Stump the Geeks

Stump the Geeks: No foolproof solution for protecting your online passwords

April 28, 2013 

Q. I’ve developed a method for creating IDs and passwords so I can store them without any encryption or hacking worries. I do the following:

1. I always use a base user ID such as MYUSERIDn and password as MYPASSWORDnn.

2. I simply change the “n” to any number for the ID and the “nn” to any number for the password.

3. Now I can store a Web site ID and password as, for example, “Macy’s 522.”

Say Macy’s wants me to set up a user ID and password. I would create my ID as MYUSERID5 and my password as MYPASSWORD22. Now I can bookmark the Macy’s Web site described as “Macy’s 522.” If you don’t know my basic structure, the “522” means nothing. My actual IDs and passwords are more complex than this example, but the concept is the same.

Am I lulling myself into a false sense of security, or is this scheme a viable solution?

Bob L., Raleigh

A. I’ve heard plenty of techniques for navigating the vast collection of usernames and passwords we’re all rapidly accruing, but this strategy, which makes use of the browser’s bookmarking capability, was new to me. So I put Bob’s approach to one of our regular experts, IBM Distinguished Engineer and IT Security Architect Jeff Crume.

Although Crume says this system is better than nothing, it’s not totally bulletproof.

“First of all, since only alphabetic and numeric characters are used, the number of possibilities an attacker would have to try in a brute force attack is not nearly as large as it would be if special characters (like *, &, !, %, $) and mixed case alphas were used,” Crume said in an email conversation. He added that length is a related concern, since longer passwords are harder to crack.

But Bob did point out that his passwords and usernames tend to be more complex – and Crume said that’s the magic word when it comes to account security.

“The key to better security with passwords is complexity,” Crume said. “Ideally, you want randomness created by a mixture of cases, alphas, numerics and special characters.”

Adding variability to both the password and the username does help with that complexity, since it vastly increases the number of combinations a brute force attacker would have to try.

But reusable schemes are also risky because, as Crume points out, anybody who discovers your credentials on one site might be able to crack the code for the rest. At the very least, it would give him or her a head start.
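To put numbers on the two points above, here is a short added calculation (example code written for this column, not anything Bob or Crume supplied). It assumes Bob's illustrative "MYPASSWORD" + two digits structure and compares the guess count an attacker faces when the base is unknown, when it has leaked from one site, and for a random password of mixed case and specials.

```python
import math
import string

# Alphabets Crume contrasts: single-case alphanumerics vs. mixed case plus specials.
ALPHANUM_SINGLE_CASE = len(string.ascii_lowercase + string.digits)        # 36 symbols
MIXED_CASE_WITH_SPECIALS = len(string.ascii_letters + string.digits
                               + string.punctuation)                      # 94 symbols

def guesses_random(length: int, alphabet_size: int) -> int:
    """Worst-case guesses for a uniformly random password of this length."""
    return alphabet_size ** length

def guesses_scheme(base_len: int, digit_slots: int, base_known: bool) -> int:
    """Worst-case guesses against a 'BASE + nn' password like MYPASSWORD22.

    base_known=True models the case Crume warns about: one site's credential
    has leaked, so the attacker holds the base and only the digits vary.
    Otherwise the base is unknown; it is assumed (as in the reader's example)
    to be single-case alphanumeric, so each of its characters adds 36 choices.
    """
    suffix_variants = 10 ** digit_slots
    if base_known:
        return suffix_variants
    return (ALPHANUM_SINGLE_CASE ** base_len) * suffix_variants

def head_start_factor(base_len: int, digit_slots: int) -> int:
    """How many times smaller the search becomes once the base is known."""
    return (guesses_scheme(base_len, digit_slots, False)
            // guesses_scheme(base_len, digit_slots, True))

def bits_of_work(guesses: int) -> float:
    """Express a guess count as bits, the usual way to compare keyspaces."""
    return math.log2(guesses)

if __name__ == "__main__":
    # Reader's example: 10-character base "MYPASSWORD" plus two digits ("22").
    unknown = guesses_scheme(10, 2, False)
    known = guesses_scheme(10, 2, True)
    rand12 = guesses_random(12, MIXED_CASE_WITH_SPECIALS)
    print(f"scheme, base unknown: {bits_of_work(unknown):.1f} bits")
    print(f"scheme, base leaked : {bits_of_work(known):.1f} bits")
    print(f"random 12-char mixed: {bits_of_work(rand12):.1f} bits")
    print(f"head start factor   : {head_start_factor(10, 2):,}x")
```

Once the base is known, a two-digit suffix leaves only 100 guesses per site, which is the "head start" Crume describes; the same 12 characters drawn at random from the 94-symbol alphabet sit near 79 bits.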

Managing true password complexity is tough. I’ve mentioned the use of a number of “vault systems” for storing large numbers of passwords in previous columns – a strategy Crume highly recommends.

But in my view, what users really need is a little help from site developers. As many writers and technologists have pointed out, the username-password system is broken. It will probably be a while before something takes its place completely, but two-factor authentication can do wonders in the meantime. This feature, already an option via the settings on Google and Facebook accounts, requires users to enter a special code sent to their mobile devices in addition to a username and password.

Most sites, even popular ones like Twitter, don’t offer this level of security. That fact was worth noting last week, when attackers gained access to the Associated Press Twitter account and broadcast a fake report about an attack at the White House. With more consumer pressure, it’s likely that two-factor authentication will become more common.

“When it does, I would recommend that this option be considered since it could have prevented the sort of situation that has been seen with a number of high profile Twitter feeds,” Crume said.

Send technology questions to stumpthegeeks@newsobserver.com. Please include your name, city and daytime phone number. Sorry, we can’t answer every question.
