Saturday, August 16, 2014

Forget Security

It's astounding the amount of useless, non-sequitor things I have trapped in my head. Sure, there are the times tables and proper way to address an envelope. But just ask, and with almost no hesitation I can also quote you the chorus of obscure Steely Dan songs ("Bad sneaker and a pina colada, my friend/stomping down the avenue by Radio City"). Or key lines from certain MASH episodes (Frank Burns to Margaret Houlihan: "It's nice to be nice to the nice."). Or the correct DOS command to list computer files in a widescreen mode page-by-page (DIR/W/P). It's sad to say, but no, I didn't Google a one of them.  

That's me. For you, it might be sports scores or players. Or Simpson episodes. Or sneaker designs. The point is that each of us is capable of maintaining multiple data points in our brains that are rarely germane to our everyday pursuits. And while they may not as important as memorizing the different nerves in the arm if you're a doctor, or the correct way to cite a prior ruling if you're a lawyer, it can be helpful. After all, if you can recall the combination to your gym locker or the exact address of your accountant without having to retrieve the cheat sheet from your wallet, it can save you a few minutes when you need to access the information. And so it used to be for passwords.

Passwords used to be about access, not security. We put them in place so that casual wanderers who got to the front door didn't just wander in. It was kind of like locking the door and taking the keys of a convertible, but leaving the top down. It wouldn't stop someone who wanted to pretend it was theirs or even hot wire it. But it deterred some smart-aleck from doing something stupid, like hopping in or taking a joyride, the very definition of a crime of opportunity.

Now, in the wake of the discovery of a billion plus passwords stolen by some Russian crime ring (yours and mine likely among them), experts are once again telling us all to step up our vigilance. More to the point, they are telling us to stop trying to remember our passwords by using simple, easy to recall combinations. No more Yankees1 for you. No, the smart thing to do is forget all that, and cede the task to an app or program. That way we can have a unique code for every different site, and each code can approach un-guessability in its design. So your Amazon key becomes 7sa^Js9#, while the one for the New York Times is n&n19!8H.

Sort of makes sense. But there's a dirty secret. Count the numbers, letters and symbols. In spite of the seeming complexity of the latter two, all three variants are still just 8 characters in length. And so, to a hacker, they're not that big a deal. There are various sites purporting to offer to test your password for crackability based on the program being used, the speed of the processor and so on. But even with their different results, the scale is instructive. So at one site, while Yankees1 will take just 2 seconds to break, the others will take just 2 minutes. That's right, about as long as it takes to read this column. So why bother?

It turns out that in password security, size does matter. Every extra character you add makes it more secure, even if it's just letters. So just typing 4 words in a row works. So while u&sk$SgG takes a few seconds to crack, glancingaskancemarcwollin would take 35 trillion years. Capitalize the first letter of each word, tack on 2014, and it goes to 37 nonillion years. That's a one with 30 zeros after it. Break that, Vladimir.

True, since the experts also say that you shouldn't reuse your passwords, you could have 10 or 20 or 30 multiple word combinations. So, yes, there's no chance I will remember them either, and yes, I still need a program to help. But it's far more secure than using the other resident eight digit combinations in my head.  So no more using the serial number of the Starship Enterprise. (By the way, it's NCC-1701, and no, I didn't need to look up that one either.)


Marc Wollin of Bedford is slowly changing all his passwords to make them longer. His column appears regularly in The Record-Review, The Scarsdale Inquirer and online at, as well as via Facebook, LinkedIn and Twitter.

No comments: