17 February 2012

Passwords, PINs and IDs

Welcome back. Did you happen to see the article "How Safe Are Your Passwords?" in the Winter 2012 Consumers’ Checkbook Update? (There’s a link to the article in my “P.S.” below.)

I know. Over the past few decades, there have been umpty-ump articles on passwords in every source known to readers. The table in this article caught my eye.

Hacking Passwords

Checkbook’s table provides estimates of how long it would take a hacker to guess your password, depending on how many characters the password contains and what types of characters they are.

For example, if the hacker’s computer cranks out one million guesses each second, it would take about 0.01 seconds to guess a password (or ATM PIN) of four characters, all numbers.

But if your password has nine characters and if those nine characters include numbers, lowercase and uppercase letters, and punctuation symbols, it might take 19,985 years. Few hackers will wait that long.

There’s more to it, of course. A password with your pet’s name is going to be easier to guess than one with characters selected randomly from the keyboard. Since I wouldn’t guess that random selection either when I forget the password tomorrow, I lean toward one of the ways the article describes for forming a password.

1) Start with a secret phrase you’d never forget. I might choose, “Henry-The-Cat must go!”

2) Now take the first letter of each word in the phrase to be the core of the password. My first letters would be HTCmg.

3) Finally, add one or more numbers and symbols. Although my phrase deserves the exclamation point, a question mark is easier for you to see: HTCmg5?

Cool, huh?
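
The arithmetic behind the table's estimates can be reproduced directly. The following is an added example, not code from Checkbook's article or from this post; it assumes a 95-character alphabet (printable ASCII, space included) and a 365-day year, which together reproduce the 19,985-year figure, and every sample password other than HTCmg5? is constructed.

```python
import string

GUESSES_PER_SECOND = 1_000_000         # guess rate quoted in the post
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: 365-day year

# Assumption: "punctuation symbols" means the 32 ASCII punctuation marks
# plus the space, so all four classes together give 95 characters.
CLASSES = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "symbols": string.punctuation + " ",
}


def alphabet_size(password):
    """Total size of the character classes the password draws from."""
    known = "".join(CLASSES.values())
    stray = sorted({c for c in password if c not in known})
    if stray:
        raise ValueError(f"characters outside printable ASCII: {stray}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Seconds to try every string of this length over this alphabet."""
    if not password:
        raise ValueError("empty password")
    return alphabet_size(password) ** len(password) / rate


def describe(seconds):
    """Render a duration in seconds or years, whichever reads better."""
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds:,.2f} seconds"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # Constructed samples, except HTCmg5? which is the post's own example.
    for pw in ("1234", "12345", "aB3!xY7?z", "HTCmg5?"):
        print(f"{pw!r:12} alphabet={alphabet_size(pw):3} "
              f"worst case: {describe(worst_case_seconds(pw))}")
```

These figures are upper bounds for exhaustive search over randomly chosen characters; a password built from a pet's name or a dictionary word falls much sooner, as noted above.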

So Many Passwords

Working for the government, I was required to have different strong passwords for different systems and to change those passwords periodically. Being in the password groove, I would come home and put still another strong password on my home computer.

Did I really need to protect my home computer files from my wife or the cats? I could understand if I was dragging the computer around with me, but my computer is an old, tired, undraggable desktop.

Suppose a burglar broke into our house and grabbed my computer. Are burglars good hackers? No; their skill set involves breaking and entering. They would try, probably unsuccessfully, to sell my computer.  

Suppose my computer, with its less than strong password, somehow found its way to a genuine hacker. Will the hacker enjoy my draft posts for this blog? Will my email titillate? Will the photos of Henry cause the hacker to send the burglar back to our house to steal Henry? Please, to everything!

There are no passwords floating around in my computer files and not a lot of any value (apologies to everyone in my email address book). Maybe the hacker would get into my Netflix account, check my queue and pick more exciting movies. Hey, it’s my wife, not me, who likes all those rom-coms (i.e., romantic comedies).

Identity Theft 

My latest Credit Report noted that the FBI named identity theft as the fastest growing crime in America. It was only a promotion, but it gets your attention. I buy things online, though I’m hesitant to do more than offer a credit card, even when I see the “s” in https://. Submit my Social Security number? Hmmm…how times have changed.

[Image: A modified view of Warren’s long-ago faculty identification card]

When I was an undergraduate in the 1960s, the university took our Social Security number to be our student identification number, which was used for everything. That practice didn’t change for years, as my faculty ID attests.

Not to downgrade dumpster diving and the like, I guess it wasn’t as easy or rewarding to steal someone’s identity without all of today’s online everything.

Wrap Up

The Internal Revenue Service requires taxpayers who file online to use a 5-digit Personal Identification Number (PIN) as an electronic signature.

If a hacker gets a shot at your 4-digit ATM PIN, it might take only about 0.01 seconds to guess your number; but if that hacker gets a shot at your 5-digit IRS PIN, well, relax. Guessing that would take 10 times longer--maybe one-tenth of a second.

Oh stop worrying! You know hackers would never get into a government database.

Thanks for stopping by. I’ll write again in about a week.

P.S.

I subscribe to Consumers’ Checkbook, but you don’t have to be a subscriber to view the article on passwords: http://www.checkbook.org/cgi-bin/memberonly/tips/How-safe-are-your-passwords/wdc/article.cfm

Regarding identity theft, you might check out the Federal Trade Commission’s website on the topic: http://www.ftc.gov/bcp/edu/microsites/idtheft/
