Passwords to Keep Your Data Secure

Passwords are what protect your data, so I was interested when a discussion recently turned to secure passwords that are easy to remember. Those are the two key requirements: the password must be hard to guess but easy to remember. If it's not easy to remember, you'll write it down. That makes it easy to find and that is, of course, exactly what you don't want. One of the participants in the discussion had a simple, elegant solution that I'd like to share with you.

I've used the same simple password on most things for a number of years, but coming up with one like mine can take a bit of thought. However, it's (A) non-obvious (not a birthday or the like) and (B) something that has about four permutations that can easily be changed but which still leaves me with much less to remember.

I got the idea from a friend of mine who used to work at a bank, where all personnel were required to change their personal passwords once a month. She used her long-deceased father's now-obsolete Social Security number, which she knew as well as her own, spelling out one number in it and changing back and forth between which numbers she spelled monthly. (Example: one234567891 and 1two34567891.) She could also cap or not cap one or two letters: enough permutations to make changing it easy, but few enough not to make remembering a problem. Mine's less numeric but is based on a similar principle.

I doubt if this tactic would work against password-hacking software, but this password is NOT used for, say, my bank account PIN or the like, and I doubt if people would want my password for logging into, say, my Yahoo account. However, I will ask the technical people among us (waving at Bill) if there are unseen weaknesses in my strategy.

You lookin' at ME?

Permutations are good. The one you describe is particularly good because it creates a password that's easy to remember, complex, and hard for a person to guess. One caveat, since you asked about unseen weaknesses: rotating among predictable variants of one base value defends against a human guesser, not against cracking software. Crackers apply exactly these kinds of rules (spell out a digit, toggle the case of a letter or two) to every candidate they try, so anyone who recovers one variant gets the whole family for almost nothing. The scheme buys memorability and painless monthly changes; it doesn't buy much extra strength.

The "best" passwords from a technical standpoint are at least 15 characters long and contain upper case letters, lower case letters, numbers, and symbols. The resulting number of possibilities is puffickly huh-yooge (with apologies [once again] to Stephen King). With 26 lower case letters, 26 upper case letters, 10 numbers, and at least 10 symbols that are legal to use, the alphabet has 72 characters, and a 15-character password drawn from it has 72 to the 15th power possible values, roughly 7 followed by 27 zeros. Puffickly huh-yooge.

The trouble is that these passwords tend to look like this: U85q#293pTMTY6h or KD&NL!*^I6%[1ot.

There's no way that a human will be able to remember either one of those. The password will be written down on a Post-It and stuck on the monitor. More careful people will hide it in the desk drawer. Some will put it under something in the desk drawer.

Passwords like that may seem smart, but really they're dumb.

I have used passwords that include the name of a long-dead cat, the address of the house where I grew up, and a daughter's nickname backward. I can even leave myself notes ("St. C cat, Bellefontaine address, and #1 dot nickname"). I'll know exactly what that means, but I challenge anyone to figure out the components I've provided. I could obscure it a bit more by writing (WOMP cat, 1964 address, EL animal nickname). So now you have two sets of clues. Can you figure it out?

In this case, the password would be Finster517Lizzard. And, no, I don't use that password anywhere, and I never have. Finster is a cat who came to live with me in 1972, when I was working at WOMP Radio; the name came from Rocky and Bullwinkle. The house I lived in as I was growing up had a street address of 517. Because there are so many nicknames for Elizabeth, it's unlikely that anyone would guess that one we used occasionally was Lizard. Easy for me to remember; hard for anyone to guess.

I've seen recommendations for long plain-text passwords (length does more for strength than mixing character sets, because every added character multiplies the number of possibilities), so passphrases like these would be strong even though a character-class-based password checker would say that they're not. One caveat: famous first lines are in the word lists that cracking tools use, so the phrase should be one that isn't a well-known quotation, or it should be altered in a way only you know, as the address trick below shows:
ItWasADarkAndStormyNight
TwasBrilligAndTheSlithyToves
FourScoreAndSevenYearsAgo
OutOfTheNightThatCoversMe

Or, if you want to get tricky, append your college apartment's address:
ItWasADarkAndStormyNight1653
TwasBrilligAndTheSlithyToves1653
FourScoreAndSevenYearsAgo1653
OutOfTheNightThatCoversMe1653

No, 1653 was never my address anywhere. No, I don't use any of those bits of text for any account.
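To put numbers on the three cases discussed above (a random character-soup password, a long passphrase, and the monthly-rotation scheme from the top of the page), here is an added example; it is not code from the original post. It assumes the 72-character alphabet counted above, treats the passphrase conservatively as 24 lower-case letters, uses a constructed nine-digit base number in place of anyone's real Social Security number, and takes a billion guesses per second as a round illustrative rate.

```python
import itertools
import math

# Alphabet sizes used in the discussion: 26 + 26 + 10 + 10 symbols = 72.
MIXED_ALPHABET = 72
LOWER_ONLY = 26
DIGIT_WORDS = ["zero", "one", "two", "three", "four",
               "five", "six", "seven", "eight", "nine"]


def search_space(alphabet_size, length):
    """Number of distinct strings of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Strength of a uniformly random string, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def case_variants(word, max_upper=2):
    """All spellings of `word` with at most `max_upper` letters capitalised
    ("cap or not cap one or two letters")."""
    variants = set()
    for k in range(max_upper + 1):
        for positions in itertools.combinations(range(len(word)), k):
            chars = list(word)
            for p in positions:
                chars[p] = chars[p].upper()
            variants.add("".join(chars))
    return variants


def rotation_variants(base_digits, max_upper=2):
    """Every password the monthly-rotation scheme can produce from a base
    number: exactly one digit spelled out in English, with up to `max_upper`
    letters of that word capitalised. This is the whole family an attacker
    needs to try once any single variant is known."""
    family = set()
    for i, digit in enumerate(base_digits):
        for spelled in case_variants(DIGIT_WORDS[int(digit)], max_upper):
            family.add(base_digits[:i] + spelled + base_digits[i + 1:])
    return family


def compare(guesses_per_second=1e9):
    """Figures for the three cases; returned rather than printed so they can be checked."""
    base = "123456789"  # constructed stand-in, not a real SSN
    family = rotation_variants(base)
    return {
        "random15_bits": entropy_bits(MIXED_ALPHABET, 15),
        "random15_years": years_to_exhaust(search_space(MIXED_ALPHABET, 15),
                                           guesses_per_second),
        "lower24_bits": entropy_bits(LOWER_ONLY, 24),
        "lower24_years": years_to_exhaust(search_space(LOWER_ONLY, 24),
                                          guesses_per_second),
        "rotation_variants": len(family),
        "rotation_bits": math.log2(len(family)),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>18}: {value:,.1f}")
```

The 24 lower-case letters beat the 15 mixed characters (about 113 bits against about 93) even before the passphrase's capitals are counted, which is the length-over-character-sets point. The rotation family, by contrast, is only 102 strings, under seven bits: fine for stopping a colleague from guessing, useless once a cracker has one member of the family.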

For a lot of low-priority accounts, I have a single, relatively short password that doesn't change. Eventually I started adding a prefix to add a bit of security. I try to create secure passwords, but I don't change them regularly and I don't spend a lot of time worrying about them. If you keep rogue applications off your computer (so far I've been successful at that) relatively simple passwords are sufficient. The one risk a shared password carries is that a breach at any one of those sites exposes it for all the others, which is the argument for confining it to accounts that truly don't matter. And if you allow your computer to be compromised, even KD&NL!*^I6%[1ot won't save you.

Oh, No! They're Suspending My Internet!

That's what the notice said. It had been trapped in my spam slop bucket and I was about to delete it because it had sailed into my harbor waving several red flags. Then I decided to take a closer look at it because I wanted to see what the spammer was up to. No good, clearly. I'll dissect it on this week's program.

You can probably spot several errors immediately. Let's go line by line.

"Your internet access is going to get suspended" has one large error and one subtle error. "Internet" is a proper noun, so it should be capitalized. There's also no period at the end of the sentence, but in this post-literate age, I suppose expecting one would be a bit much. But "is going to get suspended" just isn't good business English. A real ISP would have lawyers who look over these standard messages and that kind of language just wouldn't make it through.

"The Internet Service Provider Consorcium was made to protect the rights of software authors, artists." Buy a dictionary, fool! The word is "consortium", not "consorcium". The rest of the sentence is ungrammatical: consortiums aren't "made", but "set up" or "established", and the comma between "authors" and "artists" should be an "and".

"We conduct regular wiretapping on our networks, to monitor criminal acts." Wiretapping is illegal, except when conducted under the warrantless wiretapping rules currently in force. In any event, no ISP conducts wiretapping on its own authority. There's also an unnecessary and ungrammatical comma in the sentence.

"We are aware of your illegal activities on the internet wich were originating from." We're back to lowercasing "Internet", and apparently the phisher's template was supposed to insert a domain name or some other identifier at the end of the sentence and didn't. The fact that he doesn't know how to operate his own little program is another large red flag.

"You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended." If you have 6 of something (avocados, camels, months) you have a plural, so the noun following "6" should be plural. Dumb mistake. The next sentence just doesn't make sense as written; "of" should probably have been "or". More flags.

Sincerely
ICS Monitoring Team

More Clues

Where has this message come from? Canada. The company that provides my Internet access is headquartered in Denver and the last time I checked, Denver was still part of Colorado and that was one of our western states, not a province of Canada.

While the phishy spam was in my spam trap, I took a look at the message source and observed a zip file. That's the attachment that's referenced in the message. I assumed the zip would contain a Trojan horse that would try to turn my computer into a zombie, and that's exactly the case. AVG Antivirus wouldn't let me take a look at it.

I took a look at the message source. The screenshot of it looks slightly like a redacted FBI report obtained under the Freedom of Information Act, except that the FBI would leave only a few words visible. I've highlighted two sections in yellow.

Who is Craig Hall? Actually, the question should be "What is Craig Hall?" Craig Hall is a student living facility in Chico, California (which is just down the road from Harpo, a few miles from Zeppo, and adjacent to Groucho.) That "joke" gets very low Marx. Craig Hall apparently had nothing at all to do with any of this; it was just the domain name forged as the "from" address.

This one was just too easy.
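The checks made in that dissection (where the message actually entered the mail system, whether the "from" domain appears anywhere in the delivery path, whether it is even my ISP's domain, and what the attachment really is) can be run against a raw message source. The following is an added example and not code from the original post; the message it parses is constructed to resemble the one described, with documentation-range addresses and placeholder domains in place of the real forged sender, and the "my ISP" domain is an assumption supplied by the caller.

```python
import base64
import email
import email.policy
import re
from email.utils import parseaddr

# Constructed sample: a forged "your ISP" notice with a zip attachment,
# relayed through two hops. Hosts, addresses and domains are placeholders.
EMPTY_ZIP_B64 = base64.b64encode(b"PK\x05\x06" + b"\x00" * 18).decode()
RAW_MESSAGE = f"""Received: from mail.isp.example (mail.isp.example [192.0.2.10])
 by mx.recipient.example with ESMTP id 4QxT1; Sat, 11 Oct 2008 08:00:02 -0400
Received: from localhost (unknown [198.51.100.23])
 by mail.isp.example with SMTP id 7Kd9p; Sat, 11 Oct 2008 07:59:58 -0400
From: "ICS Monitoring Team" <abuse@student-housing.example>
To: reader@recipient.example
Subject: Your internet access is going to get suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

We are aware of your illegal activities. Check the attached report.

--b1
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

{EMPTY_ZIP_B64}
--b1--
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def delivery_path(msg):
    """(host, ip) for each Received header, top (final hop) to bottom (origin).
    Each relay prepends its own header, so the last one is the entry point."""
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())  # unfold the header
        host = RECEIVED_FROM.search(text)
        ip = BRACKET_IP.search(text)
        hops.append((host.group(1) if host else None,
                     ip.group(1) if ip else None))
    return hops


def attachments(msg):
    """Filename, declared type, and whether the bytes carry the zip magic 'PK'."""
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        found.append({"filename": part.get_filename(),
                      "content_type": part.get_content_type(),
                      "zip_magic": data[:2] == b"PK"})
    return found


def triage(raw, my_isp_domain):
    """Parse a raw message and return the facts plus a list of red-flag codes."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    _, sender = parseaddr(str(msg["From"]))
    from_domain = sender.rsplit("@", 1)[-1].lower()
    hops = delivery_path(msg)
    found = attachments(msg)
    flags = []
    if from_domain != my_isp_domain.lower():
        flags.append("from-domain-not-my-isp")
    if not any(h and h.lower().endswith(from_domain) for h, _ in hops):
        flags.append("from-domain-not-in-path")
    if any(a["zip_magic"] or a["content_type"] == "application/zip" for a in found):
        flags.append("zip-attachment")
    return {"from_domain": from_domain,
            "origin": hops[-1] if hops else (None, None),
            "attachments": found,
            "flags": flags}


if __name__ == "__main__":
    report = triage(RAW_MESSAGE, "isp.example")
    print("claimed sender domain:", report["from_domain"])
    print("entry point:", report["origin"])
    print("attachments:", report["attachments"])
    print("red flags:", report["flags"])
```

The origin is read from the bottom Received header because every relay adds its own header above the ones already present; the From line, by contrast, is free text the sender types, which is why the forged student-housing domain never shows up in the path. Checking the attachment's first two bytes rather than trusting its declared type catches the case where a zip is sent with a misleading Content-Type, and a real triage tool would go on to list the archive's contents rather than open it.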

Political Comments and TechByter Worldwide

Last week I mentioned in passing that I would address the topic of politics this week. By way of background, I received two gently worded complaints about my discussion of the break-in at Sarah Palin's Yahoo e-mail account. As part of that report, I mentioned that the use of such an account for conducting state business is illegal. Two people felt strongly enough about that to suggest political motivations for the story. It's really simpler than that, but also more complicated.

As I told one of the writers, I hesitated when writing that story, but it's the same story I would have written if it had been a Democratic governor of a state. Politics makes no difference in this story. It's dumb for an elected official to use an e-mail account that is not under government control for government business. It's also a violation of the law to hack into someone else's e-mail account and I hope that whoever did it will be identified and prosecuted.

But I can understand why someone might think that this was yet another instance of my interjecting a political comment into a report that shouldn't be about politics. This is, after all, a technology report and I have made certain statements that were clearly political in nature. I shouldn't have done that, I apologize for slipping up, and I promise to try harder to avoid them in the future.

As I said to the other writer, the occasional outbursts may be symptomatic of being told, for the past 8 years, that I'm a disloyal unpatriotic slug who probably shouldn't be allowed to breathe. (Yes, that is a bit of hyperbole.)

So, I'll omit the gratuitous comments, but when politicians do uncommonly good or uncommonly bad things that involve technology, I won't hesitate to mention them.

Nerdly News

If You're Thinking About a New Mac Powerbook ...

You might want to wait just a bit. Like maybe until next Tuesday. I hereby predict that Apple will have some news that will interest you then. And, no, I'm not psychic. Or psycho.

Late last week, Apple announced plans to announce something next week. This is a trick that they have learned from politicians: You hold a news conference to announce that you will have something to say at a later date, so you get two stories for the price of one.

The real announcement is scheduled for the day after Columbus Day, Tuesday, October 14th, and the topic probably will be notebook computers. Not that Apple has ever employed a red herring strategy, but an image with the announcement shows a notebook computer and includes the subtext, "The spotlight turns to notebooks." So I think I'm fairly safe in making this prediction.

The event will be held in what Apple calls its Town Hall, which is in Cupertino, California, at Apple's main campus.

The online rumors suggest that there won't be any large cosmetic changes, but that Apple will announce more efficient methods of assembling computers (in China). Another big (or is it little?) change is rumored to be swapping out the full-sized DVI connection with a mini-DVI connector.

Piracy Really Hurts People ... Doesn't It?

Well, actually, no. Early on, I bought the entire argument that sharing songs was illegal, immoral, unethical, nasty, and one sure path to hell. Now I'm not so sure, and I haven't been for a long time. Yes, I have downloaded some content of questionable origin, but when I find something that I really like, I buy it. Research suggests that I'm not alone.

The US Chamber of Commerce is trying to push through legislation that's even worse than the Digital Millennium Copyright Act (DMCA). They claim that piracy has cost the US 750,000 jobs and has caused $250 billion worth of financial losses. Could we have some figures instead of conjecture? Apparently not. The letter from the US Chamber of Commerce doesn't cite any sources for its figures, which means that the "estimates" may well have been made up by the US Chamber of Commerce.

Don't get too excited about this nonsense, though. The US Chamber of Commerce was simply mouthing support for the PRO-IP bill (which stands for the cutesy Congressional name, "Prioritizing Resources and Organization for Intellectual Property Act"). This is a bill that seems to be reincarnated every session of Congress. Fortunately, the House and Senate have enough members with enough brain cells that the bill dies every time it surfaces.

A recent Ars Technica article sheds a little light on the numbers. If you're an economist, you might already know that $250 billion is more than the combined US revenue of the music, movie, and software industries. That would make it difficult for piracy to cost $250 billion since people are still buying CDs and DVDs and they seem to be going to theaters.

But what are facts among a few lobbyists?
