Remembrance of Things Password

As I was working on last week's review, I had to test those two HP laptops on an old wireless network at the Post's offices "secured" with a 26-character WEP (Wired Equivalent Privacy) key.

Being 26 characters long, and being stored in hexadecimal notation (the numbers 0 through 9 and the letters A through F), these keys ought to defy any attempt at memorization. (The simpler, human-readable passwords of WPA-encrypted networks -- not to mention their much greater security -- explain why you should upgrade your network from WEP to WPA if you haven't already.)

And yet as I started to type this password for the fifth or sixth time in a row, I felt its random sequence of numbers and letters start to imprint itself upon my brain. I didn't input it enough times for those 26 characters to finish taking up residence inside my noggin, but I know it's possible: I once had the equally complicated WEP key for my home network memorized in full. (Let's see: 98141fefbe... oh, hell, I think I can still recite the thing. That's pathetic.)

Yesterday, I had the opposite experience when our office's foolish login-expiration policy -- the bane of my existence and Marc Fisher's alike -- forced me to come up with a new password. This policy's pin-headed requirements (if I remember them all correctly, the new password can't be one you've used in the last three years, can't be a word in the dictionary, must mix upper- and lower-case numbers, and must include at least one number and at least one symbol) essentially mandate something no one can remember without practice.

You can guess what came next: I wrote down the new password. It's saved on my phone, where I can look it up until I've succeeded in memorizing this phrase. Then I can delete that note, but only if I remember to do that!

What's the most esoteric password that's ever stuck itself into your head? What do you think you could accomplish with those brain cells if they weren't busy storing random strings of numbers and letters?

By Rob Pegoraro  |  June 17, 2008; 9:03 AM ET
Categories:  Digital culture  

Comments

I don't know if this is esoteric, but I still remember my CompuServe password from the 1980's and I closed my account there at least five years ago. stack*austere

Posted by: Art | June 17, 2008 12:30 PM

I remember a 16 digit credit card number from 20 years ago, when I called in to buy concert tickets.

Easy to remember password, that passes all the rules, for Marc Fisher:
Start with his last name: Fisher
Replace the "i" with a "!": F!sher
Append year and quarter (82): F!sher82.
Every three months change the quarter (to F!sher83, F!sher84). Next year, start off with F!sher81.

It has upper and lower case letters, numbers, a special character, is 8 characters long, is not subject to dictionary attacks, and, most importantly, is easy to remember. Seriously, all he has to remember is the quarter and year.

I've been running this plan for my basic password for close to 20 years now. That is, I have a standard password, which I vary for the situation. This also allows me to write down the password (in a file called "passwords") in a way I can figure out, but which others won't, such as, for example:
"The usual, ! for the first i, 1 for the second, append full year and 2 digit quarter, double first 2 letters."
"Mississippi" thus becomes "M!ss1ppi200802"

Posted by: wiredog | June 17, 2008 1:21 PM

Oops: "Next year, start off with F!sher81." Should be "Next year, start off with F!sher91."

Posted by: wiredog | June 17, 2008 1:22 PM

Longest password I've ever used was a line of poetry transliterated poorly from a non-Latin foreign language.

Posted by: dagwud | June 17, 2008 1:29 PM

I usually vent my spleen at the inane password policies (especially for non-financial logins.. I mean, rilly, why must my hairdresser's be more secure than my Schwab account?) with variations on wiredog's suggestion:

uB@st@rds1!

made me happy to type, for example. And the one time I had to call tech support, I gleefully told him my password and then said, "now, replace the As with..."

Posted by: Bush -- not related | June 17, 2008 4:29 PM

My favorite password is for my home router.
I take a combination of family names and birth years, in no particular order. This gives over a 20 character password that takes no effort to memorize for my WPA-encrypted network. Such a fanciful security measure!

Posted by: badness | June 17, 2008 4:38 PM

Yeah, that password policy is inane, but at least you guys don't have e-mail jail. This policy, found at Goldman Sachs, locks your e-mail account if you go over quota. Since the quota is relatively small and these people often receive hundreds of e-mails a day, many containing large (and useless) attachments, you can go into e-mail jail multiple times a day. Need to send an important e-mail to a client from your Blackberry when you are out of the office? Not if you are in e-mail jail!

I've yet to hear a compelling reason for this infuriating policy.

Posted by: slar | June 17, 2008 5:07 PM

The logins at Independence Air were our employee numbers. I still occasionally sit down at my desk at work in the morning and type in my IDE id before I realize it. I loved my job there.

Posted by: ~sg | June 17, 2008 8:19 PM

-sg: We loved your airline too... best flights to Piedmont Triad, NC from DC I've ever had! (US Airways always left something to be desired...)

Posted by: Jason S | June 17, 2008 9:03 PM

I can still remember the VIN from a '73 Dodge Dart that I haven't owned since 1977 (LH23G3R245809, for the record). I've tried forgetting it, but I guess my brain is running with a limited account and I'm not allowed access to that particular memory cell.

Posted by: Steve | June 17, 2008 9:52 PM

One problem with passwords is that they keep guilt-tripping us about how we are supposed to use a password which is easy to remember, but hard for someone else to guess. The human brain just doesn't work that way; a password which is easy to remember is easier to guess (assuming that you don't go through contortions).

Although the concept has its drawbacks, I have had good results with a PASSWORD UTILITY which stores passwords in your computer, encrypted and password protected. You simply copy and paste it into your bank account, or whatever. It will easily generate pseudo-random passwords which look like this: vO1CDQ92OaA3GIk6 (not an actual password). It is a strong password which would take centuries to crack, if not longer. You can easily generate a gazillion passwords, each different from the others. The utility I use is "Password Safe," written by security expert Bruce Schneier. One drawback is that it can be difficult to move the executable file from one computer to another.

Thomas L. Jones, PhD, Computer Science

Posted by: Thomas L Jones, PhD | June 18, 2008 12:21 AM

r0bpe60rar0 is my favorite esoteric password.

Posted by: Nea1 Stephens0n | June 18, 2008 9:00 AM

Given physical access to a Windows computer I could crack any account passwords on it which are only letters and numbers in about an hour, using nothing but freely downloadable software. More complex passwords are possible with sufficient disk space and money for the better rainbow tables. Chances are most people's Windows account password is the same password they use for everything else...

In organizations with no password policy at all, many people will use stupid things like their username or "1234" as their password, all easy to guess. And weak passwords have historically been one of the biggest causes of security breaches (if not the biggest).

I'm not a fan of password expiration either, but it's a crutch put in place because the security of a password cannot be guaranteed. Given sufficient time, eventually one of an organization's many employees will use a computer infected with a keylogger to check their email, or some other stupid event which compromises that password with no way of anyone knowing (and it only takes one). Unfortunately, using simple numeric changes to a base password circumvents this protection because the rules for how the numbers change can be easily guessed (I admit, I'm guilty of this one too!)

I think the real solution is to move away from passwords entirely and toward a universal token- and/or certificate-based authentication mechanism. But even those systems will have their share of challenges, and an increased risk of fraud, unless the user community is trained in the different security measures they need to take.

Posted by: BR | June 18, 2008 9:25 AM

Rob ---- I just went to the Dell and Toshiba sites....no more laptops with XP!! Dell's last day is today. Toshiba's is on June 30. Argggghhhh. Can you provide any hope for those of us wanting to buy a laptop with XP for someone -- in September!?!?

Thanks!

Posted by: rjrjj | June 18, 2008 12:57 PM

I'll submit my usual comment about using Bruce Schneier's PasswordSafe on my PC, and its Java cousin PasswordSWT on my OSX Mac (they both use the same encrypted database).

http://passwordsafe.sourceforge.net/

Remember one password (make it good!) and you have access to the encrypted userids & passwords in the Safe.

Much better than literally writing down the passwords, or 'hiding' them on a yellow sticky under your keyboard.

Chris

Posted by: chrisviking | June 18, 2008 2:12 PM

Looks like Verizon full use of Newsgroups is a thing of the past. I got this from Verizon yesterday.

Dear Verizon Online Customer,

As a Verizon Newsgroup service user, we wanted to let you know about some important changes that we will soon be making to our Newsgroup service.

On June 24, 2008, we will be modifying our Newsgroup offerings to only offer groups in the Big-8 Newsgroup hierarchies, which are listed below. The 0.verizon.* newsgroup hierarchy will also continue to be available. Users will not be able to post or download from any other newsgroups using our Newsgroup service.

comp.*
humanities.*
misc.*
news.*
rec.*
sci.*
soc.*
talk.*

More details regarding the Big 8 newsgroup hierarchies are available at: http://www.big-8.org/.

This change will not affect your Internet access service. If you would like to subscribe to newsgroups other than those we offer, you will need to subscribe to a separate commercial news service. Please note that your use of any such service is still subject to our Terms of Service and Acceptable Use Policy.

There are no changes required to your software, but you will need to unsubscribe from all Newsgroups other than the Big 8 hierarchies and the 0.verizon.* hierarchy noted above. The following link explains how to subscribe and unsubscribe in Outlook Express:

http://support.microsoft.com/kb/171190

IMPORTANT: If you continue to subscribe to unsupported newsgroups, you may experience poor computer performance and slow throughput speeds. Failure to unsubscribe may also interfere with the functioning of the Verizon network or use of the network by other Verizon users, which is a violation of our Acceptable Use Policy.

We appreciate your business and look forward to continuing to serve you in the future.

Sincerely,


Verizon Online

Posted by: Dave - Harrisburg PA | June 18, 2008 2:24 PM

I like to take a word and a number sequence and intersperse them... so

375408 (our phone number in Rio in the 50s)
Brasil

B3r7a5s4i0l8

Change the a to @ or the i to ! if required.

But really like wiredog's suggestion.

Posted by: Rosie Win | June 18, 2008 2:28 PM

Out of frustration I have also resorted to the "vent your spleen" method, such as thisisriduculous, notagain, rukidding? or inserting the entity's name into the blank for ___sucks!

I would be dead without Roboform. It is a lifesaver!

I would say that 98% of any given website I access throughout the day requires a login and password. And that may not be quite so bad if you also didn't have to provide your name, address, phone, etc just to get access to read the darn site. Why do I have to "register" with each website and decline their newsletters and special offers, etc just to get a login? Especially since once I actually get past the front gate I may not even want to go there again?
I usually resort to fictitious info such as 1313 Mockingbird Lane (Munsters). Which in itself is just stupid because the sites just want the blank space filled in rather than having actual correct data. All they are doing is forcing us to find ways around it than supply legitimate info.

Posted by: OU812 | June 18, 2008 6:01 PM

Another strategy I use is to spell the letters of one password to get a new one. So axc36! becomes ayexsee36!. If you plan ahead and use strings like bang or dot then you can also reverse the mapping. I now have a suite of alternatives that my fingers can try without involving my brain at all.

Posted by: Pat | June 19, 2008 12:42 PM

The F!sher technique would not work on some of the systems I have used, which in addition to the above-listed requirements, also required that your password not have more than three characters in a row in common with any previous password (specifically to keep you from doing this kind of thing where if someone knows your password once, they can guess it going forward).

I have typically used either a life event or holiday in the vicinity of the password change. Like if it's around Easter, it might be Eggs23, or nearer St. Patrick's Day it might be Green17. Substituting numbers for letters makes these better.

Posted by: dn | June 19, 2008 3:18 PM

Rob;

just do this:

1. let ABCDEFGH be your favorite passwd (not really strong ..)

2. insert a `0' somewhere - say right in the middle: ABCD0EFGH

3. by the same token, let HGFE0DCBA be a second password, "sufficiently distant" from the first (let's call it `temporary', for reasons we see in a moment);

4. next time you are asked to change your passwd, you may not plainly put a `1' in place of the `0' of the first passwd, since it is your passwd client that checks for "sufficiently distant" passwds. And clients can do this, because they have the old/new passwds cleartext (you typed them both, on request);

4. so you type in the temporary passwd, which turns out good.

5. tomorrow you change again the passwd.

If you type ABCD1EFGH nobody should complain: neither your client, since the new passwd is sufficiently distant from the temporary one that you typed yesterday (HGFE0DCBA); nor the server, since it has access (or it should have access) only to the passwd hash - which by definition transforms strings close to one another (as ABCD0EFGH and ABCD1EFGH in fact are) into very distant ones.

6. next time you are requested to change the passwd, your temporary will be HGFE1DCBA, and so on.

Got the trick? What have you obtained? You can keep your favorite passwd (well, 2 passwds) for a long long time, by just alternating them and incrementing a little number from time to time.

It should work. If it doesn't, and somebody complains that - say - ABCD0EFGH (your FIRST passwd) is too close to ABCD1EFGH, your THIRD passwd, ... well perhaps somebody is keeping cleartext passwds in the wrong place.

bruno

Posted by: Anonymous | June 20, 2008 9:15 AM
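
An added example, not from the post or any commenter: BR's point about guessable numeric changes and the question in the last comment of what a server holding only hashes can compare both come down to one check. The sketch below stores only salted hashes and, at change time, hashes counter-style variants of the proposed password against the history; the function names, the +/-3 step and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 20_000  # constructed demo value; production systems use a much higher cost

def hash_password(password, salt=None):
    """Return (salt, digest); only this pair is stored, never the cleartext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def matches(candidate, record):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hash_password(candidate, salt)[1], digest)

def variants(password, step=3):
    """The password itself plus copies with one digit run moved by up to +/-step."""
    out = {password}
    for m in re.finditer(r"[0-9]+", password):
        number, width = int(m.group()), len(m.group())
        for delta in range(-step, step + 1):
            if number + delta >= 0:
                digits = str(number + delta).zfill(width)
                out.add(password[:m.start()] + digits + password[m.end():])
    return out

def too_close_to_history(new_password, history):
    """True if the new password or a counter-style variant hashes to a stored entry."""
    return any(matches(v, rec) for v in variants(new_password) for rec in history)

if __name__ == "__main__":
    # Constructed history, using the sample strings from the comments above.
    history = [hash_password(p) for p in ("ABCD0EFGH", "HGFE0DCBA", "F!sher82")]
    for attempt in ("ABCD1EFGH", "HGFE1DCBA", "F!sher83", "Green17"):
        verdict = "rejected" if too_close_to_history(attempt, history) else "accepted"
        print(attempt, verdict)
```

The check only catches the transformations it enumerates: a change outside the +/-3 window, such as F!sher82 to F!sher91, passes, and every extra variant costs one more hash per history entry.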

The comments to this entry are closed.


© 2010 The Washington Post Company