That’s the mildest reaction I get from my clients when I dispense the advice encapsulated in the title of this month’s column.
“A password I remember I don’t need to write down, so it cannot be pilfered,” says the incredulous client.
“Not so,” I reply, and people are not sure whether I am joking or not. First, you always end up writing down the password, concerned that you will forget it after all. Second, to the extent that your password is memorable, that is the extent to which it is further from a random choice. And to the extent that your password is off-random, that is the extent to which it is easier to crack. And to the extent that your password is easier to crack, that is the extent to which your chances of becoming a cyber victim are boosted.
That old-timer financial executive countered: “How will a hacker know that my dog’s name is Rex, that my house number is 207, that I was born in New Jersey in 1964, so he can guess my password is ‘Rex207NJ64001’?”
I stared at his password and said, “Your passwords for other accounts are Rex207NJ64002, Rex207NJ64003, and so on, right?”
“Yes, that’s right. How did you know?”
“I learned it from the hackers,” I replied.
Then I told him one of the cyber war stories featured in my book, The Unending Cyber War. It’s called “base + counter”: people construct different passwords for different accounts, or for periodic updates of the same account, by combining a fixed base, like “Rex207NJ64”, with a counter, as in 001, 002, and so on. It makes the password rather memorable—and ridiculously vulnerable.
In one case, a hacker stored every failed password attempt so he could use it, together with the name of the account owner, to attack another system to which the same person had access. The trick exploits the human tendency to reuse passwords across systems and to try a password from one system when logging in to another. A smart hacker will offer free goodies to a target executive, who is then asked to open an account and supply a password. A respondent who supplies Rex207NJ011 will prompt his attacker to try Rex207NJ010, … 009, and so on.
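The “base + counter” habit is easy to spot in a password inventory once you know to look for it. The following audit routine is an added example, not code from the column or its author: it takes a mapping of account names to passwords (the hypothetical SAMPLE_PASSWORDS below is constructed for the demonstration), strips the longest run of trailing digits from each, and flags any accounts whose passwords share the same remaining base and whose trailing numbers sit within a small gap of each other. The same check applies to one account’s password history, where the counter advances at each periodic update.

```python
import re
from itertools import combinations

# Constructed sample: one person's passwords across accounts, the kind of list a
# password-manager audit would export. Hypothetical values, not from the column.
SAMPLE_PASSWORDS = {
    "bank":  "Rex207NJ64001",
    "email": "Rex207NJ64002",
    "shop":  "Rex207NJ64003",
    "cloud": "Rex207NJ99",      # same base, but the number is far from the others
    "forum": "summer2023",
    "wiki":  "summer2024",
    "vpn":   "t7#Qm9!vLp2z",    # no trailing digits: nothing to count from
}

# Lazy prefix + greedy digits: the base is everything before the longest run of
# digits at the end of the password.
TRAILING_NUMBER = re.compile(r"^(?P<base>.*?)(?P<num>\d+)$")


def split_trailing_number(password):
    """Return (base, number) if the password ends in digits, else None."""
    m = TRAILING_NUMBER.match(password)
    if m is None:
        return None
    return m.group("base"), int(m.group("num"))


def find_base_counter_groups(passwords, max_gap=100):
    """Group passwords by their non-numeric base and flag groups whose trailing
    numbers lie within max_gap of each other, i.e. look like a counter.

    passwords: mapping of account name -> password.
    Returns a list of {"base": str, "accounts": [names]} findings, one per base,
    sorted by base; accounts whose number is far from every other are left out.
    """
    by_base = {}
    for account, pw in passwords.items():
        parts = split_trailing_number(pw)
        if parts is None:
            continue
        base, num = parts
        by_base.setdefault(base, []).append((num, account))

    findings = []
    for base, members in sorted(by_base.items()):
        linked = set()
        for (n1, a1), (n2, a2) in combinations(members, 2):
            if abs(n1 - n2) <= max_gap:
                linked.update((a1, a2))
        if linked:
            findings.append({"base": base, "accounts": sorted(linked)})
    return findings


if __name__ == "__main__":
    for f in find_base_counter_groups(SAMPLE_PASSWORDS):
        print(f"base {f['base']!r}: counter-style passwords on {', '.join(f['accounts'])}")
```

Run against the sample, the routine reports the three Rex207NJ64xxx accounts together and the two summer20xx accounts together, while the lone Rex207NJ99 entry and the random vpn password are not flagged. The max_gap threshold is a judgment call: 100 catches counters and year stamps without treating every shared word as a finding.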
It’s embarrassing to realize how we fall into similar patterns when we try so hard to come up with an “uncrackable” password. The market is deluged with very sophisticated pattern-recognition software that uses social media and any peripheral information to guess the passwords for juicy targets. Just remember this: No matter how secure a system is, if it admits surfers on account of their passwords, then their passwords are in the crosshairs of sophisticated sleuths.
But what about that annoying “prove-you-are-human” software designed to prevent hackers from trying countless attempts to get in? While there is no generic cracking program for it, any particular implementation of the concept can be addressed with tailored breaching software.
Here’s an example of how this might work. An eight-character password composed of digits and upper- and lowercase letters draws from a field of close to 3 trillion options. However, any faint pattern associated with the password cuts this number down significantly. When the instructions say, “Must include two digits,” or “No capital letter for the first character,” this translates to a pattern and considerably reduces the search field.
Names, songs, dates—anything that makes passwords memorable to us is a pattern-inducer, and a help to hackers. A good policy is to use a non-algorithmic random-number generator activated just when needed, not earlier, to dispense a truly random, non-memorable password for each account.
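To make the two points above concrete, here is an added example (not code from the column or its author) that computes the search space for the alphabet and length the column gives, with and without the two composition rules it quotes, and then draws a password from the operating system’s cryptographic random source. That source is a software stand-in for the dedicated, non-algorithmic generator the column recommends; the rule labels and the `count_with_min_digits` helper are this example’s own.

```python
import secrets
import string

# 62 symbols: digits plus upper- and lowercase letters, as in the column.
ALPHABET = string.ascii_letters + string.digits


def count_with_min_digits(slots, min_digits):
    """Count strings where position i may hold slots[i][0] distinct digits or
    slots[i][1] distinct non-digits, with at least min_digits digits overall.

    Dynamic program over 'how many digits have been placed so far'; exact
    integer arithmetic, so the result is not a floating-point estimate.
    """
    dp = [1] + [0] * len(slots)
    for digit_choices, other_choices in slots:
        nxt = [0] * (len(slots) + 1)
        for placed, ways in enumerate(dp):
            if ways == 0:
                continue
            nxt[placed] += ways * other_choices
            if placed + 1 <= len(slots):
                nxt[placed + 1] += ways * digit_choices
        dp = nxt
    return sum(dp[min_digits:])


def search_space_report(length=8):
    """Size of the search space under each rule, and its fraction of the
    unconstrained space. 'at least two digits' is the reading taken here of
    the column's 'Must include two digits'."""
    any_char = (10, 52)        # digit, or upper/lowercase letter
    no_caps = (10, 26)         # digit or lowercase letter only
    cases = {
        "no rule":             ([any_char] * length, 0),
        "at least two digits": ([any_char] * length, 2),
        "no capital first":    ([no_caps] + [any_char] * (length - 1), 0),
        "both rules":          ([no_caps] + [any_char] * (length - 1), 2),
    }
    full = count_with_min_digits(*cases["no rule"])
    report = {}
    for name, (slots, k) in cases.items():
        n = count_with_min_digits(slots, k)
        report[name] = (n, n / full)
    return report


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character independently from the OS cryptographic random
    source (secrets), never from a seeded or user-chosen pattern."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, (n, frac) in search_space_report().items():
        print(f"{name:20s} {n:>22,d}  ({frac:.1%} of the unconstrained space)")
    print("sample password:", generate_password())
```

Each composition rule removes the strings that violate it, so every rule a policy adds is a slice of the space an attacker no longer has to search; the report shows the remaining fraction for each. Generating the password with `secrets` at the moment it is needed, rather than deriving it from anything memorable, is the script-level form of the column’s advice.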
Yes, it’s a pain to walk around with the cue cards of all these passwords, and a much bigger pain to immediately change all these passwords on the occasion of even a suspicion of compromise. But that’s how it is. You pay with convenience to buy security. Or that is what you should do. Most of us pay with security to buy convenience.
Is there any relief in sight? There are plenty of promising concepts, but the plain old password seems to have enormous inertia. Of the many solutions, the fundamental one is the concept discussed in last month’s column: the evolving cyber identity. Alas, nothing major will happen until a bold leader challenges the widespread notion that successful hackers, like destructive hurricanes, are a law of nature.
—Gideon Samid • Gideon@BitMint.com