MIND-NUMBING CODES
SOARING NEED FOR PASSWORDS BREEDS
CONFUSION, DANGER
THURSDAY, January 13, 2004
Section: BUSINESS
Page: E1
By: Julie Hinds; Knight Ridder Newspapers
HIGH TECH
-- In the old days, the only people who
had to worry about passwords were movie spies and contestants on
Allen Ludden's game show.
Not anymore. There are now so many
passwords in daily life, a person can be forgiven for feeling
confused, frustrated and slightly overwhelmed by them.
You have to remember a password to get
money from an ATM. Ditto for checking your phone messages
through voice mail. If your home is protected by a security
system, you may have to punch in a password for that, too.
And computers? Don't even try to count the
number of passwords related to the Web. You need them to sign
on, open e-mail, shop online, track your mutual funds or make an
investment.
With so many log-in IDs, access codes and
personal identification numbers, you need to keep them safe.
Just last month a group of teenagers
infiltrated a computer at a company in the Sacramento suburb of
El Dorado Hills and went on a nationwide hacking spree that
included stealing passwords from Pacific Bell Internet customers
and attempting to break into the networks of two federal nuclear
research laboratories.
And you need to keep the passwords
straight to avoid the pangs of password overload.
Melanie Brown experienced it recently. The
26-year-old project manager for a Bloomfield Hills, Mich.,
technology company was looking online for cheap fares to Sweden
and decided to join three frequent flier plans.
To sign up, she was asked to create three
passwords. No problem. Not, that is, until the next time she
visited the sites.
''I remembered the passwords, but I didn't
remember which one was which,'' Brown said. ''I just said forget
it and decided to wait for the information in the mail.''
Ed Coury is familiar with password
overload, too. He estimates he has 25 passwords at work alone.
Throw in the ones he has used once or twice to navigate the Web
at home, and his password total is more like 100.
So much for simpler times, when all you
had to memorize were your Social Security number, a few phone
numbers and, if you were young enough, the combination to your
locker.
In today's world, passwords are
proliferating, especially on the Web, and more are on their way.
The more e-commerce grows, the more passwords you'll need to get
in on shopping opportunities.
Of course, passwords do more than boggle
the mind. They protect privacy, restrict access and preserve the
confidentiality of all kinds of online transactions, from e-mail
messages to bill payments.
That all sounds good for consumers, in
theory. But in practice, it's tough on human memory.
Humans rely on context to remember, said
Colleen Seifert, a psychology professor at the University of
Michigan and a specialist in cognitive science.
''If you remember where someone lives, you
can drive there pretty easily, but it's harder to remember the
specific street address,'' she said. ''It's easier to remember
something that has meaning. It's harder to remember something
that's random.''
That's why our natural instinct is to
choose passwords that are personal, such as names or birthdays.
We're also tempted to use the same password for everything.
Security experts warn against both those
strategies. Personal passwords are easier for pranksters and
scam artists to crack. And having only one password is like
getting a master key and leaving it under your porch mat.
But such warnings haven't made that much
difference, says Joe Ahmed, a network computer security manager
for Ameritech and founder of his own information
technology-security consulting firm, Corbant, in Ann Arbor.
In a recent study for a client, Ahmed
found that the majority of Internet users rely on only one
password. Although he doesn't recommend that strategy, he
understands why it's popular.
''People are just swamped,'' he says.
''They have so many log-in IDs and passwords to remember, they
do a cost-benefit analysis of trying to remember them all and
decide it costs too much in brainpower.''
Security experts say that the more people
use the Internet, the more security will become an issue.
For example, a computer at InnerCite Inc.,
an Internet service provider in El Dorado Hills, was infiltrated
by a group of teen hackers who then used the machine as a
gateway to break into 26 other Internet service providers and
Internet-related sites. They swiped 63,000 customers' passwords
from Pacific Bell's Internet service but failed to do any
serious harm, officials said.
Still, customers were ordered to change
their passwords.
Complicating matters in keeping track of
passwords are Web sites that dictate what kind of password you
can employ.
''A lot of them push you not to have just
letters, because they want you to put in symbols, to make it
harder to crack,'' says Gene Graber, who's president of the Ann
Arbor Software Council, a nonprofit group that promotes the
software industry in that area. ''Or they have a policy that
they want you to change your password every six months.''
Most sites are prepared for forgotten
passwords. They'll send you an e-mail reminder or allow you to
reregister under a new password.
Some software programs also are trying to
help with password overload. They offer systems that will
encrypt and store multiple passwords.
Graber prefers a low-tech filing method.
He makes a printout of new passwords the first time he enters a
site, then stores the printouts in a folder.
Kurt Riegger, who works for an Ann Arbor,
Mich., company that enhances Web sites, stores about 50
passwords in his Palm Pilot, where he can access them with a
separate password.
Though long-term solutions to password
overload are on the way, the problem is likely to get worse in
the short run.
''This is just the beginning ramp of the
curve,'' said Paul Bartlett, an Internet producer at Organic, a
Bloomfield Hills firm that helps build global businesses online.
''It's going to get more complicated, the more businesses that
get online. It's going to be a great business opportunity for
the person who solves it.''
Robert Weiss, president of Password
Crackers, a Web-based business that recovers lost passwords for
desktop systems, describes password overload as a growing pain
for the Internet.
''The solution will be there,'' he said.
''Over the next 10 to 20 years, the whole nature of computing
will change, and passwords will change along with it.''
Already, several high-tech remedies are
emerging. Smart cards are one of them. They're sort of like a
credit card with a chip inside. Every time you enter a secured
site, you could swipe your smart card through a reader and
verify it with a single password.
Another option: biometric devices that
rely on fingerprint or retina scans to verify a person's
identity. The debate already has started over the sticky privacy
issues they raise.
Bee staff reports contributed to this
story.
© The Sacramento Bee