
How Obvious Are Passwords?

At the risk of being known as the "question-title guy" for blog entries, I read about this password-cracking site and found myself wondering what data security experts think about the way we devise passwords.

A while back I was alerted to this blog entry by Bruce Schneier. He suggests:

that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

So for a few years now I've done just that. Every once in a while I change all of my most sensitive passwords to long, randomly generated character strings, then keep them on a piece of paper in my wallet. That paper, by the way, does not say which website each password covers, nor the user IDs: I just have to remember the order in which I wrote the sites down.

Of course, not too long ago, Schneier's advice came back to haunt him, as you can see in this comment on a story regarding the recently busted Russian "spy" ring.

And, as I noted before, not all of my passwords are randomly generated, 14-character strings; only about four or five of them are. That doesn't, of course, cover the wide range of password-protected sites I access. For other sites, I try to use random strings, but simply don't make them as long. They are written down as well, but kept at home rather than in my wallet: I just have to get used to not accessing certain sites remotely. For some sites, though, I still have "lazy" passwords. I try to keep those to sites that don't hold a lot of personal information on me, like news sites or hockey fan boards.

When our economy collapsed under the weight of bad loans, some pundits lamented the financial illiteracy of the average American. Proposals for mandatory classes in personal finance for schoolchildren were popular. Now, privacy is becoming big business, and our data is becoming a new sort of currency that must be managed responsibly.

Some sites on which I've registered require a non-numeral, non-letter character in passwords. This is a good habit to encourage. But often consumers click "Forgot my password" when they can't remember which "C" was replaced with "(". (Well, I shouldn't speak for everyone; just for me, who has found himself there quite often.) One thing is for sure, however: Americans must begin to take this seriously, as their data moves throughout the cloud as often as it does.
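To make the "long, randomly generated string" approach and the "must contain a symbol" rule concrete, here is an added Python example (my own illustration, not code from the author or from any site mentioned above). It draws passwords from the operating system's CSPRNG via the `secrets` module, optionally enforces the required-symbol rule by rejection sampling so the result stays uniformly random, and computes the entropy in bits so a 14-character random string can be compared against an 8-character "lazy" lowercase one. The symbol set `SYMBOLS` and the 14-character default are my assumptions, chosen to match the post.

```python
import math
import secrets
import string

# Character classes. SYMBOLS is an assumed set of the "non-numeral, non-letter"
# characters some sites require; adjust it to what a given site accepts.
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LETTERS + DIGITS + SYMBOLS  # 52 + 10 + 24 = 86 characters


def generate_password(length=14, require_symbol=False):
    """Return a random password drawn with the OS CSPRNG (secrets module).

    With require_symbol=True the result is guaranteed to contain at least one
    character from SYMBOLS. Rejection sampling (redraw until the rule holds)
    keeps the distribution uniform over all passwords that satisfy the rule,
    unlike "pick one symbol, then fill the rest", which biases the output.
    """
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_symbol or any(c in SYMBOLS for c in pw):
            return pw


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_policy(pw, min_length=14, require_symbol=False):
    """Check a password against a simple length / required-symbol policy."""
    if len(pw) < min_length:
        return False
    if require_symbol and not any(c in SYMBOLS for c in pw):
        return False
    return True


if __name__ == "__main__":
    strong = generate_password(14, require_symbol=True)
    print("random 14-char password:", strong)
    print("entropy of 14 chars over 86 symbols: %.1f bits" % entropy_bits(14, len(ALPHABET)))
    print("entropy of 8 lowercase chars:        %.1f bits" % entropy_bits(8, 26))
    print("meets policy:", meets_policy(strong, 14, require_symbol=True))
```

Running it shows why length matters more than any single mandated character class: 14 random characters over an 86-symbol alphabet give roughly 90 bits, while an 8-character lowercase "lazy" password gives under 38, and adding one required symbol to a short password moves that number only slightly. Note that `random.choice` would not be a safe substitute here; `secrets` is what you want for anything that must resist an offline cracking attempt.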

Nathan Golia is senior editor of Insurance & Technology. He joined the publication in 2010 as associate editor and covers all aspects of the nexus between insurance and information technology, including mobility, distribution, core systems, customer interaction, and risk ...
