
Passwords multiply as users' rage rises

Dan Thanh Dang, Sun Staff, 8 Sep 2003

Dave Murphy, you would think, should know better.

He is an information technology consultant - someone who counsels the rest of us on how to protect our computers by, for instance, making it difficult for someone to decipher passwords.

Yet he keeps his four-digit bank card number in his wallet, and his various passwords are stored on a handheld computer that is always with him. At least, he says, the password database is encrypted and the note in his wallet is written in Chinese digits in Korean script.

"Without my little crib sheet, I can't remember all that stuff," said Murphy, of Ellicott City, who counts 279 different codes for the voice mail, computer and security systems, e-mail and Web sites in his life. "Who can memorize all that?"

In the digital age, people are on the verge of "password rage," frustrated with the abundance of codes they are required to memorize to secure their various networked devices. And the pressure to update the numerical and alphabetical soup keeps growing as threats of intrusions, cyberterrorism and identity theft increase.

At many workplaces, computers prompt users to change their passwords every few months. Password guidelines for the Department of Defense run 30 pages, and accountants Ernst & Young offer a cybersecurity class to clients to demonstrate how easy it is to break into a system.

Passwords are essentially combination locks: The more complex the password, the tougher it is to crack. Yet security specialists describe groan-out-loud encounters with people who guilelessly use part of their Social Security number, their telephone number, a family name, a pet name or a street name as a password. Others use easily cracked sequential numbers such as "1234" or just the word "password." Others write passwords on paper and stick them to their computers. Worse still, consultants say, are those who rely on a single password for everything.

Security experts, however, sympathize with the exasperation over personal identification numbers and passwords.

"C'mon. If you follow all the rules, it means that you're not allowed to use anything that you can remotely remember," says Chey Cobb, a former federal intelligence agency network specialist and author of Network Security for Dummies.

"I had a computer-generated password for one of the top-secret systems I used to work on," Cobb says. "It was actually four or five separate words that didn't form a sentence, or have any relationship between them at all. It was a good password. But all I could ever remember was that the middle word was 'skunk.'

"Of course, I forgot it," Cobb says. "The next one I got, I created a jingle to remember it. I say just write it down and hide it. But don't put it under your keyboard."

It's not that the brain lacks the power to store great amounts of information. It's just that the rules for creating a secure password demand that the user string together meaningless things, some scientists say.

"Our brains virtually have infinite capacity," says James L. McGaugh, director of the Center for the Neurobiology of Learning and Memory at the University of California at Irvine. "There's absolutely no problem with capacity. We do have problems with interference. If you're required to have eight characters with a combination of letters and numbers, and then you're asked to change that every few months - jeez, how do you remember all that? It's confusion."

Take the password policy from Princeton University's Office of Information Technology: Passwords must have at least eight characters; at least one uppercase letter and one lowercase letter; and at least one number, but not at the beginning or end of the code. There can be no spaces between characters, no dictionary words, no personal names or numbers, and no sequential letters or numbers. And, if it weren't obvious enough, the policy adds: Don't write it down anywhere or share it with anyone.

"It's hard, but we actually get fewer calls to the help desk now," says Dan Oberst, director of enterprise infrastructure services at Princeton. "Because we made this a very strong password, we allow people to use the same password for different systems they need to access. Before this, they had to remember one each for 21 different systems. It was frustrating. We were getting calls from people asking us which password was needed for which system. Now, one password goes everywhere."

Password amnesia remains a problem at the University of Maryland, College Park, where about a quarter of the 400 daily calls to the computer help line are from people who have forgotten how to sign on to their machines.

'Easily guessable'

Some businesses profit off the memory lapses. Gaithersburg-based Password Crackers Inc. charges people $40 to $250 to hack into a file - after the client has proved that it is his or hers.

Company President Bob Weiss says his services have been sought for reasons ranging from a temporary "brain cramp" to a company's inability to unlock a file that belonged to a fired employee to a suspicious spouse who wants to see what his or her partner is saving on a mysterious file.

Weiss was once summoned when a company's computer administrator died in a car accident, taking his system's password with him.

"The vast majority of application passwords are easily guessable," Weiss says. "It's infrequent that I'm stymied by a password."

Then again, there is no need to guess when - for a price, and in some cases for free - software is available to do the job. Sophisticated password programs can run through all dictionary words, add numbers at the end or the beginning of words, replace I's with the numeral 1 and O's with zeroes, and try all symbols.

Computers can run through four-character permutations faster than you can type "password." Hence the admonition to form longer passwords that are more difficult for people and machines to figure out.
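An added example, not part of the original article or of any tool it mentions: a Python checker for the Princeton rules quoted earlier that also reverses the cracking-program tricks just described (numbers added at either end, 1 for I, 0 for O) before the dictionary test. The word list is a constructed stand-in, the three-character sequence threshold and the reading of the number rule (a digit is required and may not be first or last) are assumptions, and the rule on personal names and numbers is not covered.

```python
import re

# Constructed stand-in for a real dictionary and name list (assumption).
SAMPLE_WORDS = {"password", "skunk", "princeton", "murphy", "summer"}
# Reverses the substitutions named above: numeral 1 for I, zero for O.
UNLEET = str.maketrans({"1": "i", "0": "o"})

def has_sequence(pw, run=3):
    """True if pw holds `run` ascending letters or digits, e.g. abc or 234."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        same_kind = chunk.isalpha() or chunk.isdigit()
        if same_kind and all(ord(b) - ord(a) == 1 for a, b in zip(chunk, chunk[1:])):
            return True
    return False

def dictionary_hit(pw, words=SAMPLE_WORDS):
    """Undo the common manglings, then return the dictionary word found (or None)."""
    low = pw.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", low)  # digits/symbols added at the ends
    candidates = {low, core, low.translate(UNLEET), core.translate(UNLEET)}
    for word in sorted(words):
        if any(word in c for c in candidates):
            return word
    return None

def check_policy(pw):
    """Return the violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        problems.append("needs an uppercase and a lowercase letter")
    if not re.search(r"\d", pw) or pw[:1].isdigit() or pw[-1:].isdigit():
        problems.append("needs a number that is not first or last")
    if re.search(r"\s", pw):
        problems.append("contains a space")
    if has_sequence(pw):
        problems.append("contains sequential letters or numbers")
    word = dictionary_hit(pw)
    if word:
        problems.append(f"built on the dictionary word '{word}'")
    return problems

if __name__ == "__main__":
    for sample in ("1234", "Passw0rd1", "Pr1ncet0n", "kV7qzR4mtW"):  # constructed
        print(sample, "->", check_policy(sample) or "passes")
```

"Pr1ncet0n" satisfies every length and character-class rule and fails only once the substitutions are undone, which is why the dictionary test has to run on the normalised form.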

"Passwords are the weakest links," says Ron Nguyen, operations manager for the Advanced Security Center at Ernst & Young, where clients pay $4,000 to attend a course on "extreme hacking." "We spend quite a bit of time showing people how easily it can be done."

Cheat, but wisely

Security specialists say the increased use of biometrics - identification and access through iris scans and fingerprints - will lessen the reliance on password recollection. Until then, some experts say it's OK to cheat - just do so wisely.

Some people remember their passwords with the help of a tune or a phrase. Many use three or four levels of passwords, with the most complex protecting financial information.

"I just don't think we should load up our brain with unnecessary things," says McGaugh, the UC-Irvine memory expert and unrepentant password sinner who shares his codes with his assistant. "I worry about my bank PIN number, so I remember that. The rest I might hide away if I want on a very obscure file labeled with some obscure name like 'summer vacation plans.' I suppose there's some very devious mind who could look at that and say, 'Aha. That's where those codes are.' But that's not very damned likely."

However, some information technology managers - such as Joseph Naft, IT manager for the Maryland Technology Enterprise Institute at UM - stress orthodoxy and trust no one.

A year ago, Naft discovered that hackers had broken into the institute's system. Entry was a cinch. The password-cracking software Naft discovered in the system listed each person's user name and not-so-ingenious password. After Naft cleaned the system and added "firewalls" for protection, he became the institute's password czar. No one else is allowed to choose a password; Naft creates each one, long and unintelligible, for 50 people. Then he changes them all once a year.

"No one has a choice," says Naft, who won't divulge how long the codes are, just in case. "I do let them write it down. But they have to keep it locked up. ... Personally, I keep all my passwords in a special database that's password-protected."

'I've got nothing'

Passwords protecting passwords - the list just grows. It's enough to make Daniel Inglett go racing back to pen and paper and lock and key because all he really wants is peace of mind.

"I have three simple passwords I use for everything," says Inglett, a Butcher's Hill art consultant for private collectors. "Sometimes I have difficulty remembering those. Honestly, I don't see the point in it. I'm not doing anything of major importance. I probably could get zapped by somebody, but why would you want to hack my things? I've got nothing anybody wants."

Original article: http://www.sunspot.net/news/bal-te.bz.passwords07sep07,0,5338372.story?coll=bal-home-headlines


