
Cracking Passwords

Here's a New York Times article about passwords.

The task of maintaining passwords can be a real bear. Every mom and pop website seems to require a user name and password. Ever since I forgot a root password 6 months ago (requiring me to reinstall the OS), I vowed more diligence about the matter. I kept a notebook of passwords (something that probably is not a good idea), and added to it periodically only to find that I was adding nearly a hundred passwords. The problem is that not only do you need to remember passwords, you also need to remember the user name you used as well as the email address. (When you forget passwords, they often ask you to submit an email address). I also send secure emails to myself using hushmail with the actual passwords.

I am pretty good at making strong passwords, although I have started using punctuation only recently for them. The article above mentions that people who use symbols typically use only @, & and the $, and shockingly that is true for me as well. I use a standard password for all my newsgroups and bulletin boards, another one for transactions, another for root accounts and an absolutely uncrackable one for my hardware router. One of my secrets is incorporating words of Albanian origin; surely no password cracker has dictionaries for that yet.

I am most frightened by the non-secure login screen for my yahoo accounts. I can log in to email securely, but yahoo messenger does not have secure login. It seems that a person might be able to intercept a yahoo messenger login and then use it to access my free email accounts through non-secure login. (Note written a month later: Well, yahoo has secure login after all. They also have a free service, zixmail, for encrypting the messages as well as the login. The question then becomes whether people can remember to use these features.)

Why is this important? By accessing my web-based emails, crackers gain the ability to change passwords to other accounts and to learn about user names and where I have accounts. Because ecommerce companies help with forgotten passwords by sending to the shopper a temporary password and/or a url for changing the account, any person with access to that email account would be able to do a lot of damage. For example, Amazon doesn't require that you reenter the credit card number on an order, so as long as you gain access to a person's web email account, you can charge anything you want.

What is the solution? Besides using hushmail for commercial transactions, one idea might be to use a secure yahoo account for commercial transactions, use different passwords for each ecommerce account and never use your chat messenger on your email account for ecommerce. I am not sure whether accessing my ISP’s pop server is secure, but I doubt it.

Unless a better authentication system has arrived (and it's quite possible that MS's passport is that system), the web will slowly become more impossible to manage, both from the consumer end and the business end.

  • Andrew 10/1/2008, 1:51 am

    Wow, your post is nearly 7 years old and not much has changed in terms of internet security – email is still insecure, and passwords are still sent in clear text form via email much of the time!
