Consulting, Publishing, Engineering

Password panic? Not necessary

While I completely agree that there is a lot of information that simply does not belong online, I’ve also seen a bit of overreaction lately against posting ANYTHING in the least bit personal. Tiffany Monhollan wrote a nice article over at Brazen Careerist recently, and while I agree that people need to be very careful about personal information, I do not agree that simply posting your cat’s name means that you are necessarily opening yourself to identity theft or cyber attack. Sure, you should keep your social security number private. And it’s probably not a good idea to post your name, address, and phone number all over the place.

The challenge comes when sites require us to choose “challenge” questions. You know the ones, where you put in your password, and then you have to give the site a secret answer to a question like “what’s your mother’s maiden name?” so that they can verify your identity in case you forget the password. OK, that’s actually several issues, isn’t it?

1. creating a password you aren’t likely to forget, but that hackers can’t guess
2. authentication of your identity without a password
3. choosing “secret” questions that make sense

Bruce Schneier has way more expertise in this area than I do, and he’s a good read no matter what security issue is at hand. One of the commenters on Tiffany’s blog recommends Bruce’s article about passwords. One of the reasons I really like Bruce Schneier’s work is that he advocates reasonable approaches. A 27-digit password isn’t very good if you (the authorized user) can’t remember it!

Another commenter on Tiffany’s post recommends Kevin Mitnick’s book “The Art of Deception” – a truly fascinating book about social engineering. Even Kevin, a world-class hacker/scammer/social engineer, admits that it doesn’t matter what electronic mechanisms you have in place, it is the human element that is most easily cracked. This is actually an entirely separate topic, and one I’ve written (and spoken) about in the past.

So. What’s the moral here? Make a strong password that you can remember but that doesn’t appear on the list of 500 most common passwords. There are lots of places you can find advice on how to make strong passwords, and they mostly agree on the following points:

Use letters, numbers, and punctuation marks.
Make your password at least 8 characters long.
Do NOT use your name or login as part of the password.
Don’t use common words – or swear words (which are more common as passwords than you’d think!)
Don’t use your family names (spouse, children, pets, etc.)

If you follow these rules, then it won’t matter if someone knows whether your cat’s name is Spartacus or Ghlaghghee, they won’t be able to hack into your bank account or whatever other info you’ve got online.

Sorry, comments are closed for this post.