Security Watch: Don't get burned by viruses and hackers
Writing down passwords
By Robert Vamosi 
Senior editor, CNET Reviews
June 3, 2005

A few weeks ago, Jesper Johansson, a senior manager for security policy at Microsoft, created news when he told Australia's national Computer Emergency Response Team, or AusCERT, that security professionals had it wrong whenever they recommended against writing down passwords. His rationale? "I have 68 different passwords. If I am not allowed to write any of them down, guess what I'm going to do? I am going to use the same password on every one of them."

To be or not to be
The same tension came up when a reader recently asked me whether it was better to have one complex password that you reuse everywhere or several different passwords. I want to say both, but I know in practice that I have occasionally reused passwords, especially for online newspaper registrations to otherwise free content. I would never reuse a password for any paid account or anything of value, such as access to my work computer.


But let's say you visit Amazon only during the holiday season. A year has gone by, and you can't remember the unique password you gave your account. Fortunately, most sites will e-mail you a replacement. Often, though, what arrives is not the string of characters you originally typed but a randomly assigned one. That's because many Web servers don't store your password as you typed it; rather, they convert it to what's called a hash value.

Hash this
One reason companies do this is that a hash is a one-way function: the server stores only the hash, never the password itself, so someone who copies the database doesn't walk away with your password. Another reason is that hash algorithms are designed so that it is computationally infeasible to find two different inputs that produce the same value, and infeasible to work backward from the value to the input. Whenever you type your password, the computer or Web server runs it through the algorithm and compares the result with the stored hash. Well-built systems also mix a random per-account value called a salt into the input before hashing, so that two users with the same password get different hashes and an attacker cannot precompute a table of hashes for common passwords. Only if you type your exact password will the hash match and give you access. Thus, your computer or server doesn't recognize daisy@may54 but rather some hash representation of it; if you type dasy@may54, the machine computes an entirely different hash, not the one it's expecting, and it rejects the password as incorrect.
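As an added example (not code from the column or from any particular site), here is how a Web server of the kind described above would store and later check a password, using only Python's standard library. The salt length, the PBKDF2 iteration count, and the sample record are illustrative choices:

```python
"""Added example: storing a password as a salted hash and verifying a login.

Not the column's code. Assumes Python 3 standard library only; SALT_BYTES and
ITERATIONS are illustrative settings, not any real site's configuration.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # illustrative; real deployments tune this to their hardware
SALT_BYTES = 16        # illustrative salt length


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def make_record(password):
    """What the server keeps for an account: the salt and the hash, never the password."""
    salt, digest = hash_password(password)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record, attempt):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    _, digest = hash_password(attempt, salt)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo():
    """Walk through the column's daisy@may54 / dasy@may54 scenario."""
    record = make_record("daisy@may54")
    return {
        # The stored record contains no trace of the password itself.
        "stored_contains_password": "daisy@may54" in str(record),
        "correct": verify(record, "daisy@may54"),
        # One dropped letter yields an entirely different hash, so login fails.
        "typo": verify(record, "dasy@may54"),
        # A second account with the same password gets a different hash (salt).
        "same_pw_same_hash": make_record("daisy@may54")["hash"] == record["hash"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The comparison uses `hmac.compare_digest` rather than `==` so that the time taken to reject a wrong guess does not depend on how many leading bytes happened to match.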

That's why, when you lose a password and need to call your bank for account access, you shouldn't expect the tech support person to read you your old password; that person doesn't have it, only the hash. After he or she assigns you a new password--either by e-mail or over the phone--I strongly recommend that you log in to your account and change the password immediately. Most e-mail is sent in clear text, and perhaps I'm a bit paranoid, but anyone who can read your mail in transit could read that newly assigned password. The same goes for any password someone else chose for you: change it at your first opportunity, so that you are the only person who knows it.

Strong passwords
When choosing a password, either a new one or a replacement, consider the following:

--Don't use popular movies, titles, or phrases.

--Don't use personal information, such as birth dates or anniversaries.

--Don't use words found in dictionaries or borrowed from other languages.


If you think Fun4U is a clever password, think again. Tools freely available on the Internet, such as John the Ripper, take dictionaries of common words and phrases, apply rules to each entry (capitalizing it, swapping digits for letters, tacking numbers or symbols on the end), and hash every candidate until one matches; for short passwords they can also simply try every combination of characters, which is what's called a brute-force attack. For security purposes, some IT staff run such tools against their own users' password hashes to weed out weak passwords. For criminal hacking purposes, the use of such a tool is entirely obvious.
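The following is an added example, not the column's own code and not John the Ripper itself: a toy wordlist-and-rules cracker in Python, in the spirit of John the Ripper's wordlist mode, that shows why Fun4U falls quickly while a longer random password does not. The wordlist, the mangling rules, the suffix list, and the "leaked" hashes are all constructed for illustration, and the hashes are deliberately unsalted; a site that salted them as described above would force an attacker to repeat this work for every account. The example also goes slightly beyond the column by computing the search space behind the eight-characters-with-symbols recommendation given later in the column.

```python
"""Added example: a toy wordlist-plus-rules cracker against unsalted SHA-1 hashes.

Not the column's code and not John the Ripper. WORDLIST, RULES, SUFFIXES and the
target passwords in demo() are all constructed for illustration.
"""
import hashlib
import string

# Constructed wordlist: the kind of common words a real list would contain.
WORDLIST = ["password", "letmein", "fun", "daisy", "summer", "dragon"]


def leet(word):
    """Constructed digit-for-letter substitution rule (a -> 4, e -> 3, ...)."""
    return word.translate(str.maketrans("aeios", "43105"))


# Constructed mangling rules: each maps one dictionary word to one candidate base.
RULES = [
    lambda w: w,                       # the word as-is
    str.capitalize,                    # Word
    str.upper,                         # WORD
    leet,                              # w0rd
    lambda w: w.capitalize() + "4U",   # "for you" suffix: fun -> Fun4U
]

# Constructed suffixes: nothing, 0-99, and a few favourites.
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "123", "2005"]


def candidates():
    """Yield every word x rule x suffix combination (a tiny rule engine)."""
    for word in WORDLIST:
        for rule in RULES:
            base = rule(word)
            for suffix in SUFFIXES:
                yield base + suffix


def sha1_hex(text):
    """Unsalted SHA-1, standing in for a careless site's password store."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def crack(targets):
    """Return {hash: password} for every target hash matched by some candidate."""
    found = {}
    for cand in candidates():
        h = sha1_hex(cand)
        if h in targets:
            found[h] = cand
        if len(found) == len(targets):
            break
    return found


def keyspace(alphabet_size, length):
    """Number of strings an exhaustive brute-force search must consider."""
    return alphabet_size ** length


def demo():
    """Crack three constructed hashes: two weak passwords and one random one."""
    strong = "Xq7!mZ2$pL"   # constructed; 10 mixed characters, in no wordlist
    targets = {sha1_hex(p) for p in ("Fun4U", "d415y99", strong)}
    found = crack(targets)
    alnum = len(string.ascii_letters + string.digits)                      # 62
    printable = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    return {
        "recovered": sorted(found.values()),
        "strong_recovered": sha1_hex(strong) in found,
        "candidates_tried": sum(1 for _ in candidates()),
        "keyspace_5_alnum": keyspace(alnum, 5),
        "keyspace_8_printable": keyspace(printable, 8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only a few thousand candidates are needed to recover both weak passwords, while the random ten-character password is never generated at all; an attacker reduced to brute force on eight characters drawn from all 94 printable ASCII symbols faces about six quadrillion possibilities rather than the under one billion of a five-character alphanumeric password.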

So what do I recommend for a strong password?

--Always use at least eight characters, including alphanumerics and symbols.

--Use different passwords for each account you want to protect.

--Change your passwords regularly.

Final thoughts
So we're right back to where we started, with Jesper Johansson saying he has 68 complex passwords. Should you write passwords down? I must admit that I do--but not on a Post-it Note near my computer. I keep my passwords written down somewhere else, and I don't write "Amazon: 1a2b3c4d"; rather, I code them so that I know the context of the password whenever I see the list. For example, "Books: 1a2b3c4d" might be my designation for my Amazon password.

How do you store, remember, and create unique passwords--or do you use the same ones over and over? Talk back to me.

TalkBack
235 messages

Article discussion: Security Watch: Writing down passwords


Latest post:

"writing down passwords"
by netrnnr - November 29, 2005 9:33 PM PST
The idea that writing down your passwords is bad is a ridiculous notion. Now, how you do it is important.

In the old days a PGP Encrypted Text file was the way to go.

... (Read more).

spreadsheet password

I do believe that Excel has a weak password encryption system. Not only that, b... (Read more)
by Michael00360 - September 6, 2005 2:16 PM PDT

Use one unsecure password

Wow, this article has generated a lot of conversation, and I haven't read them a... (Read more)
by Janos Drencsan - August 10, 2005 6:33 AM PDT

What to do with passwords

I will have to admit that for a long time I used the same password for everythin... (Read more)
by sroyeton - July 25, 2005 1:09 AM PDT

Passwords

I write down my passwords and put them all in the same place. It's the best way ... (Read more)
by cupcake51 - July 6, 2005 8:29 PM PDT

Never used 1 password

I never use 1 password for all log-ons. Fingerprinter is one of my way to remem... (Read more)
by Donna Buenaventura - June 30, 2005 4:44 PM PDT

easiest simplest way u can get a password

What I usually do with my passwords, I pick something simple I can remember like ... (Read more)
by cyrpt_on - June 27, 2005 1:08 AM PDT

How I store my passwords.

I have a password-protected MS Access MDB file with my passwords in it. Alas, I ... (Read more)
by - June 23, 2005 5:23 PM PDT

I have a suggestion on passwords

I have one core password which might be Axnt49no. When I go to a particular web... (Read more)
by mpmccarthy - June 20, 2005 8:04 AM PDT

Don't make a hash of it.

You make the statement: "...hash algorithms are designed so that no two password... (Read more)
by cohagan - June 20, 2005 6:06 AM PDT


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.