Passwords: I hates them

By skepticlawyer

Over at Club Troppo, Jacques (our redoubtable admin) informs us that a bunch of not very nice internet types have hacked Sarah Palin’s Yahoo email account. This seems to be part of an ongoing attempt to prove that she improperly conducted government business using her private account, although it appears that there was nothing to find – pictures of her kids, and some emails back and forth with a staffer expressing concern over attacks in the media. The more serious issue is the ease with which her account was hacked. Among other things, her password was either ‘popcorn’ or her postcode and her security question was ‘where did you meet your spouse?’. Both are almost guaranteed – if a ‘not famous’ person suddenly becomes ‘famous’ – to invite hacker attention.

The worst version of this ‘sudden fame leads to compromised security’ story I’ve ever come across concerned Linkin Park frontman Chester Bennington. Bennington – reverting to the time before his band had made him a multimillionaire many times over – used ‘Charlie’ (his middle name) as his password to his email account. This allowed a cyberstalking fan into aspects of his life far beyond just email, and is much worse than what has happened to Palin. Even so, Palin’s situation is instructive, and something that really gets on my nerves. See, I actually can’t remember any but the very simplest passwords – or, rather, I can remember very difficult passwords, but only one at a time, and I need a couple of months and lots of practice to do so. The joys of dyslexia.

As I pointed out over at Troppo, I always hated the monthly requests to change passwords that used to come through at work – both JAG and at law firms. If anything, the constant requests for new passwords made my accounts easier to hack, rather than harder. Instead of remembering one fantastically difficult password, I just entered easier and easier passwords (and would routinely recycle passwords from elsewhere) so that I could remember them. Many of my passwords over the years have been as easy as ‘popcorn’, with ‘security questions’ based on all the standard stuff – partner’s name, where we met etc. It took ages for me to get permission to be allowed to keep my passwords for a longer period – and I’m sure the only thing that led to that was IT people constantly having to let me into my account when I’d forgotten my password and the security system had locked me out. I’ve also had the experience of having my ATM/Cashpoint cards swallowed (regularly – can’t remember PIN) and not being able to use my Frequent Flyer points (which also requires remembering yet another password). I have never asked for a PIN for my credit card (according to my personal banker, I am unique among her clients in this respect). This is for the simple reason that I know it would be different from my normal PIN, and thus impossible for me to remember.

I have also been ‘famous enough’ to have accounts hacked by anonymous randoms for various unsavoury reasons. That’s why I have no hotmail or yahoo accounts. I only ever have one working email address, and it always has a fiendishly difficult password that I have worked very hard at remembering (or have written down and stored in my wallet). I never use online banking, always conducting my business in person at the branch. It’s tedious, but something I simply can’t avoid if I’m going to keep my financial arrangements secure.

This willingness to write passwords down and store them in my purse may seem odd, but to be honest I’m less concerned about storing important stuff there. I do have – thanks to my martial arts experience – a much better chance of defending both my person and my property ‘in real life’. That’s not something I’m ever going to be able to do very effectively online, unless security providers are willing to allow me to use my own method.

In the long run, all I can say is bring on fingerprint/retinal/biometric account identification. It’s about the only thing that will allow me to do stuff online that other people take entirely for granted.

UPDATE: There is a very good account of what actually happened on Michelle Malkin’s site. Malkin, like the rest of us, managed to get the wrong end of the stick, but when set straight, published the very tech-savvy correction in full. Highly recommended.


  1. DeusExMacintosh
    Posted September 19, 2008 at 12:07 am | Permalink

    They could get her for misuse of government property, surely? (Bennington case)

  2. Posted September 19, 2008 at 12:39 am | Permalink

    First of all, it’s worth noting (like the pedant I am) that no digital security methods are absolute. It’s sad but true.

    My biggest problem with pretty much all online accounts with major companies is their insistence on having a security question (that seems to be one of the things that caught Palin out). Almost all details about one’s life are public – in the sense that someone other than you knows them – and therefore less secure than a password. So why they insist on allowing access to accounts based only on this ‘public’ information is beyond me. If someone wanted to it would be a snap to find out what my mother’s maiden name is – scary huh?

    My other big problem is, being a bit of a nerd, I’m constantly signing up for new accounts at every new Web 2.0 (or whatever) site that pops its head above the crowd. And as a result I regularly forget where I’ve signed up to things just to check ’em out.

    Enter: password management software. Some people doubt the wisdom of storing all your passwords in one file (no matter how well encrypted) – but somehow I’ve reconciled myself with the idea and now use KeepassX. I only have to remember one (quite complicated) password.

    I don’t even know my password for either of my internet banking accounts, or my Facebook account, or Twitter, or Geni, or…you get the picture. They are very long and very complicated.

    Whenever I sign up to something new I get a new, randomly generated, long password and store it in my KeepassX database (which is synched across all my computers). This has the added bonus that I now have a record of everything I’ve signed up for. No more losing track of all those abandoned accounts. Every once in a while I go through the list and close accounts for things I haven’t used since I first signed up.

    The only real downside to the whole arrangement is logging on somewhere using a computer which isn’t mine (which is usually a bad idea anyway) – I don’t have access to the database.

    I even keep non-internet related, important private information in there, and I’d recommend KeepassX. The other advantage of it is that it’s open source and relatively active as a project, so there are plenty of fairly skilled cryptographers looking for and ready to correct security flaws in the database encryption.

  3. Posted September 19, 2008 at 1:03 am | Permalink

    If there’s a Mac version, I’m so getting that, Simon. I’m really at my wits’ end with this password caper.

  4. Jacques Chester
    Posted September 19, 2008 at 1:51 am | Permalink

    Looks like there is a Mac version on their download page.

  5. Posted September 19, 2008 at 3:22 am | Permalink

    Yeah, there is a Mac version (that’s why I use it). The X stands for ‘cross platform’. There is a Keepass which is Windows only.

    I have both a Windows machine (at work) and a Mac at home. Using KeepassX on both with a synched DB file works a treat.

  6. Posted September 19, 2008 at 5:30 am | Permalink

    At work I got over the “change password” problem by putting a number at the end of the word and incrementing by one each time. But I have to write the number on the case of the computer to remember what it is.

  7. pete m
    Posted September 19, 2008 at 7:25 am | Permalink

    roboform is also good.

  8. abj
    Posted September 19, 2008 at 11:41 am | Permalink

    Bruce Schneier, well-known computer security pundit, also stores passwords in his wallet. From the Freakonomics blog,

  9. Posted September 19, 2008 at 1:08 pm | Permalink

    Great minds think alike SL.

    Deus, I think it was the reverse of private use of public property, more like taking work home. In this situation the crime may be a bit like exceeding the speed limit by 1 kph in excellent driving conditions to get a sick person to hospital.

    Incidentally on the topic of using email at work for private purposes, we are informed that ALL our emails in principle belong to the firm (actually the State government). This is no big deal for legitimate use (like the telephone) but we also have to certify at LOGON that we are not using the system for commercial purposes, violating harassment codes and a few other things.

    BTW I have been on extended leave for some weeks so this matter is academic just at present.

  10. Posted September 19, 2008 at 1:15 pm | Permalink

    So you don’t care about Chinese people getting into your email? Whoops, my mistake, they need to know the word as well as the number.
    My handwriting is bad enough to ensure that nobody else can read mine. Actually I can’t read it either, it is just a kind of visual prompt. But after this spell away I will probably have to grovel to the system manager to let me in and reset the password.

  11. DeusExMacintosh
    Posted September 19, 2008 at 7:52 pm | Permalink

    Rafe. Que?

  12. lomlate
    Posted September 20, 2008 at 1:16 am | Permalink

    I wonder if any of these password managers have windows mobile applications or iPhone applications. If you were able to bring up the password on your mobile phone then it would remove the issue of signing into a website when you’re away from your normal computer.
