Ann Arbor Business to Business
Small Business and the Internet
By Mike Gould
"Swordfish" ...The secret password in the Marx Brothers film, Horse Feathers.
Groucho needed the above password to get into a speakeasy. You need a password to get into your email, servers, bank account, various shopping sites and other secure places online.
What worked for Groucho doesn't work for you, as a few changes have come down the pike since 1932. We don't even use pikes any more; we use the Internet for most of our daily business. (A pike is a large fresh-water fish, often substituted for swordfish, but I digress...).
[Editor's note; Mike went into an even longer digression, something about fish, nets, and networking. This was edited out for reasons of brevity, sanity and mercy.]
A Password to the Wise
With the rise of identity theft and other evils of the Internet, we need to tighten up our online security behaviors. We are no longer protecting just the contents of our email, we are shielding our credit ratings, bank accounts and online identities. There are large books written on this subject, but I will try to sum up here with some explanations, recommendations, and fish jokes.
Swordfish is a lousy password because it is a word found in the dictionary. There are ways of attacking password-protected sites by running a computer program that systematically inputs all the words in a dictionary into a password field on an entry screen ("Anchovy? No. Bass? No. Cod? No...Swordfish? Welcome! You've got mail!"). For this reason, the first rule of password selection is: nonsense - pick letters and numbers that do not make up a normal word. Especially words like "password", your name, your account name, your accountant's name, etc.
So what sort of password do you use? Here are some of the usual recommendations gleaned from various security sites on the Web:
- Use at least 8 characters.
- Include one or more digits or punctuation marks (p@ssw0rd).
- Use mixed case (pAssworD).
- Choose a phrase or combination of words to make the password easier to remember (more on this below).
- Don't use a common sequence of characters (abcd, 1234, etc.).
- May be two words separated by a non-letter, non-digit character (past*word).
- May contain whitespace characters (such as spaces), if the system allows them.
- Use different passwords for different accounts.
- Change passwords regularly, and don't reuse passwords or make minor variations such as incrementing a digit.
"I have 15 different accounts I need passwords for; I can't remember all that stuff!" I hear you complain, bitterly. I feel your pain, and share it, for I am in the same boat.
All password systems are a trade-off between security and convenience; the more secure a system is, usually the less convenient it is to use, in that you have more complicated passwords to remember. A really secure system will require you to change your passwords monthly, never repeating them, and not permitting words that violate the above guidelines. This is the sort of system that tends to result in passwords written on a Post-It tucked under the keyboard, which sort of defeats the whole purpose of it all.
Passwords of Advice
Disclaimer: the following works for me, but is not the most secure way of doing things, as it violates several of the above recommendations. You have to determine your own security/comfort level.
My strategy is as follows: establish a hierarchy of security. Let's say you have an online bank account, an email/server account, an account on your own computer (assuming you are using any of the recent versions of Windows or Macintosh OS X) and a variety of accounts with online entities (fishingnews.com, luresRus.com, bait.com, etc.).
The bank account and email/server account are top security risks, and must be treated with the full respect accorded by the rules above. You want some line of gibberish to protect these two accounts. Here's what you do: get musical. Here's a splendid password: "S1twsmam". How do you remember it? Easy; it's the first words to that Beatles fishing chantey: "Salmon in the way she moves, attracts me..." You capitalize the first letter, substitute a "1" (one) for an "i" and you have a baffling password that will never be guessed. Use this for your #1 security site, and a similar cipher for your #2 site - maybe based on the next line of the song, or the next song on the album. (The album, of course, was Abbey Roe, and the next song was "Maxwell's Silver Hammerhead" - you do the math.)
Next up: the password that gets you into your computer. Here you have the added security of a locked-up environment, your home. Unless you have Internet-based file sharing enabled, you don't have quite the security needs of accounts exposed to the Russian Mafia on the Internet. If you are opening ports to the 'net so you can access your home computer from work, for example, then the same rules for banks apply, so set a password as above. This password protects you if your computer is stolen or if you have things on your hard drive you wish to keep confidential from family members, etc.
Here, an easier-to-type password will do. I follow the rules above, but with fewer characters. You could use the title of your favorite song, for example: "Aws0p" is easy to remember as Procul Haddock's "A Whiter Shad of Pale". Capital A, "0" (zero) for "o", and you're locked up.
Finally, for passwords I'm not too concerned about, I have an all-purpose word that is easy to type, yet obeys most of the rules above. This word I use for any Web site that insists I join their little family of consumers or whatever. I figure I'm not protecting much with this, so ease of use wins out here. You could use "\][p" as a password in this case - just run your fingers across the keys in the upper right of the third row of your keyboard. Again, don't use this for any account that involves credit card numbers or other sensitive information.
A final word of advice: all this is for naught if you ever give out your password or other sensitive information by responding to an email or phone call from someone posing as a representative of a company you do business with. This practice is called "phishing" (seriously) and is a common way to con you out of your security. Reputable firms will NEVER ask for secure information online or by phone.