
Cringely and bad password advice

Cringely may know enough about social security fraud that the DHS want his advice, but I'm not sure he's got good advice about password security.

He starts well:

Identity thieves... can start a sweepstakes website that requires only free registration to win that cruise of a lifetime to Bora Bora. And in doing so the thieves can know that a majority of registrants will use a username and password combination that they also use at a lot of other sites, like bank and brokerage accounts. Not only don't they need to actually award the cruise, they don't even have to break into your bank account in order to benefit from the username/password combo. They just sell that information to another crook.

But the conclusion:

So CHANGE YOUR DAMNED PASSWORDS and put an end to this kind of scam. Perhaps remembering new character strings will help to stave off Alzheimer's.

This has to be terrible advice:

If the crook can get to your bank, and work out that you've used the same password details (he doesn't say how the crook is going to get your bank account number), then one thing is certain: the crook can get there faster than you are willing to change your passwords. Suppose the crook is going to sell the personal info that night in the pub to a mate who's going to plug the data into his account cracker later on that week. That means you would have to be changing all your passwords at least once per week, and that's only going to stop the slow crooks.

Things that help password security:

  • Complex strings that are not guessable.
  • Passwords that differ from site to site

I have yet to see any situation where changing your passwords helps. Once the bad guy knows your password and can impersonate you, the chances are that he has already changed your password and locked you out, or installed a backdoor, so changing your password doesn't keep him out anyway.

So how do you use a different complex password on each site and still remember them all?

This is a good trick. It uses 3 components:

  • Pick a random string of 4 characters containing upper/lower case letters and numbers. e.g. tS8j
  • Decide on a way to mangle the domain name of the website to get 3 letters that are not obviously related to the domain. Suppose you want 3 letters from google.com. You could pick the 3 from the end in reverse order: elg, you could type the first three letters one key up on your keyboard: t99, you could Caesar shift: hpp, pick the middle 3: oog, etc, etc.
  • A single digit/letter that you can increment (or decrement) when someone insists that you change your password.

Then put those characters together in some order, so you might end up with tS8jelg0 or oogAtS8j. Then use the same system, with the same set of 4 random characters, just changing the 3 characters per domain and the one character whenever someone forces you to change.
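The three-component scheme above, written out as an added example (this is my code, not anything from the original post): a fixed 4-character random component, a domain-mangling step with all four of the manglers the post mentions, and a single counter character that is bumped when a site forces a change. The site-name extraction assumes a plain two-label domain such as google.com; the secret "tS8j" is the post's own example value and would normally come from `new_secret()`.

```python
import secrets
import string

# QWERTY rows, bottom to top, used by the "one key up" mangler.
_ROWS = ["zxcvbnm", "asdfghjkl", "qwertyuiop", "1234567890"]
# Sequence the forced-change character walks through: 0-9 then A-Z.
_COUNTER_ALPHABET = string.digits + string.ascii_uppercase


def site_name(domain: str) -> str:
    """Registrable label of a host name: 'www.google.com' -> 'google'.
    Assumption: a two-label TLD; a domain like bbc.co.uk would need a
    public-suffix list to be handled properly."""
    labels = domain.lower().strip().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def reverse_last3(domain: str) -> str:
    # "google" -> last three "gle" -> reversed "elg"
    return site_name(domain)[-3:][::-1]


def caesar3(domain: str) -> str:
    # first three letters, each shifted one place forward: "goo" -> "hpp"
    out = []
    for c in site_name(domain)[:3]:
        if c.isalpha():
            out.append(chr((ord(c) - ord("a") + 1) % 26 + ord("a")))
        else:
            out.append(c)
    return "".join(out)


def keyboard_up3(domain: str) -> str:
    # first three characters typed one key up on a QWERTY keyboard: "goo" -> "t99".
    # Same column index is used for every row (an arbitrary but fixed choice).
    out = []
    for c in site_name(domain)[:3]:
        for i, row in enumerate(_ROWS[:-1]):
            if c in row:
                out.append(_ROWS[i + 1][row.index(c)])
                break
        else:
            out.append(c)  # digits and anything not on a letter row stay unchanged
    return "".join(out)


def middle3(domain: str) -> str:
    # three characters from the middle of the name: "google" -> "oog"
    name = site_name(domain)
    start = max(0, (len(name) - 3) // 2)
    return name[start:start + 3]


def new_secret() -> str:
    """The 4-character random component, chosen once with a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(4))


def bump(counter: str) -> str:
    """Advance the forced-change character: '0' -> '1', ..., '9' -> 'A', ..., 'Z' -> '0'."""
    i = _COUNTER_ALPHABET.index(counter)
    return _COUNTER_ALPHABET[(i + 1) % len(_COUNTER_ALPHABET)]


def build_password(secret: str, domain: str, counter: str, mangle=reverse_last3) -> str:
    """Secret + mangled site name + counter, the first ordering the post shows."""
    return f"{secret}{mangle(domain)}{counter}"


if __name__ == "__main__":
    secret = "tS8j"  # the post's example value; in practice use new_secret()
    for fn in (reverse_last3, keyboard_up3, caesar3, middle3):
        print(fn.__name__, build_password(secret, "google.com", "0", fn))
```

The weak point worth knowing about: because the 4-character secret appears unchanged in every password, anyone who captures two of your passwords (say from two breached sites) can spot the constant part and the per-site rule, so the secret only protects you for as long as no site you use leaks its password database.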

This may sound overly complex and paranoid, but it is lots easier than changing your passwords on a regular basis, and far more secure.

Using regularly changing passwords just forces you to use simpler passwords to avoid forgetting, and simpler passwords are far more of a risk than re-using passwords, or using guessable ones.

Re: Cringely and bad password advice

Unfortunately some sites that force a password change won't let you just change one of the digits. There are also some tools that help you generate unique passwords (but then what if you're at another computer that doesn't have those tools?) http://lifehacker.com/software/featured-firefox-extension/create-strong-passwords-with-password-hasher-310704.php

Re: Cringely and bad password advice

Good post. I've been doing this for a few years and it is a lot easier to remember your cipher than it is to remember a different password for each website. The only time I had a problem was when I changed my jumble technique to one that I thought was both more random, and easier to encode. It only took a little while to re-sync my passwords though.

Re: Cringely and bad password advice

Don't forget to add a special character too. You can separate those groups of 3 chars by a 'special char' $*)!&#?;:./ whatever that's not a letter or a digit; it adds a lot to the password strength.

Re: Cringely and bad password advice

I used to use special characters in my password. One day, while trying to set up an account for some software I kept getting a generic failure. After 3 hours with tech support they finally determined that my password contained a character they were using as a separator. I've also run into websites that tell me my password is invalid when using special characters.

Re: Cringely and bad password advice

You might want to check out http://supergenpass.com/. Their method uses a client side password generator (bookmarklet) that hashes a combination of the domain and a master password.
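The hash-based approach the comment above describes, as an added example of my own (it is not SuperGenPass's code and does not reproduce its exact algorithm): the per-site password is derived from a master password and the domain with a key derivation function, so a leaked site password does not expose the master or any other site's password, which is the property the fixed 4-character secret in the post's scheme lacks. The counter argument plays the role of the post's forced-change character. Iteration count and output length are my choices.

```python
import base64
import hashlib


def derive_site_password(master: str, domain: str, length: int = 16,
                         counter: int = 0, iterations: int = 200_000) -> str:
    """Deterministic per-site password from a master password and a domain.

    PBKDF2-HMAC-SHA256 with the (normalised) domain and a change counter as
    the salt; the same master and domain always give the same password, and
    different domains give unrelated ones. The output is URL-safe base64,
    truncated, so it contains letters, digits, '-' and '_' only.
    """
    # Normalise the domain so Example.com and example.com derive the same password.
    salt = f"{domain.strip().lower()}:{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]


def alnum_only(password: str) -> str:
    """Strip '-' and '_' for sites that reject special characters (see the
    comment above about separators); still deterministic for a given input."""
    return "".join(c for c in password if c.isalnum())


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed example value
    for site in ("example.com", "Example.com", "example.org"):
        print(site, derive_site_password(master, site))
    print("after forced change:", derive_site_password(master, "example.com", counter=1))
```

Unlike the post's scheme, nothing stored on the sites reveals the master password, but the trade-off is the one the first comment raises: you need the generator wherever you log in, and a forced password change means remembering which counter value each site is on.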
