Safekeeping for passwords

Don't leave written copies lying about; revise often to deter computer thieves

August 03, 2008 | By Tim Barker, St. Louis Post-Dispatch

ST. LOUIS - In the world of passwords, there's a right way and a wrong way to protect yourself.

Cliff Gaines of University City, Mo., has lived on both sides of the line.

A decade ago, he was a poster child for how to do it wrong. His passwords were complicated enough. But he was committing a cardinal sin in the eyes of security evangelists: He was writing them down.

Those are five words that make most experts cringe. How, they ask, do you expect to keep yourself - or your employer - safe from identity theft and computer fraud if you leave the keys to your life scribbled on a piece of paper?

Turns out it wasn't such a great system for Gaines, either.

"From time to time, I'd pull it out. But then I'd lose it," Gaines said. "After that, you play tricks with your mind, wondering what you did with it. Was it on that business card I just gave out?"

Armed with a new system - based on the names of his favorite cars - Gaines long ago left the dubious ranks of those who put passwords on paper.

But if you've ever done it, don't worry. You have company, probably the person sitting next to you in the office.

In a survey of 800 high-speed Internet users in the United States and the United Kingdom, slightly more than half of the U.S. respondents confessed to writing down their passwords. And nearly half of the survey group said they used the same password over and over again - another big no-no.

Elizabeth Niedringhaus, president of SSE Inc., a technology consulting firm based in Maryland Heights, a suburb of St. Louis, has seen it all before.

"I can guarantee you if you walked into most small businesses and looked under the keyboards, about 30 percent of them would have their passwords written on little Post-it notes," Niedringhaus said.

It's merely a sign of the times we live in. Anyone spending time with a computer and the Internet is bound to have at least a dozen passwords to track. You have them for work, eBay, PayPal, online banking, favorite stores, message boards and social networking sites like Facebook or MySpace. Some must be changed every 60 or 90 days. Many have at least eight characters and contain numbers, symbols and capital letters.

Keeping them straight can be mind-boggling.

Just how critical it is depends on whom you ask. There is some debate about the value of passwords in the battle against the computer crimes that victimize 8 million people each year, costing more than $15 billion annually, according to the Federal Trade Commission.

Generally speaking, the risk of someone actually guessing the password to your online banking account is quite slim, particularly when you consider that most commercial sites limit users to a handful of guesses before the account locks up.

It is far more likely that identity theft will result from carelessness that has little to do with the strength of a password.

"By far, the greatest risk is that you will provide your password to someone," said Fred Cate, a professor at Indiana University School of Law.

It might be a friend or a family member you trust. Or it might be the person on the other end of an e-mail phishing scam - maybe the one masquerading as correspondence from your bank, urging you to log in to your online account to correct some issue.

Still, Cate says there's no reason not to create strong passwords: "Why not be smart about it? It's just like insurance. Most people who buy that never actually have to use it."

But that doesn't change the thinking of computer users like Chad Carter of Florissant, Mo., who commits half of each password to writing and the other half to his memory. Identity theft isn't something he worries about.

"I'm sure it does happen randomly, but the odds of being targeted are pretty slim," Carter said.

Some say that sort of thinking is what creates opportunities for identity thieves, who use a range of methods to get what they need from us.

The simplest are the brute force and dictionary attacks - computer programs that try over and over to guess your password. These attacks are the reason experts caution against using words found in the dictionary for your password and why employers make you change passwords every 90 days.

Another favored method is the use of Trojan horse programs to sneak into someone's computer to look for passwords, credit card numbers and other data that could be used for identity theft.

"In the old days, you would have to go from trash can to trash can looking for information. Today you can write a program that does all the work for you," said Todd Feinman, chief executive officer of Identity Finder, a New York City firm that specializes in safeguarding personal info.

Feinman suggests the use of password vaults - secure computer programs that keep track of all of your passwords. All you have to do is remember the password to the vault.

Hackers also target Web sites with lax security, looking for lists of user names and passwords. They have no desire to masquerade as you on your favorite scrapbooking Web site. Instead, they hope you use the same user name and password combination for sites like eBay and PayPal.

The trick to keeping yourself secure, on the other hand, is all about making your passwords complicated. A combination of letters, numbers and symbols can work wonders against malefactors.
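As an added example (not from the article or anyone quoted in it), the following Python turns the advice above into checks a defender could run: a policy test that rejects short, simple, dictionary-based or reused passwords, a login throttle that locks an account after a handful of failures the way commercial sites do, and the resulting ceiling on online guessing. The wordlist, thresholds and account name are constructed for illustration.

```python
from collections import defaultdict

# Constructed stand-in for a real wordlist (hypothetical values).
DICTIONARY = {"password", "letmein", "welcome", "dragon", "mustang", "corvette"}
MAX_ATTEMPTS = 5          # "a handful of guesses" before the account locks up
LOCKOUT = 15 * 60         # assumed lockout window, in seconds

def password_problems(pw, vault_passwords=()):
    """List the article's policy violations for a candidate password.
    vault_passwords: the user's own stored passwords (e.g. from a password
    vault), so reuse across sites is detected locally without sharing secrets."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbol")
    # A dictionary attack tries each word with trivial decorations, so strip
    # digits, symbols and case before looking the word up.
    if "".join(c for c in pw if c.isalpha()).lower() in DICTIONARY:
        problems.append("built on a dictionary word")
    if pw in vault_passwords:
        problems.append("reused from another site")
    return problems

class LoginThrottle:
    """Per-account failure tracking: lock after MAX_ATTEMPTS within LOCKOUT."""
    def __init__(self):
        self.failures = defaultdict(list)   # user -> timestamps of failures

    def attempt(self, user, now, password_ok):
        recent = [t for t in self.failures[user] if now - t < LOCKOUT]
        self.failures[user] = recent
        if len(recent) >= MAX_ATTEMPTS:
            return "locked"       # refuse even a correct password while locked
        if password_ok:
            self.failures[user] = []
            return "ok"
        recent.append(now)
        return "failed"

def online_guesses_per_day():
    """Upper bound on guesses a brute-force attacker gets against one account:
    one burst of MAX_ATTEMPTS per lockout window (96 windows a day here)."""
    return (24 * 60 * 60 // LOCKOUT) * MAX_ATTEMPTS
```

A few hundred online guesses a day is why the article calls direct guessing of a bank password a slim risk, while the same dictionary run offline against a leaked password list faces no such limit.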

But there also is a school of thought among tech folks that writing a password down isn't the end of the world - as long as you keep it somewhere safe.

Greg Muschong is a computer tech for the Shriners Hospital for Children in St. Louis, which requires employees to pick a new password every 90 days.

"If they aren't allowed to write it down, they'll forget it," Muschong said. "That's just the way it is."

Baltimore Sun Articles