A few weeks ago, Jesper Johansson, a senior manager for security policy at Microsoft,
created news when he told Australia's national Computer Emergency Response Team, or AusCERT, that security professionals had it wrong
whenever they recommended against writing down passwords. His rationale? "I have 68 different passwords. If I am not allowed to write any of them down, guess what I'm going to do? I am going to use the same password on every one of them."
To be or not to be
To put it another way, a reader recently asked me whether it was better to have a complex password that you repeated often or to have several different passwords. I want to say both, but I know in practice that I have occasionally reused passwords, especially for online newspaper registration to otherwise free content. I would never reuse a password for any paid accounts or anything of value, such as access to my work computer.
A reader recently asked me whether it was better to have a complex password that you repeated often or to have several different passwords. I want to say both.
But let's say you visit Amazon only during the holiday season. A year has gone by, and you can't remember that unique password you gave your account. Fortunately, sites will e-mail you your lost password. Sometimes, though, the password is not really the string of alphanumeric characters you typed but instead a randomly assigned sequence. That's because many Web servers don't really remember your password as you typed it; rather, they covert it to what's called a hash value.
One reason companies do this is that hash values are secure (your password isn't stored on a database somewhere); another reason is that hash algorithms are designed so that no two passwords will result in the same value. Whenever you type your password, the computer or Web server runs it through an algorithm that generates a hash value. Once created, most password hash values are also encrypted, although not necessarily, then they're stored on your hard drive or the server you're logging in to. Only if you type your exact password will the hash value match and give you access. Thus, your computer or server doesn't recognize daisy@may54 but rather some hash representation of that; so if you type in dasy@may54, the machine would see an entirely different hash value, not the one it's expecting, and it would bounce your password as incorrect.
That's why when you lose a password and need to call your bank for account access, you shouldn't expect the tech support person to offer you your old password; that person doesn't know your original password. But after he or she assigns you a new password--either by e-mail or over the phone--I strongly recommend that you log in to your account and immediately change the password. Most e-mail is sent in clear text, and perhaps I'm a bit paranoid, but a hacker could read that newly assigned password. As for someone assigning you a new password, it goes without saying that you should change the password at your first opportunity.
When choosing a password, either a new one or a replacement, consider the following:
--Don't use popular movies, titles, or phrases.
--Don't use personal information, such as birth dates or anniversaries.
--Don't use words found in dictionaries or borrowed from other languages.
Should you write down passwords? I must admit that I do--but not on a Post-it Note near my computer.
If you think Fun4U is a clever password, think again. There are tools on the Internet, such as John the Ripper, that use dictionaries of common words and phrases and can--through what's called a brute-force attack--be used to crack a password. For security purposes, some IT staff use tools like John the Ripper to weed out weak passwords among employees. For criminal hacking purposes, the use of such a tool is entirely obvious.
So what do I recommend for a strong password?
--Always use at least eight characters, including alphanumerics and symbols.
--Use different passwords for each account you want to protect.
--Change your passwords regularly.
So we're right back to where we started, with Jesper Johansson saying he has 68 complex passwords. Should you write passwords down? I must admit that I do--but not on a Post-it Note near my computer. I keep my passwords written down somewhere else, and I don't write "Amazon: 1a2b3c4d"; rather, I code them so that I know the context of the password whenever I see the list. For example, "Books: 1a2b3c4d" might be my designation for my Amazon password.
How do you store, remember, and create unique passwords--or do you use the same ones over and over? Talk back to me.