Password advice from the father of the firewall

This article was published in Scientific American’s former blog network and reflects the views of the author, not necessarily those of Scientific American


As more and more personal business is conducted online, passwords (make that dozens of passwords) have become a necessary evil of daily life. We all know the rules for coming up with good passwords, or at the very least we hopefully know there are rules—choose an alphanumeric combination, don't write it down, don't use it for multiple accounts, etc.

Despite this guidance, "people are lousy at picking passwords that computers can't guess, especially computers with multi-core processors," Bill Cheswick said at a cyber security conference held recently at New York Institute of Technology. Cheswick has some credibility in this area. In addition to his current position as lead member of AT&T Research's technical staff, he played a key role in developing the first firewall systems more than two decades ago.

The cyber security pioneer ran through about a dozen different corporate password creation policies from a variety of companies and concluded, "These rules don't make anything more secure." Even the longest and most complicated password is useless if it falls into the wrong hands.

Cheswick offered instead his "non-moronic password rule": A password should be an alphanumeric combination that a family member or friend can't guess in five tries, and it should be complex enough so a person can't figure it out by watching you type it one time. If you need a reminder, rather than writing down the password itself, write down something that will remind you of the password.

It's also important to weigh the value of the information you are protecting. Cheswick breaks this down to three levels. The "who cares?" category is for any account that simply provides access to information, such as an online subscription to The New York Times. If someone steals the password, the most they can do is read the publication or perhaps fill out a survey, so feel free to reuse passwords for these sites.

Other accounts deserve more protection and their passwords should be created and guarded more carefully. On one level are accounts where it would be "inconvenient" if a password were stolen, but the consequences (i.e. someone ordering a book via your Amazon.com account) could be rectified with some effort. Accounts demanding the highest level of protection are those that enable you to access bank accounts, trade stocks or otherwise deal with financial matters.

Of course, the bad guys have all sorts of ways of stealing your log-in information, and many of these thefts are no fault of the password holder, Cheswick said. Some of the most common ways for passwords to be stolen are through keystroke loggers, phishing attacks and password database hacks.

Keystroke loggers are typically installed on a person's computer without their knowledge when they download software or images from unsavory or compromised Web sites. Phishing attacks are delivered via e-mails purporting to be from your bank, credit card provider or some other seemingly trusted source. Clicking on links in these bogus e-mails takes you to equally bogus Web sites created to resemble a bank or credit card company's site. When you try to log in, your information is captured. Hackers often attack password databases (such as those maintained by financial institutions or Internet service providers) directly, where they can steal dozens or even hundreds of passwords.

In these cases, much of the security burden falls on your bank, Internet service provider or whomever else is in charge of protecting your information. One way for them to improve security is to limit the number of password guesses, locking an account if the limit is exceeded. Unlocking such accounts should also be carefully thought through. If a Web site offers a secondary question for authentication, that question should be related to the password rather than you yourself, Cheswick said, noting that it's not too difficult to figure out the "maiden name" of a person's mother.
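One way a service can implement the guess limit and lockout described above, shown as an added Python example (not code from the talk or the article). The user store, the limit of five guesses, the lockout window and the injectable clock are all constructed assumptions for illustration.

```python
import hmac
import time
from dataclasses import dataclass

# Constructed demo credential store. A real service stores salted password
# hashes, never plaintext; plaintext is used here only to keep the example short.
USERS = {"alice": "correct horse battery staple"}

MAX_FAILURES = 5           # guesses allowed before the account is locked (assumption)
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts before guesses are accepted again


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Counts failed guesses per account and locks the account when the limit is hit."""

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable clock so lock expiry can be tested deterministically
        self.state = {}

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        st = self.state.setdefault(username, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if st.locked_until:
            st.failures, st.locked_until = 0, 0.0   # lock expired: start a fresh window
        expected = USERS.get(username)
        # Unknown users are counted too, so probing for valid usernames is throttled as well.
        if expected is not None and hmac.compare_digest(expected, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def unlock(self, username):
        """Manual reset, to be called only after an out-of-band identity check."""
        self.state.pop(username, None)
```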

Image courtesy of Potapova Valeriya via iStockPhoto.com

Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots.
