Wednesday, April 28, 2010

Password Security

Dear Colleagues,

A number of people have thanked me for my emails, and made a particular point about how they're saving all of them to a special folder to read 'later'. I know all about 'special folders' where you put things you don't have time to do right now, so I went back to my office and sobbed quietly to myself. The library was full of students, so it was a bit awkward.

Save if you like, but keep in mind that information streams from the inter-tubes much like water gently bubbles from a fire hose. Your email is likely searchable, and I keep a slightly altered copy of these emails on a blog (http://teaching24-7.blogspot.com/), so keeping unread items in a folder to not read later isn't necessary - the information will be there (and if it isn't there, Google will have 1.3 million hits of equivalent information).

With that in mind, I will endeavor to keep my emails down to only one or at most two items each. Quicker to skim to see if it's useful, and then press 'delete' if it isn't.

The first is a method to make keeping secure, difficult-to-hack passwords easier to remember. I long ago lost count of the number of sites I need a different password for. Remembering all this information is a challenge, and many people have come up with strategies to meet it. Using the same password on multiple sites, or on a 'class' of sites, is one such method; using easy-to-remember passwords is another. I've seen passwords written on paper and stuck in drawers, and on the backs of monitors. Easy-to-remember passwords are also easier to guess (remember that, unlike on T.V., people don't guess passwords individually; they set up a computer to guess thousands of times per second using dictionaries and other common passwords). The difficulty with one password for all sites is that if one becomes compromised, they all do. It may not matter if someone hacks into the account you use for leaving comments on a blog, but if they can use that to get into your bank account, Facebook friends, or online email it's quite another matter. While someone posing as you could be embarrassing, the access can also be used to ask your contacts to send you money - claiming to be stuck in a foreign country while traveling. With access to your email, it's trivial for a third party to determine when you might be out of the country to make such a ploy plausible. This doesn't even touch the severe and ongoing problems true identity theft can create. As a teacher, imagine if someone used your account to email all of your students inappropriate comments - I think I'd prefer my bank account being hacked instead.

It often seems, however, that I'm stuck in a catch-22. If I don't write a password down, I need it to be something I can remember, which means someone might be able to crack it. If I do make it complicated enough (i.e. a minimum of 8 characters mixing letters, numbers, and/or symbols), then I need to write it down somewhere so that I can refer to it often - which opens up the possibility that someone will find my note.

The neatest solution I've seen to this problem in a while is http://passwordcard.org/ . The website will generate a unique grid of random letters and digits that looks like so:


And I know you're saying "Thanks Ron, just what I needed - another set of incomprehensible letters and numbers".

The usefulness of the card is that it serves the dual purpose of providing passwords that are hard to crack by people 'out there', while being something that can be taped to your monitor, put in your wallet, etc., to refer to. As an example of how it works, let's say you are going to use an 8-character combination for your online bank password. Rather than memorizing a complex string, I remember "green happy face". Reading down from the happy face symbol at the top, starting at the green line, my new password is "RVffH3y8", which is more than sufficient to meet security requirements, and difficult to hack.


Even better, I can print out this card, have it laminated, and put it in my wallet in case I forget the password. I can tape it to my computer, keep copies in my desk, etc. It doesn't matter if someone sees the card - there are literally thousands of combinations that are possible, running the combinations forwards, backwards, up, down or in any other easy-to-remember pattern:


I can use it without worrying whether someone is reading it over my shoulder, whether I lose my wallet, etc. I have the convenience of keeping my password written down when I need it, but without the added worry that it could be found and used by someone else. The website also gives the option to include a few rows of only numbers (for things like PINs) and can include symbols (just to take security up that extra notch).

As well, don't use the same password for different purposes - the password I use for my blogs should be different from the password I use for my bank. The quality of website security varies. I've even had one website email me my password directly when I successfully convinced them that I didn't remember it - if something is sent in a plain email then that password has been compromised, and was never secure to begin with. Websites with proper security and encryption would either reset your password and email you a random temporary one, or send a link to reset your own password. If you can read it in your email, then you can assume anybody else between you and the servers could have read it too.

So I use the card to generate multiple passwords:


In this particular example I just remember "Green Happy face down" for RKbUzQL6, and "Red Umbrella Up" for FbtECqL9. Both are difficult to hack, but I can carry both with me at all times.
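To make the two steps above concrete (reading one password down from a start cell, and reading a second one in another direction from the same card), here is a small model of the card as an added example; it is not code from passwordcard.org or from this post. The symbol and colour names, the 8x8 grid size, and the wrap-around at the edges are assumptions for illustration.

```python
import secrets
import string
from dataclasses import dataclass

# Column labels (symbols) and row labels (colours): assumed names, for illustration.
SYMBOLS = ["happy", "umbrella", "star", "key", "moon", "clover", "bell", "anchor"]
COLOURS = ["red", "green", "blue", "yellow", "purple", "orange", "grey", "black"]
ALPHABET = string.ascii_letters + string.digits
STEP = {"down": (1, 0), "up": (-1, 0), "right": (0, 1), "left": (0, -1)}


@dataclass
class Card:
    rows: list  # one string per colour, each len(SYMBOLS) characters long


def make_card(digit_rows: int = 2) -> Card:
    """Generate a fresh random card. The last `digit_rows` rows hold digits only,
    like the PIN rows the post mentions. The grid is drawn with `secrets`, so the
    card itself is unpredictable; the owner memorises only a start cell and a
    direction, and the printed card can be copied and carried openly."""
    rows = []
    for i in range(len(COLOURS)):
        pool = string.digits if i >= len(COLOURS) - digit_rows else ALPHABET
        rows.append("".join(secrets.choice(pool) for _ in SYMBOLS))
    return Card(rows)


def read_password(card: Card, symbol: str, colour: str, direction: str, length: int) -> str:
    """Read `length` characters starting at (colour row, symbol column), moving one
    cell per step in `direction`. Paths wrap at the grid edges, so any length can
    be read from any start cell."""
    r, c = COLOURS.index(colour), SYMBOLS.index(symbol)
    dr, dc = STEP[direction]
    out = []
    for _ in range(length):
        out.append(card.rows[r][c])
        r, c = (r + dr) % len(COLOURS), (c + dc) % len(SYMBOLS)
    return "".join(out)


def render(card: Card) -> str:
    """Text rendering of the card with its symbol header, for printing out."""
    header = " " * 8 + " ".join(s[0].upper() for s in SYMBOLS)
    return "\n".join([header] + [f"{COLOURS[i]:>7} " + " ".join(r) for i, r in enumerate(card.rows)])


if __name__ == "__main__":
    card = make_card()
    print(render(card))
    # The two memorised phrases from the post, read off this card.
    print("green happy face down:", read_password(card, "happy", "green", "down", 8))
    print("red umbrella up:      ", read_password(card, "umbrella", "red", "up", 8))
```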

If this appeals to you, I'd recommend generating a unique version at http://passwordcard.org/ and then copying that picture and printing off several colour copies. Laminate one for your wallet, and put another in your safe or file cabinet as a backup.

Passwords are your first, second, and last line of defense for your personal identity - if you spend a little time creating a secure system, you will have much less to worry about later on.

Regards,

Ron Neufeld

Canada's Best Boarding School

1 comment:

Scott said...

Wow, that is actually amazingly useful. I am going to tweet that post and am printing off the card asap. Thanks.