Passwords… Locked Doors, or Minor Inconveniences?  
     
  Greetings, NSDCAR members!  
     
  Most of us, over the years, have adopted a default password or password scheme that we use over and over, in the many different places our digital lives have taken us. How safe is this practice? Well, that depends on the password, how long it's been in use, with whom we've ever shared it, and other social factors. It's a safe bet to say that somewhere in your digital domain, there's a password that could use some beefing up, some creative alteration, or a whole new choice, to help you keep your personal information, messages, and files safe from prying eyes and idle fingers.  
     
  What makes a good password? First of all, and the most stringent criteria for testing the effectiveness of any password, is that it cannot be found in any dictionary. Modern hacker toolkits always include a brute-force password hacking program. This is a hacking "engine", if you will, that can generate the entire contents of the fattest dictionary on earth and throw it against a password-protected interface, parsing the password "guesses" into elements that, when combined, become the full password solution, and allow the hacker to gain entry.  
     
  Here's an anecdote for you… I once managed a computer network for a large health insurance company. We had hired a special email system administrator who managed only our communications infrastructure, on his own set of Windows NT servers. This gentleman took a well-earned vacation, but forgot that his newest mail server had just been put online, and that he had not recorded or shared the password for it, prior to his departure. Of course, that was the server that crashed, about two days into his vacation. Rather than attempt to reach him in the remote wilderness he was visiting, I knew that we would have to "hack" our way into this well protected server. The only advantage we had was physical access to the machine, which, in this case, was paramount. Off to the Internet we rushed, and quickly downloaded a copy of one of the more popular hacking tool-kits for attacking Microsoft-based systems. Within 10 minutes, we had a list of every password for every user who'd ever logged into that server, and most important of all, we had the Administrator password that gave us full access to the system and all of its settings and data. It was a most educational exercise for me, and I have never used a simple, word-based password since. And, my hairline receded another full half-inch as a result of the exercise. I look back fondly on my ignorance prior to that incident, and heave a big sigh.  
     
 

Passwords, at best, are a minor inconvenience to an experienced hacker. Maximizing the inconvenience, and the time and effort required to circumvent the password, are about the best protection anyone can add to this recipe. It's simply done, it's effective unless and until you become a real target of a concerted hacking effort, and it protects against the idle curious, the experimenting "student" hacker, or the mischievous little nerd with too much computer at his disposal.

Here's how:

Never use any dictionary word in a password.

Mix it up… combine numbers, symbols, and letters in nonsensical combinations.

Build in a scheme that lets you vary the password in different applications, without having to memorize a huge number of unique combinations.

Consider, then implement, a "pass-phrase" strategy. Instead of a password, use a sentence, like, "My Dog Has Fleas". Mix in some numbers and symbols and you're set, and it's easy to remember!
 
     
  For example: Your dog's name is Truffles. Your wedding anniversary is June 23rd. Combining these two factoids into an effective password is easy: Tr6u2ff3les. Now, you have a relatively secure password, and it can be manipulated by simply moving the digits around to produce several variations: T6r2UF3fles, tRu6F23fLeS, t6RufF23les. You get the picture, yes?  And if, in a "senior moment", you forget which variation you've used on a given interface, it's pretty easy to try all the possible combinations until you arrive at the one you used.  
     
  Many folks who have a few extra "trivia" brain cells, a common trait amongst geeks, will get really clever with their use of letters and numbers, using the number '3' as a substitute for 'E', and the number '6' for 'G', and so on. So, if your first name were "Geoffrey", your password might look like this: 63o44r37. That's "Geoffrey" spelled with numeric substitution. Pretty secure, not likely to be quickly guessed, and one could easily mix up the numeric elements to produce easy-to-remember variations, once again.  
     
  Of course, the big issue with passwords, for all of us, revolves around that one weak moment when we don't want to take the time to stop and log in to a computer, especially for one of our office-mates, or a relative who just needs quick access to something on the web, or whatever reason; we give our password away, and then fail to change it immediately afterwards. In office environments, the exchange and sharing of passwords often becomes a matter of expediency and convenience. The issue seems, on the surface, a minor one… "I trust that person, it's just a company computer, after all". How would any of us feel if our bank decided that gee, everyone who works here has a human resources file, and golly, we trust everyone that's in the building, so let's just leave the vault open all the time.  I'm not putting my hard-earned lucre in THAT vault!  Principles and habits can save us, or put us out of business… it's up to the individual.  
     
  Take a few moments, right now or real soon, and design a password "scheme" for your continued use, then STICK TO IT!  Make it a personal integrity issue that you just don't share your password with anyone, for any reason.  
     
 

Finally, the other end of the password journey, and the final act of ANY secured transaction... LOG OFF!!!  If you log into a system in your office, then go about your day with all your data exposed via your active user account, you might as well not bother with the passwords, in the first place.  And remember, if someone in your office does something criminal, using your account, it's traceable back to... YOU!  Use a password-protected screensaver, on a short timer, to protect your open desktop from idle eyes and fingers.  Who knows... that might be MY social security and bank account number on your screen, sitting there on display for anyone walking, standing, or just passing through within a few yards.  Until there's a gang of "deposit dreadnaughts" running around putting money INTO bank accounts, I'd rather not have that information exposed... how 'bout you?

  
     
  Your Association Staff have a watchword for 2006… it's "accountability".  Take a moment or three to become accountable for the safety and security of your digital gold-mine, and "safen up" those passwords, today!