Pittsburgh, Pa.
Be careful with your passwords: Experts warn that they are easy to pilfer, particularly in public places
Sunday, February 08, 2004 By Diana Nelson Jones, Pittsburgh Post-Gazette
Larry Rogers was killing time at the mall not long ago, hovering near a cluster of Internet kiosks while waiting for his wife. When she sidled up beside him, asking, "Ready to go?" he said, very loudly, "Not yet, I want to watch a few more people so I can steal their passwords."
Not surprisingly, one of the computer users spun around in alarm to look at him.
Rogers considered it both a joke and a warning -- that in our worries about personal security, home security and homeland security, we are practically giving tech burglars the equivalent of our house keys.
"If I can watch your hands on the keyboard, I can get your password, and I can read your log-on," said Rogers, who's a computer security expert on the technical staff at the CERT Coordination Center at Carnegie Mellon's Software Engineering Institute.
"I think people are trying to pick more clever passwords," he said, but what's the point if you sign on in a public place? "We are so trusting as a society."
And we are amassing passwords and PINs. They are supposed to be security measures, but the more we collect, the less secure we may be. When we have to remember this password for the burglar alarm and that password for e-mail, a code to get cell-phone messages, another to shop online and another for online banking, it is tempting to choose one password for everything. Being a sentimental species, we tend to go for the warm and fuzzy, not something like omg8snaihntw!
But savvy computer users go for the cryptic. Type "password" into an Internet search field and site after site gives the same advice: passwords should not be words in any dictionary, because cracking software can try every dictionary word, and the common variations of it, in seconds. They should not be words that give you away, such as the name of your street, pet, favorite sports team or your mother's maiden name.
They should be indecipherable to anyone but you, include a number or punctuation mark, or both, and the longer the better. The example omg8snaihntw! is an acronym for "Oh my God, eight's Saturday night and I have nothing to wear!" A cryptic password of this type is safer as your only password than the name of the dog you're always yelling at, though any one password used everywhere is only as safe as the least careful site that stores it.
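To show why "not a dictionary word, not your pet's name" is the standard advice, here is an added example of the kind of dictionary attack the sites describe. It is not code from the article or from anyone quoted in it. The wordlist, the mangling rules and the sample passwords are constructed for the example, and unsalted SHA-256 stands in for whatever hash a real system would use.

```python
import hashlib

# Constructed wordlist: a handful of dictionary words plus the personal details
# the article warns against (pet, street, team, maiden name, a celebrity).
# Real cracking tools use lists of millions of entries; this one is illustrative.
WORDLIST = [
    "password", "letmein", "welcome", "baseball", "sunshine",
    "rover", "maple", "steelers", "smith", "madonna",
]


def mangle(word):
    """Yield the variants a cracker tries for each wordlist entry:
    case changes, a single trailing digit, and a trailing '!'."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        yield base + "!"
        for digit in "0123456789":
            yield base + digit
            yield base + digit + "!"


def sha256_hex(text):
    """Unsalted SHA-256, used here only so the demo is self-contained.
    A fast, unsalted hash is exactly what makes offline guessing this cheap."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try every mangled wordlist entry against target_hash.
    Returns (recovered_password, guesses_made); password is None on failure."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def is_guessable(password, wordlist=WORDLIST):
    """True if the password falls inside this attacker's search space."""
    return dictionary_attack(sha256_hex(password), wordlist)[0] is not None


if __name__ == "__main__":
    for pw in ("Rover1", "steelers!", "omg8snaihntw!"):
        found, n = dictionary_attack(sha256_hex(pw))
        print(f"{pw:16} -> {'cracked' if found else 'survived'} after {n} guesses")
```

"Rover1" and "steelers!" fall in a few hundred guesses because the mangling rules do exactly what people do to "strengthen" a pet or team name; the acronym survives because no wordlist entry, however mangled, produces it. Scaling the list to millions of words and the rules to the thousands a real tool applies does not change that picture, only the number of guesses.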
Rogers said he had 10 to 15 passwords, including PINs. "I have for a long time had a scheme, so that instead of having to remember 10 distinct passwords, I have a structure and variations on it."
Still, you're not automatically hack-proof with a nonsensical-looking password.
"If all the people at banks have very clever passwords, if it takes a year, a wily intruder may spend the time," Rogers said. "It depends on the size of the prize."
The strongest advice for the security of your passwords is this: Never write them down or let anyone see you typing them. But hold on: You die and your survivors need to get into your password-protected documents to settle your estate. If you chose passwords to confound hackers, your survivors could be confounded as well.
Maybe the better advice is: Write down your passwords and put the list in a safe deposit box. You might need to refer to it yourself.
Password overload is so common that e-commerce companies often allow us to come up with a new password for every one we forget. Companies have sprung up to help us hack into our own files. These companies also have helped estate executors, lawyers, crime-solvers and employers who suspect an employee of data theft.
Shawn Madsen, of AccessData in Orem, Utah, a password-cracking software company, said one of his clients was a family in Australia. A man had left his will in a password-protected Microsoft Word document. From his computer, the man could look out his window onto a park. The family tried everything obvious, including the man's dog's name, before looking out the window and trying the name of the park, which finally opened the file.
With password-breakers, he said, "The risks are that you don't know [the motive] when someone calls and says, 'Hey, I need you to come over and crack this machine's password.' "
In a Psychology Today article, British psychologist Helen Petrie, a professor of human/computer interaction at City University in London, said passwords, which often are chosen on the spur of the moment, such as when we go online to buy something, say more about us than we may think.
She categorized password users into four groups, based on a survey of 1,200 Britons funded by CentralNic, an Internet domain-name company: the family oriented, the fan, the fantasists and the cryptics.
The largest group used a nickname, the name of a child, partner or pet, or a birth date. One-third of the participants chose passwords of celebrities or sports teams. Petrie said the fans were generally young and have overused "Madonna" and "Homer Simpson." Eleven percent were wrapped in fantasy, choosing such words as "sexy," "stud" and "goddess." Of these, 37 percent were female. The most security conscious were the smallest group, the cryptics, at 10 percent.
Because most of our choices make us vulnerable, passwords may well become passe. But innovations such as fingerprints, retina scans, pictorial sequences and color combinations bear their own risks.
Rogers said he had heard reports that people had "made molds of fingerprints using Jello and have used them successfully."
Because of security worries, some people are turning to encryption software to protect their personal data, Rogers said. Encrypting is a way to "mangle and obfuscate." Pig Latin is a toy example of the idea: it mangles every word, but by a fixed rule with no secret key, so anyone who knows the rule can decipher it, which is why nobody uses it for real secrets.
But imagine putting cheese through a cheese grater and then having to put the shreds back together so that it is the same block of cheese as when you started, he said. On that scale, decrypting would be too hard, unless the prize is big enough; and if that scares you, keep in mind that the computing power it takes to decrypt secrets is growing apace with the power to encrypt them.
Manuel Blum, a computer science professor at Carnegie Mellon University, said he was two or three years away from completing a system that substitutes numbers for letters, but not always the same number for a given letter. If your name has two a's in it, one might be coded as a 5 and the other as a 3. The correct numbers come from a mapping unique to each person but in a format that is memorizable, such as the multiplication table, he said.
His target audience is the same target audience of the multiplication table -- third-graders.
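As an added illustration of the property Blum describes, the following is a toy version: a per-person letter-to-digit table plus a chaining rule, so the same letter does not always produce the same digit. It is not Blum's actual scheme, which the article does not spell out, and not code from anyone quoted here. The 26-digit table and the "add the previous digit, mod 10" rule are both constructed for this example.

```python
import string

# Constructed per-person secret: one digit for each letter a..z.  In the kind of
# scheme the article describes, this table is what the user memorises; the digit
# string below is arbitrary and exists only to make the example runnable.
SECRET_DIGITS = "31415926535897932384626433"
USER_TABLE = dict(zip(string.ascii_lowercase, map(int, SECRET_DIGITS)))


def encode(word, table=USER_TABLE):
    """Map each letter of `word` to a digit.

    The digit emitted for a letter is its table value plus the previously
    emitted digit, mod 10 (the chaining rule is an assumption made for this
    example).  Because of the chain, the same letter does not always give the
    same digit: the output depends on everything typed before it."""
    word = word.lower()
    if not all(c in table for c in word):
        raise ValueError("only letters a-z are supported")
    out = []
    prev = 0
    for c in word:
        prev = (table[c] + prev) % 10
        out.append(str(prev))
    return "".join(out)


def digits_for_letter(word, letter, table=USER_TABLE):
    """All digits that `letter` was encoded to within `word`, in order."""
    code = encode(word, table)
    return [code[i] for i, c in enumerate(word.lower()) if c == letter]


if __name__ == "__main__":
    for w in ("anna", "rogers"):
        print(w, "->", encode(w))
    print("the two a's in 'anna' become", digits_for_letter("anna", "a"))
```

With this table "anna" encodes to 3070: the first a becomes 3, the second becomes 0, because the second one absorbs the digit produced by the n before it. A shoulder surfer who sees the digits but not the table learns little from one observation, since each output digit depends on a secret entry and on the running total, which is the point of not substituting the same number for a given letter every time.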
Copyright ©1997-2007 PG Publishing Co., Inc. All Rights Reserved.