
What's the password?

Posted Wednesday, April 14, 2010, at 4:38 PM

A guy named Cormac Herley, who is a Principal Researcher for Microsoft Research, says that looking at the big picture might lead one to believe that all this worry about keeping our computers secure could be a waste of time in the long run. I'll muddle his conclusions with the following scenario:

Let's say I'm an evil computer hacker. Let's say my name is Balthazar Squidge, because that sounds like a name Charles Dickens would make up for an evil computer hacker. Let's say I have a thin mustache and a goatee, because that is the facial hair fashion among evildoers who don't opt for the full bushy beard.

I want to gain access to your computer for purposes of doing evil, because being an evildoer, evil is what I do. How am I going to go about it? You're pretty savvy, after all. You've got all kinds of filters and blockers. Your passwords are seventeen letters long and include Cyrillic characters. Every time you want to log into a service you have to have your password reset, because even you don't know what your passwords are.

Well, I could use the enormous supercomputer in my underground lair to crunch through all possible character combinations until I turn up your passwords (after first trying "mypassword," because it's worth a shot). I could hire a beautiful Russian lady or ruggedly handsome Brazilian samba instructor to befriend you, slip something in your vodka martini and then, while you slump across your desk, download your hard drive onto a solid-state storage device sewn into one of her provocative foundation garments or one of his alligator shoes.

Or on the other hand, I could write seven lines of code that will email me all your passwords, then offer it to you for download inside a screensaver of a cute kitty. There. Mission accomplished and I can sell my supercomputer and use the money to wine and dine the beautiful Russian lady. The Brazilian can get his own girl. But I'll pour the drinks if you don't mind, vozlyublennyĭ.

Changing your password regularly only helps if someone gets your password and then waits until after you've changed it to try to use it; a thief who uses it right away is unaffected. And all that worry about keeping up with complex and secure passwords takes a lot of time, and leads to forgetting them, which takes up more time--yours and the IT person's who has to deal with you about it. Mr. Herley points out that from a strictly economic standpoint, time and effort expended in trying to prevent a security breach (which probably isn't going to happen anyway) can cost more than repairing the damage caused by the breach if it happens. Which it probably won't anyway. He says that the average user doesn't know enough about computer security...and doesn't need to.
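To put a number on that first point, here is a small added example (mine, not Mr. Herley's and not part of the original post). It assumes a simple model: the password is stolen at some uniformly random moment within one rotation period, the thief first tries it a fixed number of days later, and the theft happens only once (a keylogger that is still on the machine would simply steal the new password too, so the real benefit is lower still). Under those assumptions, the fraction of thefts a rotation schedule defeats is just the delay divided by the period, capped at one. The scenario names and delays are made up for illustration.

```python
import random


def rotation_benefit(rotation_days: float, attacker_delay_days: float) -> float:
    """Fraction of one-time password thefts that a fixed rotation schedule defeats.

    Model (an assumption for this example, not taken from the post): the password
    is stolen at a moment uniformly distributed within one rotation period of
    length R days, and the thief first tries it d days later. Rotation helps only
    when that first attempt lands after the next scheduled change, which happens
    exactly when the theft occurred within the last d days of the period, so the
    defeated fraction is d / R, capped at 1.
    """
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    if attacker_delay_days < 0:
        raise ValueError("attacker delay cannot be negative")
    return min(attacker_delay_days / rotation_days, 1.0)


def simulate_rotation_benefit(rotation_days: float, attacker_delay_days: float,
                              trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo check of rotation_benefit using the same one-time-theft model."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    defeated = 0
    for _ in range(trials):
        stolen_at = rng.uniform(0, rotation_days)
        first_use = stolen_at + attacker_delay_days
        if first_use >= rotation_days:  # password already changed by then
            defeated += 1
    return defeated / trials


# Constructed scenarios: how long the thief waits before using the password.
SCENARIOS = {
    "keylogger that emails the password at once": 0.0,
    "credential dump sold on after a week": 7.0,
    "thief sits on it for six months": 180.0,
}


def compare(rotation_days: float = 90.0) -> dict:
    """Benefit of a 90-day rotation policy against each constructed scenario."""
    return {name: rotation_benefit(rotation_days, delay)
            for name, delay in SCENARIOS.items()}


if __name__ == "__main__":
    for name, benefit in compare().items():
        print(f"{name}: rotation defeats {benefit:.0%} of thefts")
```

The kitty-screensaver thief in the scenario above uses the password the moment he has it, so the 90-day policy buys nothing against him; it only pays off against a thief who sits on the password for a good part of the rotation period.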

For instance, let's say you get hold of my Facebook password and bust into my account. Then you perpetrate a common Facebook scam: You send my "friends" a message, ostensibly from me, saying that I am in London and my wallet has been stolen, and you request that they please wire me $800 right away. This security breach will cause no great damage and net you no great return. If you think otherwise, you don't know my friends. Try "I need $800 for bail" instead and they might believe you. But they still won't send you the $800.

So I for one am going to relax a little about my passwords. In fact, "mypassword" sounds pretty good to me.

Don't tell any hackers.

Likely Stories
Ken Teutsch