Trust me, you can tell me your password

Future Tense for Mar. 20, 2007

By Steve Welker

What’s your password?

It’s OK, you can tell me. I’m a network systems administrator. We have all the passwords and I could look it up, but I’m in a hurry. Honest, you can trust me.

———

There was a time when that kind of “social engineering” — using psychology instead of hardware to unlock people’s computers — worked pretty well on everyone from bankers to school secretaries.

Nowadays, most people know they shouldn’t give passwords to strangers.

However, people still take candy from a stranger — chocolate eggs and Hershey bars work well — and some people give away their passwords in return.

Just before the annual Infosecurity Europe conference in London, two of the organizer’s staff members went to Liverpool Street Station and offered candy to people who would answer a few survey questions about computer security.

One question was, “What is your password?” More than a third of the people — 37 percent — told the staffers.

To anyone who wouldn’t, the staff member then said, “I bet it’s to do with your pet or child’s name.”

An additional 34 percent then revealed their passwords.

One banker refused to answer the first question, but said his daughter’s name is his password. “But, of course, I couldn’t give that to you,” he added. Finishing the survey, the staffer casually asked, “Do you have any children?” “Yes, a girl,” the banker replied. “What’s her name?” the surveyor asked. “Tasmin,” the banker said.

Another executive said he had trouble remembering passwords that had to be changed every month. His “foolproof” solution: “I use my wife’s name and the current month.” He wouldn’t reveal her name, but it was in the city directory.

Some of the most-common passwords in the IE survey were partners’ or children’s names (15 percent), sports teams (11 percent) and pets (8 percent). In other surveys, birthdays and anniversaries are common, but the most frequently used numeric combination remains 123456 or a variation (12345, 1234, etc.).

Passwords have been used for thousands of years to separate friends from enemies at the fortress gates or on a camp’s perimeter. In the Bible, Judges 12 says Gilead’s soldiers on the Jordan River crossings made strangers repeat the word “shibboleth.” Their enemies couldn’t pronounce the “sh” sound. For 42,000 Ephraimites, “sibboleth” wasn’t only the wrong password, it was their last word.

In the time of Christ, Roman legions took passwords very seriously. If a soldier on guard duty didn’t know the current password, they executed him.

In the 18th century, “1001 Arabian Nights” told how Ali Baba gained entrance to the cave of 40 thieves with one of the world’s best-known passwords, “Open, sesame.”

In the 19th century, Guy de Maupassant wrote an unforgettable short story about two French fishermen who died before a firing squad because they would not reveal a password to the Prussians.

In 1983’s “War Games,” a teen-aged computer whiz saved the world by guessing the W.O.P.R. computer’s password, the name of its creator’s son, “Joshua.” At least the head of security, Mr. McKittrick, had a sensible password: 7KQ201.

“Hackers” told filmgoers the four most-common passwords in 1995 — password, love, sex and God. Times have changed. Today, “love” has slipped to No. 3 or No. 5 (depending on whether you count 12345 and 1234 as separate entries), “password” is below “love,” “sex” is down to No. 10 and “God” dropped off the top-20 list. I’m not going to reveal the No. 1 most common password to 25,000 readers, but send me an e-mail and I’ll share it with you.

Most people hate having to remember passwords, especially because the best ones have no association with anything they can easily recall. Network security administrators prefer their users to have cryptic combinations of letters (in upper and lower case), numbers and symbols like 573|_|&//, which is my first name, Steven, spelled in leet (a cipher language also known as 1337).

The password security problem is growing as more and more people buy, sell and transact business on the ’Net. Stealing a password can be more valuable than stealing cash.

It’s clear we’ll need better security than commonly used passwords ... in the future.





