Getting help to remember passwords

PLUGGED IN

July 13, 2006 | By Mike Himowitz, Sun Columnist

One of the benefits of writing a column is that you get to gripe in public. So here's a gripe I've been nursing for months: passwords.

I have too many of them. In fact, when I counted mine this week, I came up with 42 logins for Web sites, data services, voice mail and e-mail systems. I can do this easily because, like most folks who have to juggle lots of passwords, I do exactly the wrong thing. I write them down - in a safe place, of course.

A bit later, I'll discuss one possible solution to the problem - software that collects your passwords, stores them securely and doles them out when needed. But first, let's gripe some more.

In 2005, RSA Security Inc. surveyed 1,700 business computer users. It found that almost 60 percent had to manage at least 6 passwords, while 28 percent had to manage more than 13.

And that doesn't count personal passwords for who-knows-how-many e-mail accounts, voice mail boxes and Web sites. Some are important, such as bank, credit card and stock brokerages, and some aren't. But they require passwords all the same.

Remembering that many passwords is beyond the capability of the average human - or even a really smart one.

It's worse when each system has different requirements for password length, capitalization and the number of numeric characters and punctuation marks it allows.

The most secure - and biggest pains - are systems that generate passwords themselves, usually strings of gobbledygook like "4jvKX3fred99+erk#2." Like I'm ever going to remember that.

Adding insult to injury, systems increasingly demand frequent password changes - and won't let you reuse an old password, or anything similar to a previous one, for months or years.

These precautions would be entirely prudent and reasonable if we only had to remember one or two passwords. But since most users have far more, they deal with the problem in the most obvious way.

According to the RSA survey, 62 percent write down their logins and passwords somewhere. A quarter use a spreadsheet or some other document on their PC, while 22 percent store them on a PDA or hand-held computer. Another 15 percent do it the old-fashioned way - on paper.

This uncoordinated but ubiquitous demand for passwords is counterproductive. It leads to behavior that actually makes it easier for thieves and spies to do their work. It encourages people to use the same password for all their systems - or as close to it as they can get.

It encourages simple passwords that are easy to remember, and just as easy for hackers to guess (birthdays and kids' names are favorites). The only recourse for most of us is writing our passwords down - somewhere that's easy to remember, and probably easy for an intruder to find.

I wish I had a simple, effective universal solution to this problem. If I did, I'd be rich and retired by now. But I've been looking at one approach that works tolerably well.

It's called a password cache or password safe - software that stores all your passwords in a single encrypted file, locked with one master password of your choice. When you have to sign on to a Web site or system, the program automatically retrieves the password you need.

These programs are generally easy to use, and most employ highly secure algorithms to scramble your passwords. Even so, they offer a single point of attack for an intruder - if he learns your master password, he has the keys to your entire kingdom.
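To make the "encrypted file locked with one master password" idea concrete, here is a minimal password safe written for this column as an added example. It is not code from the column and not how RoboForm or Password Safe store their files; the vault layout (salt, nonce, then AES-256-GCM ciphertext), the PBKDF2-HMAC-SHA256 key derivation, the iteration count and the sample entries are all this example's own assumptions. It also shows the single-point-of-attack property from the other side: a wrong master password, or a vault that has been tampered with, gets nothing back at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed vault parameters (this example's own choices, not any product's).
const (
	saltLen    = 16     // random per-vault salt for the key derivation
	nonceLen   = 12     // AES-GCM nonce, fresh for every Seal
	keyLen     = 32     // AES-256 key
	iterations = 100000 // PBKDF2 work factor; raise on faster hardware
)

// ErrBadMaster covers both a wrong master password and an altered vault;
// GCM's tag check cannot tell the two apart, which is the point.
var ErrBadMaster = errors.New("vault: wrong master password or corrupted vault")

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out here so
// the example stays within the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, outLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	blocks := (outLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	counter := make([]byte, 4)
	for i := 1; i <= blocks; i++ {
		binary.BigEndian.PutUint32(counter, uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(counter)
		u := prf.Sum(nil)
		t := make([]byte, hLen)
		copy(t, u)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

// newGCM turns master password plus salt into an AES-256-GCM AEAD.
func newGCM(master string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(master), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the site->password map under the master password.
// Vault layout: salt || nonce || ciphertext+tag; the salt is also bound
// in as additional authenticated data.
func Seal(master string, entries map[string]string) ([]byte, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := newGCM(master, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(header, nonce, plain, salt), nil
}

// Open re-derives the key from the stored salt and authenticates before
// returning anything; a wrong master password yields no partial data.
func Open(master string, vault []byte) (map[string]string, error) {
	if len(vault) < saltLen+nonceLen+16 { // 16 = GCM tag size
		return nil, ErrBadMaster
	}
	salt, nonce, ct := vault[:saltLen], vault[saltLen:saltLen+nonceLen], vault[saltLen+nonceLen:]
	gcm, err := newGCM(master, salt)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, ErrBadMaster
	}
	var entries map[string]string
	if err := json.Unmarshal(plain, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

func main() {
	// Constructed sample entries, not real credentials.
	entries := map[string]string{"bank.example": "4jvKX3fred99+erk#2", "mail.example": "Tq8!vLm2@pRz"}
	vault, err := Seal("N0rthf1eld%#5andy", entries)
	if err != nil {
		panic(err)
	}
	_, wrong := Open("sandy", vault)
	got, _ := Open("N0rthf1eld%#5andy", vault)
	fmt.Printf("%d-byte vault; wrong master: %v; right master recovers %d entries\n", len(vault), wrong, len(got))
}
```

Everything in the vault stands or falls with the master password: the salt is public, the nonce is public, and the only secret input to the whole construction is the string the user types. That is exactly why the column's next point, picking a strong master password, matters more here than anywhere else.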

So you need a really good master password. That means something long, and with a couple of numeric characters and punctuation marks thrown in.

It's not a bad idea to substitute a number for a similar alphabetic character, such as a numeric "1" for the letter "l" or "I", a zero instead of the letter "O" or a "5" instead of the letter "s."

Some experts suggest a password that combines these distracters with information from your past that friends, acquaintances and colleagues wouldn't know - such as the name of the street your family lived on when you were born and the name of your first pet.

Here's an example combining all of these: Let's say you grew up on Northfield Road, with a dog named Sandy. You could easily convert that into N0rthf1eld%#5andy. Not very easy to guess.
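A small checker for master-password candidates, written as an added example (not from the column or either product) that applies the rules above: length, a couple of digits, at least one punctuation mark. The thresholds are this example's assumptions, as is the tiny constructed wordlist. One check goes beyond the column's advice: password-cracking wordlists routinely apply the same digit-for-letter swaps as rules, so the checker canonicalizes both the candidate and its dictionary before comparing. The column's real source of strength, private facts nobody else knows, survives that check; the substitutions on their own do not.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Assumed policy thresholds (this example's choices; the column says only
// "long, with a couple of numeric characters and punctuation marks").
const (
	minLen    = 12
	minDigits = 2
	minPunct  = 1
)

// canonical applies the column's digit-for-letter swaps in the forward
// direction so "N0rthf1eld" and "northfield" land on the same form.
var canonical = strings.NewReplacer("o", "0", "i", "1", "l", "1", "s", "5", "e", "3", "a", "4")

// Constructed mini-wordlist; a real check would load a large dictionary.
var wordlist = []string{"northfield", "sandy", "password", "summer", "road"}

// CheckMaster returns one finding per rule the candidate fails; an empty
// slice means it passed every rule implemented here.
func CheckMaster(pw string) []string {
	var findings []string
	digits, punct := 0, 0
	for _, r := range pw {
		switch {
		case unicode.IsDigit(r):
			digits++
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			punct++
		}
	}
	if n := len([]rune(pw)); n < minLen {
		findings = append(findings, fmt.Sprintf("only %d characters, want at least %d", n, minLen))
	}
	if digits < minDigits {
		findings = append(findings, fmt.Sprintf("only %d digits, want at least %d", digits, minDigits))
	}
	if punct < minPunct {
		findings = append(findings, fmt.Sprintf("only %d punctuation marks, want at least %d", punct, minPunct))
	}
	// Compare in canonical form so substitutions do not hide a dictionary word.
	norm := canonical.Replace(strings.ToLower(pw))
	for _, w := range wordlist {
		if strings.Contains(norm, canonical.Replace(w)) {
			findings = append(findings, fmt.Sprintf("contains dictionary word %q once digit substitutions are undone", w))
		}
	}
	return findings
}

func main() {
	// The column's own example, a weak variant, and a random-looking string.
	for _, pw := range []string{"N0rthf1eld%#5andy", "Sandy1", "Xq7#vLm2@pRz9&wTb4!k"} {
		fmt.Printf("%s: %d finding(s)\n", pw, len(CheckMaster(pw)))
		for _, f := range CheckMaster(pw) {
			fmt.Println("  -", f)
		}
	}
}
```

Run on the column's example, the checker passes the length, digit and punctuation rules and reports only that the two underlying words are in its dictionary; on a generated string like the one in the third line it reports nothing.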

What happens once you've selected a master password depends on the software. RoboForm, a $30 program that has been around for years, is the Rolls-Royce of this category. It records logons and passwords in electronic storage bins called PassCards.

When you reach a protected site, a drop-down menu in your Web browser will recall the correct user name and password and enter them for you. Or you can use RoboForm to completely automate the process - it will start up your Web browser, call up the site you want and sign in for you. Can't think of a password for a new site? RoboForm will generate one.

The program also stores the information you frequently need for Web shopping or logging onto sites that require some kind of registration - including addresses, phone numbers and credit card info.

When you come across a new online form, the program figures out what information it wants and automatically fills out the form.

There's not much more to say about RoboForm - it generally works as advertised. It's occasionally stumped by redirected Web pages and expired security certificates, both of which disrupt the normal data flow in Web browsing. But they're the exception. You can download a fully functional trial version at www.roboform.com.

If you're willing to forgo the form filling and a few other bells and whistles, Password Safe is a free program that handles most of the same chores.

A new version (3.0) was released last month. You'll find it at http://sourceforge.net/projects/passwordsafe/

mike.himowitz@baltsun.com

Baltimore Sun Articles