Q. I've developed a method for creating IDs and passwords so I can store them without any encryption or hacking worries. I do the following:
1. I always use a base user ID such as MYUSERIDn and password as MYPASSWORDnn.
2. I simply change the n to any number for the ID and the nn to any number for the password.
3. Now I can store a Web site ID and password as, for example, Macys 522.
Say Macys wants me to set up a user ID and password. I would create my ID as MYUSERID5 and my password as MYPASSWORD22. Now I can bookmark the Macys Web site described as Macys 522. If you don't know my basic structure, the 522 means nothing. My actual IDs and passwords are more complex than this example, but the concept is the same.
Am I lulling myself into a false sense of security, or is this scheme a viable solution?
Bob L., Raleigh
A. I've heard plenty of techniques for navigating the vast collection of usernames and passwords we're all rapidly accruing, but this strategy, which makes use of the browser's bookmarking capability, was new to me. So I put Bob's approach to one of our regular experts, IBM Distinguished Engineer and IT Security Architect Jeff Crume.
Although Crume says this system is "better than nothing," it's not totally bulletproof.
"First of all, since only alphabetic and numeric characters are used, the number of possibilities an attacker would have to try in a brute force attack is not nearly as large as it would be if special characters (like *, &, !, %, $) and mixed case alphas were used," Crume said in an email conversation. He added that length is a related concern, since longer passwords are harder to crack.
But Bob did point out that his passwords and usernames tend to be more complex, and Crume said that's the magic word when it comes to account security.
"The key to better security with passwords is complexity," Crume said. "Ideally, you want randomness created by a mixture of cases, alphas, numerics and special characters."
Adding variability to both the password and the username helps with that complexity though, since it vastly increases the number of combinations a brute force attacker would have to try.
But reusable schemes are also risky because, as Crume points out, anybody who discovers your credentials on one site might be able to crack the code for the rest. "At the very least, it would give him or her a head start."
Managing true password complexity is tough. I've mentioned the use of a number of vault systems for storing large numbers of passwords in previous columns, a strategy Crume highly recommends.
But in my view, what users really need is a little help from site developers. As many writers and technologists have pointed out, the username-password system is broken. It will probably be a while before something takes its place completely, but two-factor authentication can do wonders in the meantime. This feature, already an option via the settings on Google and Facebook accounts, requires users to enter a special code sent to their mobile devices in addition to a username and password.
Most sites, even popular ones like Twitter, don't offer this level of security. That fact was worth noting last week, when attackers gained access to the Associated Press Twitter account and broadcast a fake report about an attack at the White House. With more consumer pressure, it's likely that two-factor authentication will become more common.
"When it does, I would recommend that this option be considered since it could have prevented the sort of situation that has been seen with a number of high profile Twitter feeds," Crume said.
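To make Crume's two points concrete, here is a short Python script added to this column (it is not Bob's method, Crume's code, or anything from the column itself). It compares the brute-force search space of a 12-character password drawn from uppercase letters and digits against one drawn from the full printable set, and then plays the role of an attacker who has recovered two of Bob's credentials from two sites: it infers the fixed base and the number of variable digits, and counts how many guesses are left for a third site. The two credential pairs are constructed for the example and only imitate the MYUSERIDn / MYPASSWORDnn pattern described above.

```python
import math
import os
import string

# Constructed sample credentials modelled on the column's MYUSERIDn /
# MYPASSWORDnn pattern. Hypothetical values, assumed to have leaked from
# two different sites.
LEAKED_USERNAMES = ["MYUSERID5", "MYUSERID3"]
LEAKED_PASSWORDS = ["MYPASSWORD22", "MYPASSWORD71"]

UPPER_DIGITS = string.ascii_uppercase + string.digits                     # 36 symbols
FULL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(charset: str, length: int) -> float:
    """Bits of search space for a uniformly random string of `length`
    symbols drawn from `charset` (log2 of len(charset) ** length)."""
    return length * math.log2(len(charset))


def infer_template(samples):
    """Attacker's view after seeing several credentials from one person.

    Returns (fixed_prefix, digit_count) if every sample is the same fixed
    prefix followed by the same number of digits, otherwise None."""
    prefix = os.path.commonprefix(samples)
    # Digits that happen to agree across samples (e.g. '...22' vs '...21')
    # belong to the variable field, not the base, so peel them off.
    while prefix and prefix[-1].isdigit():
        prefix = prefix[:-1]
    suffixes = [s[len(prefix):] for s in samples]
    if not suffixes or not all(x.isdigit() for x in suffixes):
        return None
    if len({len(x) for x in suffixes}) != 1:
        return None
    return prefix, len(suffixes[0])


def residual_guesses(user_samples, pass_samples):
    """Username/password pairs left to try for a new site once both
    templates are known, assuming the digit fields are chosen
    independently. None if either template cannot be inferred."""
    u = infer_template(user_samples)
    p = infer_template(pass_samples)
    if u is None or p is None:
        return None
    return 10 ** u[1] * 10 ** p[1]


if __name__ == "__main__":
    pw_len = len(LEAKED_PASSWORDS[0])
    print(f"blind brute force, upper+digits, length {pw_len}: "
          f"{entropy_bits(UPPER_DIGITS, pw_len):.1f} bits")
    print(f"blind brute force, 94 printable symbols, length {pw_len}: "
          f"{entropy_bits(FULL_PRINTABLE, pw_len):.1f} bits")
    print("inferred username template:", infer_template(LEAKED_USERNAMES))
    print("inferred password template:", infer_template(LEAKED_PASSWORDS))
    n = residual_guesses(LEAKED_USERNAMES, LEAKED_PASSWORDS)
    print(f"guesses left once the scheme is known: {n} ({math.log2(n):.1f} bits)")
```

The blind numbers are what Crume's first remark is about: 36 symbols at length 12 gives about 62 bits, 94 symbols gives about 79 bits. The second half is his "head start" in practice: once two credentials reveal that only one username digit and two password digits change, a third site's login is one of 1,000 pairs (under 10 bits), regardless of how long the fixed base is.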
Send technology questions to firstname.lastname@example.org. Please include your name, city and daytime phone number. Sorry, we can't answer every question.