Computer Users: Maybe It's Time to Change PSSWRD

By MALCOLM RITTER

Aug. 18, 1991 12 AM PT

ASSOCIATED PRESS

NEW YORK —

Soldiers have done it since ancient times. Children still do it when they set up secret clubs. But the computer age is showing that when it comes to choosing good passwords, people are pretty lousy.

So bad, in fact, that the federal government uses computers to create passwords for people. One password created by a government program: the allegedly pronounceable “lvb-shvx-o.”

Back to the drawing board.

A password is a secret string of characters used to prove a person’s identity to a computer or other machine, like a telephone answering machine or an automated bank teller. It is supposed to keep other people from gaining access by masquerading as the user.

When people choose their own passwords, they often think of something they can easily remember: the name of a spouse, child, cartoon character or cultural hero, the make of their car, their telephone or auto license number, even an obscenity. They also may spell some easily remembered word backwards.

Bad ideas, experts say.

“Unfortunately, the things they’re most likely to remember are also the things that other people are probably going to be more able to guess,” said Eugene Spafford, assistant professor of computer sciences at Purdue University.

He found that up to half the passwords made up by Purdue students were such standards as “Purdue,” the student’s first or last name, one of those names reversed, certain characters from science fiction novels, or names of rock bands or their members.

“If you’ve got the guy who’s walking around with a Def Leppard satin tour jacket most of the time, that may give you some ideas for passwords to try,” he said.

A study of industrial computer users found that passwords often could be easily guessed from a user’s “log-on,” the name a user goes by in the computer. If the log-on is ABC, for example, and one guessed ABC, ABCABC or CBA as a password, it worked in 8% to 30% of cases when neither users nor computer systems managers were security-conscious.

Experts say you don’t have to be guarding state secrets--or operating a giant mainframe--to benefit from a good hard-to-guess password.

“The kids down the block believe that any computer they don’t have access to is worth attacking,” said Spafford. “Any business that’s accessible is a likely target.”

So is any business that can have disgruntled employees who want revenge against a company that fired them or passed them over for a raise, he said.

For personal revenge or a bad practical joke, somebody armed with your password can destroy information in your files or send a nasty message to the boss and make it appear to have come from you, he said.

David Clark, a Massachusetts Institute of Technology scientist who led a recent National Research Council study of computer security, offers this advice: “If you were a dishonest man, could you imagine that the job you have would let you commit some part of a fraud” with computers? If so, you have good reason to be especially careful with things like passwords.

So how to choose a good password? One good rule is to avoid any English word. An electronic invader may well have a computer program that methodically runs through the dictionary in trying to guess a password.

Beyond that, experts say to use every character you can, because the longer your password, the harder it will be to guess by random letter combinations. You can mix letters, numbers and other symbols on the computer keyboard.

Passwords are generally easier to remember if they are pronounceable. Another strategy is to remember a phrase instead, using the first or second letters of its words as the password. “Fish gotta swim, birds gotta fly” would become “fgsbgf” or “iowiol.”

Once you choose a good password, change it a couple times a year. And don’t write it down. Spafford said that when he consults with employers on computer security, he often has found passwords written on a piece of paper stuck to the bottom of computer keyboards.

Don’t share your password with anybody if you can avoid it, Clark said. If you have to share, change it soon afterward. Many people who share their passwords to give a co-worker access to some computer files are reluctant to change it later, assuming that the colleague would take it as an affront, Clark said.

But what if you go on vacation, Clark asks, and that friend is wrongfully fired, and he wants to wreak some havoc on the computer system in revenge?

“People sometimes at that point stop and they stare at the ceiling,” Clark said.