Two Slashes


The Surprising Thing About Passwords

by Nick on Mar.24, 2008, under Musings

Since it’s a required part of my curriculum here at school, I’ve been taking a rhetoric class. Recently in this class, we were assigned a research paper on a category of problems in academia: something we can observe and then propose solutions for. Considering the topic of this post and me in general, you can probably guess (at least partially) which problems I’m focusing on in my research. The assignment couldn’t have come at a better time, as I’ve heard plenty of complaints about password-related issues lately. You see, the school I attend mandates yearly password cycling, and given when incoming freshmen are handed their account information, a lot of people are now hitting the one-year mark. Nearly every gripe I’ve heard centers on one of a few major issues:

  • The passwords my university requires are much more complex than the passwords most people use in their daily lives.
  • Most services don’t require password cycles every year, or…ever.
  • Since most people keep the same password (or set of passwords) for everything, constantly forcing password changes makes people forget their password more often, because it is no longer the same password they use everywhere else on a daily basis.

While these arguments are perfectly legitimate, the people using them as a rationale against changing their passwords are also the same people you find in a typical setting: not groomed in any form of security beyond the idea that any password is surefire protection. (Cue Morpheus’ voice…”Welcome…to the real world.”) Anyway, as part of my research paper, I decided to compare the three pages’ worth of requirements for our university passwords with the requirements used by what I took to be popular web services. And after a few hours’ worth of investigative work, I can sympathize with the people who think changing their password is a lot of work. In short, these services, which I assumed had at least a slight pulse on the idea of security, are grooming their users to be lazy and to do very little to protect their data and their access to the service. I’ve put together a table that should at least give an overview of the services I selected (if you have suggestions for more, I can’t promise anything but would welcome the heads-up) and the security procedures they enforce:

| Service | Case Sensitive | Min. Password Length | Req. Lowercase | Req. Uppercase | Req. Numbers | Req. Symbols | Age Enforcement Policy |
|---|---|---|---|---|---|---|---|
| Google | Yes | 6 | No | No | No | No | No |
| Facebook | Yes | 6 | No | No | No | No | No |
| MySpace | Yes | 6 | [1] | [1] | Yes | No | No |
| AOL Instant Messenger | Yes | 6 | No | No | No | No | No |
| Windows Live | Yes | 6 | No [2] | No [2] | No [2] | No [2] | No [2] |
| Yahoo! | Yes | 6 | No | No | No | No | No |
| eBay [3] | Yes | 6 | No | No | No | No | No |
| Amazon | No | 1 | No | No | No | No | No |
| Newegg | Yes | 6 | No | No | No | No | No |
| TigerDirect | Yes | 4 | No | No | No | No | No |
| Digg | Yes | 6 | No | No | No | No | No |
| Woot.com | Yes | 6 | No | No | No | No | No |
| Twitter | Yes | 6 | No | No | No | No | No |
| Wikipedia (English) | Yes | 1 | No | No | No | No | No |
| PayPal | Yes | 8 | No | No | No | No | No |
| USPS | Yes | 8 | Yes | Yes | Yes | No | No |

The numbers in brackets above correspond to these quick side notes:

  1. MySpace’s requirement is an in-between: at least one numeric and one alphabetic character must be included in the password; no requirement is made as to the case of the letter, however.
  2. Windows Live has two sets of requirements that depend on the services the user accesses. Typically, users only have a six-character minimum, but if an application they use requires it, Windows Live will force upper- and lower-case letters, numbers, and a unique symbol, plus mandatory password changes every 72 days. These 72-day password changes are offered as an option to non-qualified users.
  3. eBay refused to accept the password ‘aaaaaa’ because it is too weak. However, ‘ababab’ works, which means that eBay offers at least a slight security check at registration.
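To make the table concrete, here is an added example (not from the original post) that encodes a handful of its rows as checkable policies and reports which services would accept a given password. The policies are transcribed from the table and notes; the repeated-character rule for eBay is my assumption about what lies behind note [3], and the sample passwords are the ones quoted in this post.

```python
from dataclasses import dataclass
import string

SYMBOLS = set(string.punctuation)

@dataclass(frozen=True)
class Policy:
    """One row of the table: what a service demands of the password string."""
    min_length: int
    req_lower: bool = False
    req_upper: bool = False
    req_digit: bool = False
    req_symbol: bool = False
    req_alpha: bool = False           # note [1]: a letter of either case (MySpace)
    reject_single_char: bool = False  # note [3]: assumed rule behind eBay rejecting 'aaaaaa'

def check(password: str, policy: Policy) -> list[str]:
    """Return the rules the password violates; an empty list means it is accepted."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length}")
    if policy.req_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.req_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.req_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.req_symbol and not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    if policy.req_alpha and not any(c.isalpha() for c in password):
        failures.append("no letter")
    if policy.reject_single_char and len(set(password)) == 1:
        failures.append("single repeated character")
    return failures

# Transcribed from the table. Case sensitivity (Amazon: No) governs how the stored
# password is compared, not what the string must contain, so it is not a rule here.
POLICIES = {
    "Google": Policy(min_length=6),
    "MySpace": Policy(min_length=6, req_digit=True, req_alpha=True),
    "eBay": Policy(min_length=6, reject_single_char=True),
    "Amazon": Policy(min_length=1),
    "PayPal": Policy(min_length=8),
    "USPS": Policy(min_length=8, req_lower=True, req_upper=True, req_digit=True),
}

def accepted_by(password: str) -> list[str]:
    """Names of the services above whose policy accepts the password."""
    return [name for name, pol in POLICIES.items() if not check(password, pol)]
```

`accepted_by("A")` returns `["Amazon"]`, the single capital letter the text complains about; `accepted_by("aaaaaa")` returns `["Google", "Amazon"]`, since only eBay’s assumed repeated-character rule and the longer minimums stop it.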

Frankly, I’m very concerned with all of that red, and especially concerned with sites like Amazon, which let you store important credit card information in your account for easy checkout and then let me log in with a capital ‘A’. Microsoft even surprises me (though in a good way), if you consider their forced-security dependency to be a good idea. (For once, Microsoft, I like.) Not that these sites and services even compare to the requirements for our university credentials, but it gives you an idea of just how absurd the gap is. Especially when I throw in the fact that a lot of these places have posted “suggestions” for creating a good and secure password, and then brush them all aside in favor of some six-character string. So I apologize if I’m reiterating what you already know or have seen, but after all of that, I think it’s important that people actually understand what good security is.

  • The best passwords are not found in any published or publicly available work, be it a dictionary, your favorite action novel, or some random screenshot you found on Flickr. Don’t use anything important either, like a Social Security number. Anything personally identifiable or with a direct reference to your life is out too; that means quit using your aunt’s birthday as a PIN. As one demonstration of coming up with unique but memorable passphrases, think of memorable snippets from your favorite written work (you’re probably double-taking right now, but keep reading). Now develop your own personal algorithm for going through the phrase to select characters (and don’t be afraid of punctuation or numbers, because they help too and add uniqueness). For example, try taking the numbers of the Fibonacci sequence as positions and pulling out the letters found there. It sounds tedious now, but if you use the password regularly, muscle memory will take over and you won’t even realize you’re entering it anymore. At least, if you use it that regularly.
  • NEVER use the same password in more than one place. There IS a reason for this, aside from “the man” trying to confuse you and keep you from checking your mail: compartmentalized security. If an attacker compromises one account and gets hold of a password you use everywhere, you haven’t just handed him one site or a credit card, you’ve handed him your entire life. If that password doesn’t work anywhere else, the attacker has to go back to work and start all over again on the next site (if they’re indeed targeting you). If you can’t keep all of your passwords straight, get a trusted and reputable password manager and store your passwords in it. Some suites also give you the added benefit of randomly generated passwords like ‘Bs4&nd*D’, at the expense that you probably won’t remember them unless you use the application.
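As an added illustration (not from the original post) of the “personal algorithm” idea in the first point above: take a memorable snippet, drop the spaces, and keep the characters at Fibonacci positions. The snippet and the choice to drop spaces are my assumptions; the second function reports which of the table’s character classes the result contains, since whatever you derive still has to satisfy the policy of the service you use it on.

```python
def fibonacci_positions(limit: int) -> list[int]:
    """Distinct Fibonacci numbers <= limit, used as 1-based character positions."""
    positions, a, b = [], 1, 2
    while a <= limit:
        positions.append(a)
        a, b = b, a + b
    return positions

def derive_passphrase(snippet: str) -> str:
    """Keep only the characters of `snippet` that sit at Fibonacci positions.

    Spaces are dropped first (an assumption) so every position lands on a
    visible character; punctuation and digits are kept, as the post suggests.
    """
    compact = "".join(ch for ch in snippet if not ch.isspace())
    return "".join(compact[p - 1] for p in fibonacci_positions(len(compact)))

def character_classes(password: str) -> set[str]:
    """Which of the table's character classes the string actually contains."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

# Constructed sample snippet: the opening of A Tale of Two Cities (41 non-space characters).
SAMPLE_SNIPPET = "It was the best of times, it was the worst of times."
```

For the sample snippet the positions are 1, 2, 3, 5, 8, 13, 21 and 34, giving `Itwseoio`, which contains upper- and lower-case letters but no digit or symbol, so it would not pass a USPS-style policy without further tweaking.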

Considering these password recommendations are nearly timeless, it only makes me wonder when people are actually going to pay attention BEFORE something bad happens to them. So quit complaining that you’ve got to change your password. Make it memorable, make it unique, and treat it as a national secret. And for Christ’s sake, ignore the fact that Google isn’t going to check for mixed-case characters; force yourself to check for them. And a note to the few, the proud, the WordPress users: WP2.5 RC1 is nice, but I don’t think it’s ready yet. It’s got a few bugs, and I miss my old blue administration panel. I actually think it made more sense doing “Blogroll > Add Link” than “Write > Link” to add things to my blogroll.
