#1LinerWeds: Say the secret woid…

A recent article in the Washington Post talks about the research of two men, Marjan Ghazvininejad and Kevin Knight at the University of Southern California, who think they’ve found the solution to the tricky problem of creating passwords: randomly-generated poems.

The inspiration for Ghazvininejad and Knight’s study was actually a cartoon, created by Randall Munroe of Xkcd, which showed how a password made up of four random words – like “correct horse battery staple” – is far more secure and a lot easier for people to remember than the typical jumble of random letters, numbers and symbols that most people think of as a secure password.

There is a website that will generate sample two-line poems for you. They caution that the poems might not be that secure, as a hacker could conceivably download all the poems and try them, but they show what can be done.
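To put numbers behind the cartoon's claim (and behind the caution about a downloadable poem list), here is an added example, not code from the original post, the researchers or the xkcd cartoon. It computes the entropy of a four-random-word passphrase against a random character string, generates both with the OS random source, and shows why a generator that can only produce a short list of outputs is weak no matter how long each output looks. The small word list and the 1,000-guesses-per-second rate are constructed assumptions; the 2,048- and 7,776-word list sizes are the common-word and diceware-style sizes, not figures from the article.

```python
import math
import secrets
import string

# Constructed sample word list for the demo. A real list is far larger:
# roughly 2,048 common words (what the cartoon's 44-bit figure assumes)
# or 7,776 words in a diceware-style list.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "garden", "pencil",
    "window", "rocket", "silver", "maple", "thunder", "violet", "anchor", "meadow",
]

# 94 printable ASCII symbols: upper, lower, digits, punctuation.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy, in bits, of word_count words drawn uniformly (with replacement)
    from a list of list_size words."""
    return word_count * math.log2(list_size)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of a length-character string over alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, word_count: int = 4, sep: str = " ") -> str:
    """Pick words with secrets.choice (OS CSPRNG); random.choice is not suitable
    for anything used as a credential."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def generate_random_string(length: int = 12, alphabet: str = PRINTABLE) -> str:
    """The 'jumble of letters, numbers and symbols' style, generated properly."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_search_half(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Expected time to search half the key space at an assumed rate of
    guesses_per_second (1,000/s is a constructed, throttled-online figure)."""
    return (2 ** bits / 2) / guesses_per_second


def compare() -> dict:
    """Entropy of the schemes the post contrasts, in bits."""
    return {
        "four_words_2048_list": passphrase_bits(4, 2048),      # 44.0 bits
        "four_words_7776_list": passphrase_bits(4, 7776),      # about 51.7 bits
        "random_8_printable": random_string_bits(8, len(PRINTABLE)),   # about 52.4
        "random_12_printable": random_string_bits(12, len(PRINTABLE)), # about 78.7
    }


def downloadable_list_bits(distinct_outputs: int) -> float:
    """If a generator (for example a poem site) can only ever emit
    distinct_outputs different strings, an attacker who downloads them all
    faces only log2(distinct_outputs) bits, whatever the strings look like."""
    return passphrase_bits(1, distinct_outputs)


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:24s} {bits:6.1f} bits  ~{seconds_to_search_half(bits):.3g} s at 1k/s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("sample random string:", generate_random_string())
    print("one of 100,000 downloadable poems:", downloadable_list_bits(100_000), "bits")
```

The takeaway the numbers make concrete: four words from a 2,048-word list equal a little under eight random printable characters in strength, and the gap closes to nothing with a 7,776-word list, while a fixed list of 100,000 poems is worth under 17 bits, which is why the site's caution is warranted.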

Anyway, it’s an interesting idea, although many websites’ password rules might make them impractical.

Linda Hill runs One-Liner Wednesday, not to be confused with the One-Line Wednesday someone else is running on Twitter. She has the rules and a list of the participants at her blog.

Security Tip: Don’t Hide Your Passwords In A Folder Named “Passwords”
Did you see this yesterday? Evidently someone hacked into Sony’s computer system and found the passwords for the social media accounts for all of their movies (we’re talking about Facebook, Twitter, MySpace – I guess it’s still a player, at least as far as Sony is concerned – and YouTube) in a folder called “Passwords.”

I got a huge laugh out of it, then I realized it’s probably a lot more common than anyone cares to believe. I knew a guy who kept all of his credit card numbers in a password-protected Excel spreadsheet. Not a bad idea on the face of it, except all of the card information was visible while he was typing in the password. Other people have sensitive password information on Post-It Notes stuck to their computer monitor. Others have a sheet of paper in a folder in their desks.

I’ve started using LastPass’ password-generation routine. It generates a random string of characters (upper- and lower-case letters, numbers, and symbols) and stores them in your vault. It then populates the user ID and password fields automatically for you, so a keystroke logger can’t capture the password when you type it. I honestly don’t know the password for sites like my bank, my PayPal account, or my credit card payment sites. I’m starting to do the same thing for the non-crucial sites as well, like Papa John’s and some of my bulletin boards, places where I’d been using a simple password like one of my cats’ names and a few digits.

But passwords only work well when you change them frequently, and the tendency is to use something that you can remember, and to use it just about everywhere, and leave it at that. There’s always the worry that you’ll be on someone else’s computer and need one of the passwords and not remember what it is. That can be a problem: if someone hacks my Gmail account and I’m using the same password for it and my bank, that person could clean me out.

Some companies like Google use a two-step verification system: after you type in your password, they send a text message or call you with a validation code that you need to enter to access your account. I worked with a company that gave my group a keyfob that generated a random number you would use for a password, that was only good for three minutes. Still other services require you to have a USB “key” to access their systems.

We could soon see technology that uses fingerprints, retina scans, voice prints, and other biometric information to secure our accounts. Until then, you might want to consider a password manager like LastPass (Googling “password manager” gives you a list of them). Or you could use a random password generator like the one at Random.org to generate a strong password.

Just, whatever you do, don’t keep your passwords in a folder called “Passwords.”

Do you have a unique way of coming up with passwords? Have you used any technology like a keyfob or a USB key?