, says John Black, assistant professor of Computer 
Science at the University of Colorado.

"Historically, people used guessable things like the name of a pet, 
their own name or things that are familiar like their birthday," he 
says. "(Now) they're picking a little better. However, (passwords) still 
remain one of the weakest aspects of computer security. They'll put two 
words together, add an exclamation point, add a digit. A lot of programs 
force you to do that ... They'll still do something like johnblack1! 
That's not that much harder to guess than the original would be."

Still, the best password -- a totally random combination of numbers, 
letters in different cases and punctuation -- is extremely difficult to 
remember, especially if it must be changed frequently. And it doesn't 
allow the user to amuse himself with a comment on life, work or a 
reminder of a loved one.

One Boulder resident, now retired, recalls that both he and his wife 
used unusual vegetables combined with personally significant numbers to 
make a satisfying computer entree.

"I was very fond of rutabaga and kumquat," he says. "The other ones we 
used were both root vegetables paired in soups, parsnip and turnip."

Another Boulder resident developed his password technique after he broke 
his wrist rollerblading.

"(I) started using passwords I could type with one hand," he writes. 
"Ever since, I still do that, and it's a fine timesaver."

A personal favorite, now retired: ytrytr5.

Another local sometimes uses the geometric pattern of numbers on the 
phone touchpad. A triangle might be tri103, for example.

Others may use passwords with fictional character names or try to 
satisfy the requirement for numbers by substituting a 3 for an e or a 0 
for an o. A James Brown password riff might be If33lg00d, for example.

Brown explains that computer hackers have factored in many such 
strategies.

"These days hackers have massive dictionaries, all English words and 
common names. They will include popular fictional characters as well," 
he says. "The programs not only try all these passwords, they try 
putting a little punctuation around it."

They also try all the common letter-number substitutions, he says.

A better approach for an easy-to-remember password is to take the first 
letter from each word in an unfamiliar, but memorable, phrase.

He suggests something such as: Sewage workers don't bite their 
fingernails! Or swdbtf!

Some experts suggest using a phrase with numbers, spaces and 
punctuation, throwing in spelling errors such as At 3 Greta iz at socer!
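The checks described above (dictionary words with punctuation or digits tacked on, and the usual letter-number substitutions) can be turned into a simple password-policy filter. This is an added example, not code from the article or from any tool it names; the word list and the substitution table are constructed stand-ins for the much larger ones a real cracking program carries.

```python
import re
from functools import lru_cache

# Constructed stand-in for the "massive dictionaries" the article mentions:
# English words, common names and fictional characters (a real list is huge).
SAMPLE_WORDLIST = frozenset({
    "i", "john", "black", "password", "feel", "good", "rutabaga", "kumquat",
    "parsnip", "turnip", "sexy", "stud", "goddess", "gandalf",
})

# Assumed table of the common letter-number substitutions a cracker undoes.
LEET_MAP = str.maketrans({"3": "e", "0": "o", "1": "i", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Undo the mangling the article lists: case, digits or punctuation
    tacked on around the word, then leet substitutions inside it."""
    core = candidate.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)  # strips "1!" from johnblack1!
    return core.translate(LEET_MAP)              # If33lg00d -> ifeelgood


@lru_cache(maxsize=None)
def segment(core: str):
    """Split core into dictionary words, longest match first.
    Returns a tuple of words, or None if no complete split exists."""
    if core == "":
        return ()
    for i in range(len(core), 0, -1):
        head = core[:i]
        if head in SAMPLE_WORDLIST:
            rest = segment(core[i:])
            if rest is not None:
                return (head,) + rest
    return None


def dictionary_words(candidate: str) -> list:
    """Dictionary words the mangling rules would reach this password from,
    or an empty list if the candidate survives the check."""
    core = normalize(candidate)
    if not core:
        return []
    return list(segment(core) or ())


def is_weak(candidate: str) -> bool:
    """Policy decision: reject anything the dictionary-plus-mangling check covers."""
    return bool(dictionary_words(candidate))


if __name__ == "__main__":
    for pw in ["johnblack1!", "If33lg00d", "swdbtf!", "At 3 Greta iz at socer!"]:
        print(f"{pw!r:28} -> {dictionary_words(pw)}")
```

The article's johnblack1! and If33lg00d are flagged as mangled dictionary words, while the first-letter phrase swdbtf! and the misspelled sentence with spaces pass, which is exactly the distinction the advice above draws.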

It's also key to manage passwords according to security needs. Feld 
suggests a two-tiered system.

"Most people have a general password for stuff they don't care that much 
about, e.g. Web site logins for newspapers, magazines, other content," 
he says. "Then they have a more secure one for the important stuff."

However, Feld points out, that leads to its own set of problems.

"It's hard to remember the more secure one, especially if you have 
multiple ones, so they end up written down, stored in a word processing 
document on your computer or in your e-mail, fundamentally defeating the 
whole notion of security."


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Mon Dec 11 2006 - 22:51:27 PST