Tuesday, July 21, 2009

Awash in the Seas of Passwordia

The new stuff is all working fine -- phone, computer, TV -- but the result of it is another half-dozen passwords, to go with the dozens we already have. I will be soooo glad when retinal readers or thumbprint scanners get good enough to figure out who I am online so I can relax my brain.

What was the password for my phone messages? Which is different on the website than on the phone itself ... ?

I'm not holding out a lot of hope for that, though. My wife had to get a security check for a PDX badge on her job, Homeland Security was in charge, and they had to run her prints through the FBI. As it turns out the wonderful high-tech scanner won't pick up her prints, and they don't use the old-fashioned ink version. So they had to do a manual background check. Went back for the last ten years' worth of employers, right? Which employers are the same one, since she's been there that long.

Two steps forward, one step back; the right hand doesn't know what the left hand is doing ...


Viro said...

I hear ya! I have about forty or so passwords for web sites and probably an additional twenty to thirty that I use for work.

I use KeepassX as my password manager. It's pretty good.

Here's an article on choosing good (and easy to remember) passwords: http://lifehacker.com/software/passwords/geek-to-live--choose-and-remember-great-passwords-184773.php

Using the article's methods, I'm able to make (and remember!) passwords that are around 140 bits.

KeepassX has a field that will tell you how strong your password is as you enter it.

Here's a site that lists how long a given password will take to be cracked: http://www.lockdown.co.uk/?pg=combi&s=articles

Anonymous said...

The left hand doesn't know what the right is doing.

That's what keeps things fun! Always a surprise around here!
Don't bother learning the rules, half of the government employees don't and are just going to tell you you're wrong anyway!

Steve Perry said...

I think passwords are like locks on your house doors -- designed to keep the honest people out. I try to come up with a combination of words and letters and cases, but the truth is, I'm not going to sit and input a fifty-character password every time I log on to anything. If I'm dealing with the kid who robs banks by sticking an electronic card into the RediTeller, he is going to be able to read my email ...

Dan Moran said...

I will be soooo glad when retinal readers or thumbprint scanners get good enough to figure out who I am online so I can relax my brain

Not in your life or mine. You can fool modern thumb readers with a photocopy of the thumb. When better thumb scanners become common, people will hack databases of thumb images -- instead of hearing about the credit card database that got compromised, you'll hear about the thumbprint database that got compromised, and hackers will sell software-based "thumbprint emulators" to fool websites.

It's a moving target. All you can do is stay abreast.

The current best practice is to use pass phrases, not passwords. It's a lot easier to remember:




And, at least with modern cryptographic cracking tools, which are aimed at dictionary & brute force attacks, you're less likely to get hacked. The dictionary attack fails (which it will, above) and the attacker falls back on brute force -- 38 characters is harder to brute than 12.
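As an added worked example, not code from the original post or from any commenter, here is the arithmetic behind the two claims above: Viro's "around 140 bits" and Dan's "38 characters is harder to brute than 12." It scores a secret two ways, as a character-level brute force (the attack Dan describes the cracker falling back on) and, when the secret is a string of plain words, as a word-level guess against a dictionary of whole words (the dictionary attack extended to word combinations). The two sample secrets, the word-list size (7776, a diceware-sized list) and the guess rate are all constructed assumptions for the example, not figures from the page.

```python
import math
import string

# Constructed sample secrets for the comparison (not from the original page).
PASSWORD_12 = "Tr0ub4dor&3!"                              # 12 chars, four character classes
PASSPHRASE_38 = "maple bridge lantern quiet seven river"   # 38 chars, six common words

# Attacker model (assumed figures, not from the page).
DICEWARE_WORDS = 7776          # size of the word list the attacker tries combinations from
GUESSES_PER_SECOND = 1e10      # offline attack against a fast, unsalted hash


def charset_size(secret):
    """Alphabet a per-character brute force must cover: the union of the
    character classes actually present in the secret."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
        (" ", 1),
    ]
    return sum(n for alphabet, n in classes if any(c in alphabet for c in secret))


def brute_force_bits(secret):
    """Keyspace, in bits, of a character-level brute force over the
    secret's length and character classes."""
    return len(secret) * math.log2(charset_size(secret))


def looks_like_word_list(secret):
    """True when the secret is two or more alphabetic words separated by
    spaces, i.e. exactly what a word-combination dictionary attack targets."""
    words = secret.split(" ")
    return len(words) >= 2 and all(w.isalpha() for w in words)


def wordlist_bits(secret, dictionary_size):
    """Keyspace of guessing the secret as a sequence of words drawn from a
    dictionary of the given size (ignores capitalisation tricks)."""
    return len(secret.split(" ")) * math.log2(dictionary_size)


def effective_bits(secret, dictionary_size=DICEWARE_WORDS):
    """Strength under the cheapest applicable attack: for a passphrase of
    common words that is the word-level guess, not the character brute force."""
    bits = brute_force_bits(secret)
    if looks_like_word_list(secret):
        bits = min(bits, wordlist_bits(secret, dictionary_size))
    return bits


def expected_crack_years(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to find the secret (half the keyspace on average)."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def words_needed(target_bits, dictionary_size=DICEWARE_WORDS):
    """How many dictionary words a passphrase needs to reach target_bits
    against the word-level attack."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def compare(secrets):
    """One summary row per secret, for running the block stand-alone."""
    return [
        {
            "secret": s,
            "length": len(s),
            "brute_bits": round(brute_force_bits(s), 1),
            "effective_bits": round(effective_bits(s), 1),
            "years": expected_crack_years(effective_bits(s)),
        }
        for s in secrets
    ]


if __name__ == "__main__":
    for row in compare([PASSWORD_12, PASSPHRASE_38]):
        print(f"{row['secret']!r}: len={row['length']}, char-brute={row['brute_bits']} bits, "
              f"effective={row['effective_bits']} bits, ~{row['years']:.1e} years "
              f"at {GUESSES_PER_SECOND:.0e} guesses/s")
    print(f"words for 140 bits from a {DICEWARE_WORDS}-word list: {words_needed(140)}")
```

Under these assumptions the 38-character phrase is worth about 181 bits against a character brute force but only about 78 bits once the attacker guesses whole words, which is roughly the same as the 12-character mixed password (about 79 bits). The length is still the lever: each extra word from the list adds about 13 bits, so reaching Viro's 140 bits takes 11 words, and the passphrase stays the one you can actually remember. A larger dictionary or mixed case raises the word-level figure, but a strength meter that only counts characters, like the one mentioned above, will overstate a phrase of common words.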

Viro said...

Oh most definitely. I think most of the big hacks are done through software exploits or social engineering.

My sister in law used to keep her passwords simple. Then her husband, who had promised to stop blowing goodly portions of his money on online poker, fell off of the water-wagon.

He didn't have any cracking software, but he did know the more obvious choices and had/took the time to correctly guess a few times.

That was a few weeks ago. She said she found a password he wouldn't guess.

Hah! Now that I'm thinking about it, I believe he did guess the password.

I'm house-sitting for them this week and I remember their computer's fan running last night.

Windows would normally go into sleep mode, but it wasn't. So I'm guessing the adware from the poker client is keeping it awake.

joycemocha said...

A life history of eczema does a real number on your fingerprints. I was able to get fingerprinted successfully once. The other two times didn't take--at least one of those was during an active outbreak on my fingertips. All three used ink.

jks9199 said...

Computer security is like physical security. If someone wants in bad enough, and is willing to work at it enough, and accept any consequences -- they can get in. Biometrics have the potential to be some of the best tools, especially in combination with passwords. But there'll still be people beating them within days of the first time they're installed.

Re: Fingerprints and eczema.

When your skin is peeling, and there's no ridge pattern to speak of, you won't leave prints. (I know; I've got the same issue, though it's been quite a while since I had that severe an episode. And I've probably just jinxed myself...) You MIGHT leave what's called a plastic print (embedded in a material, like leaving a handprint in fresh concrete), depending on how bad your fingers are and how closely they examine the material. If you've got ridges, you'll leave marks with ink, if it's rolled correctly with the right pressure. You may well have problems with the digital devices; I do sometimes. Use a good moisturizer shortly before, and only wipe it off right before they print you. That may help. (I'm assuming you need prints for things like being a teacher or working with kids... if you're arrested, it'll be worked out.)

Guys who do drywall (especially mudwork) and masons/concrete workers also have major problems with the electronic scanners...

And being polygraphed can be a real pain... The Galvanic Skin Response sensors don't always work right on my affected fingers.