Friday, April 18, 2008

SOFTWARE: Keeping Me ... ME!

I figure I use something in the order of 150 different passwords over the course of a year. More if you count all the passwords I know that other people use. (Not kidding, I know the passwords of everybody at each client I do business with.) Keeping those straight can be a wee bit of a problem.

The system I USED to use was to take a root word, say Raptor, and at each site prepend that site's initials. If I was doing work for IBM, my password there might be ibmraptor. This worked decently well until I entered an NCAA basketball pool at both The Sporting News and TSN, The Sports Network. Oops, same password. That's when I started moving the initials around: sometimes at the back, sometimes in the middle. The result was that it took no more than three guesses to land on my password at any given site. That broke down when I couldn't remember whether Fox News/Microsoft was FNM or MFN. The permutations eventually escaped my ability to remember them all. Also, don't forget my memory issues from a couple of posts back.
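The trouble with that scheme is that the "no more than three guesses" budget applies to an attacker as well as to me. Here is an added example, not from the original post, that models the root-plus-initials scheme: given ONE leaked password and the site it came from, it recovers the root and enumerates every password the scheme can produce for another site. The root word, site initials and function names are my own constructions for illustration.

```python
"""Model of the 'root word + site initials' scheme and why one leak breaks it.
Everything here (root, initials, function names) is constructed for the example."""
import itertools
from typing import List, Optional


def derive_root(leaked: str, initials: str) -> Optional[str]:
    """Recover the shared root from a leaked password by removing the
    initials of the site it leaked from (case-insensitive). Returns None
    if the initials are absent, i.e. the password was not built this way."""
    idx = leaked.lower().find(initials.lower())
    if idx == -1:
        return None
    return leaked[:idx] + leaked[idx + len(initials):]


def candidates(root: str, initials: str) -> List[str]:
    """Every password the scheme can produce for one site: the initials
    slid into each position of the root, in the three capitalisations
    people actually use (lower, UPPER, Capitalised)."""
    out = []
    for pos in range(len(root) + 1):
        for ini in (initials.lower(), initials.upper(), initials.capitalize()):
            out.append(root[:pos] + ini + root[pos:])
    return list(dict.fromkeys(out))  # drop duplicates, keep order


def guess_list(root: str, initials: str, unknown_order: bool = False) -> List[str]:
    """Full guess list for a target site. With unknown_order=True the
    attacker also tries every ordering of the initials (the FNM-vs-MFN
    problem), which multiplies the list by at most len(initials)! and
    still leaves it tiny."""
    orders = ({"".join(p) for p in itertools.permutations(initials)}
              if unknown_order else {initials})
    guesses = []
    for order in sorted(orders):
        guesses.extend(candidates(root, order))
    return list(dict.fromkeys(guesses))


def brute_force_space(length: int, alphabet_size: int = 26) -> int:
    """Guesses needed to exhaust all passwords of the same length drawn
    from a whole alphabet, for comparison with the scheme's guess list."""
    return alphabet_size ** length


if __name__ == "__main__":
    root = derive_root("ibmraptor", "ibm")  # the IBM password leaked
    tsn = guess_list(root, "tsn")
    fox = guess_list(root, "fnm", unknown_order=True)
    print(f"root recovered: {root}")
    print(f"{len(tsn)} guesses cover every TSN variant, e.g. {tsn[:3]}")
    print(f"{len(fox)} guesses cover Fox/Microsoft even with the initial order unknown")
    print(f"versus {brute_force_space(len('tsnraptor')):,} for blind lowercase brute force")
```

The point of the comparison is that a site lockout after a handful of failures, which stops blind brute force cold, barely slows this down: the whole candidate list fits inside a few dozen attempts spread over a couple of days.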

Eventually, I came to rely on a program on my computer (plus one on my PDA) to record all my passwords under ONE master password. I have to enter TaraRaboomziyay to get INTO the database where I keep the collection. It might not be Tara's name, but you get the idea.

After some casting around, the program I settled on is an open-source (free and modifiable) effort called Password Safe. It can be found on SourceForge.

At the site, the author details the dire consequences of using the same password in many places. In fact, you should have a UNIQUE password for each site. I mentioned earlier that I know the passwords for users of the network AND of my software at the various sites I am charged with at least partially maintaining. Betcha at least ONE of them is using their home email password at work. Betcha a LOT are!
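If you keep your passwords in a database anyway, you can audit them for exactly this. The following is an added example, not part of the original post and not Password Safe's code: it runs over a constructed list of stored credentials and flags both outright reuse (one password at two or more sites) and near reuse, where two passwords differ only by a short site tag around a shared stem. The entries and function names are made up for illustration.

```python
"""Audit a credential list for reused and near-reused passwords.
The STORE entries below are constructed sample data, not real credentials."""
from collections import defaultdict
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

# Constructed sample of an exported password store: (site, username, password).
STORE: List[Tuple[str, str, str]] = [
    ("home-email",   "jdoe", "Raptor!99"),
    ("work-login",   "jdoe", "Raptor!99"),         # home email password reused at work
    ("sportingnews", "jdoe", "tsnraptor"),
    ("tsn",          "jdoe", "tsnraptor"),         # the basketball-pool mix-up
    ("bookstore",    "jdoe", "raptortsn"),         # same root, tag moved to the back
    ("bank",         "jdoe", "q7$Lm2!vXp9&Kd4e"),  # properly random
]


def exact_reuse(store: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group sites by password; return only passwords used at 2+ sites."""
    by_pw: Dict[str, List[str]] = defaultdict(list)
    for site, _user, pw in store:
        by_pw[pw].append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def shared_stem(a: str, b: str, min_len: int = 5) -> str:
    """Longest common substring of two passwords (case-folded), or '' if it
    is shorter than min_len. A long shared stem means one leak hands an
    attacker most of the other password."""
    a, b = a.lower(), b.lower()
    m = SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size] if m.size >= min_len else ""


def near_reuse(store: List[Tuple[str, str, str]], min_len: int = 5) -> List[Tuple[str, str, str]]:
    """Pairs of sites whose DIFFERENT passwords share a stem of min_len+ chars.
    Identical passwords are left to exact_reuse()."""
    hits = []
    for i in range(len(store)):
        for j in range(i + 1, len(store)):
            (s1, _, p1), (s2, _, p2) = store[i], store[j]
            if p1 == p2:
                continue
            stem = shared_stem(p1, p2, min_len)
            if stem:
                hits.append((s1, s2, stem))
    return hits


if __name__ == "__main__":
    for pw, sites in exact_reuse(STORE).items():
        print(f"REUSED: one password covers {', '.join(sites)}")
    for s1, s2, stem in near_reuse(STORE):
        print(f"NEAR REUSE: {s1} and {s2} share the stem '{stem}'")
```

Run this against an export of your own store and fix anything it prints; the "home-email" hit is the one that matters most, since that account is the reset path for the rest.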

Now, here's how easy it is to steal somebody blind. Knowing their email password and some place they do business, say Amazon, I go to Amazon's login screen. Almost ALL sites have a 'Forgot your password?' link. I click it at, say, 3am, and the site sends the reset to the account's email address. It's all automatic. The person is not up at that time, but I AM! Using their email password, I go to their internet service provider's web-mail interface and check the new mail. The reset message (or, at some sites, the password itself) for the Amazon account will be there, guarantee it.

Once I have THAT email, I get into the account. I change a few things, such as the delivery address. Then I order a big bundle of books to be delivered to some location I can check but that ISN'T my house. I then log back into the webmail account and delete the confirmation emails Amazon sends. I collect the books on the delivery date. Only after the person gets a BIG credit card bill does any investigation start. Meanwhile, I'm in the easy chair reading the collected works of some author I NEVER order, say that Willy Shakespeare dude.

Of course, this whole scenario has some fleas, because Amazon checks more diligently than I've just described. But the basic concept is entirely possible, and plenty of smaller sites do no more checking than this.

You MUST not let your password, especially your email password, loose. Your email account is the master key: whoever controls it can reset nearly every other account registered to it. If you even SUSPECT some other party might know it, change it.

The art of making passwords is a mystery to most folk. Using actual words is really stupid, as is using the names of loved ones and maybe even not-so-loved ones. For years I recommended spelling words and names backward. After a few uses, even an absurd password that is the backwards spelling of another word is easy to remember. Using random capitals and punctuation marks also helps. SIDE CHUCKLE: For years, I used one lady's name backwards as my standard password. Mentioned it to her in passing and she noted that I had misspelled her name backwards. So I also suggest spelling names sideways.

One of the reasons Password Safe is a good program is that it suggests passwords for you. Takes the pain right out of the creativity. You tell it how many characters, whether to use punctuation and whether to mix and match capitals. It does the rest, drawing the characters at random, so the result is in no dictionary and, at any reasonable length, out of reach of brute-force guessing. It gives you a delightfully unguessable password. So unguessable, if you don't have access to Password Safe, you aren't getting in.
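To show what those three knobs (length, punctuation, mixed case) buy you, here is an added example of a policy-driven generator in the same spirit. It is my own illustration, not Password Safe's code, and the function and parameter names are my own; the guess rate used for the time estimate is an assumption, not a measurement.

```python
"""Policy-driven random password generator plus the arithmetic behind
'unguessable'. Illustrative code; parameter names and the assumed guess
rate are the example's own, not Password Safe's."""
import math
import secrets
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase
DIGITS, PUNCT = string.digits, string.punctuation


def alphabet(mixed_case: bool = True, punctuation: bool = True) -> str:
    """Character set implied by the policy knobs."""
    chars = LOWER + DIGITS
    if mixed_case:
        chars += UPPER
    if punctuation:
        chars += PUNCT
    return chars


def generate(length: int = 16, mixed_case: bool = True, punctuation: bool = True) -> str:
    """Draw characters from the OS CSPRNG (secrets, never random) until a
    sample contains at least one character of every enabled class.
    Rejection sampling keeps the result uniform over the acceptable set;
    'pick one from each class, then shuffle' would bias it."""
    if length < 4:
        raise ValueError("too short to satisfy the policy")
    chars = alphabet(mixed_case, punctuation)
    required = [LOWER, DIGITS]
    if mixed_case:
        required.append(UPPER)
    if punctuation:
        required.append(PUNCT)
    while True:
        pw = "".join(secrets.choice(chars) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in required):
            return pw


def entropy_bits(length: int, mixed_case: bool = True, punctuation: bool = True) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet).
    The must-contain-each-class rule removes a negligible fraction at length >= 8."""
    return length * math.log2(len(alphabet(mixed_case, punctuation)))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every password of that entropy at an assumed offline
    cracking rate (1e10/s stands in for a fast hash on a GPU rig)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for length, mixed, punct in ((8, False, False), (12, True, False), (16, True, True)):
        bits = entropy_bits(length, mixed, punct)
        print(f"{generate(length, mixed, punct)}  {length} chars, "
              f"mixed={mixed}, punct={punct}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits):.2e} years to exhaust")
```

The entropy figure is what makes the difference between the two halves of this post: a 16-character password over all four classes carries roughly 105 bits, while the root-plus-initials scheme collapses to a few dozen candidates once one password leaks, whatever its length.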

That's when YOU get to click the 'Forgot your password?' link.
