Passwords: How to better manage them?

Passwords are like the common cold: they induce headaches, no one is immune, and there is no cure in sight.

But they are necessary in this era of digital data, where everything from paying bills to passing notes to sharing photos is done online through user accounts that require some proof that you really are who you say you are. The need for passwords to be both easy to remember and difficult to guess poses what we all know as the password problem.

"This is a horrible problem," said Bruce Schneier, chief technology officer of BT Counterpane, who has written about the situation on his own blog. "Passwords have largely outlived their usefulness."

Still, despite the consensus on the need for a new way to handle online authentication, not much has changed with passwords in more than a decade. Indeed, the issues are exactly the same as they were in 2002, when CNET News last tackled this issue.

"Nothing has been able to overcome the ease of use and affordability of passwords," said Chris Wysopal, chief technology officer of security firm Veracode. "Passwords are all stored internally using the same algorithms of 10 years ago, so password crackers still work and fundamentally haven't had to change," either.

"There is no other technology that is remotely as simple to use on the server side," said Paul Kocher, president of Cryptography Research. "There is a downside. While the convenience is great, our brains aren't wired to keep track of long passwords."

What has changed is the fact that millions more people are using the Internet, storing more and more sensitive data and having to remember more passwords, making the password problem exponentially worse. As a result, most people reuse the same password, which puts their other accounts at risk.

The average computer user has 6.5 passwords, each of which is shared across 4 different sites, and has about 25 accounts that require passwords, according to Microsoft research published last year (PDF).

Each person types in an average of eight passwords every day, the report said.

This means we end up with a laundry list of Web sites, usernames, and passwords to remember. Many people write them down, either in a notebook on their desk or on sticky notes affixed to their computer screen. That might work at home, until an unscrupulous visitor snoops around and decides to see how easy it is to access your bank account. The practice is even less safe at work.

Bruce K. Marshall, a security consultant who founded PasswordResearch.com, writes on his blog that it's OK to write down a new password on a piece of paper to keep in your wallet. But, he says, you shouldn't include the Web site or any other identifying information, and it should be destroyed within a few weeks, once it has been committed to memory.

Many security experts admit that they distinguish sites that require a strong password, such as Amazon.com or PayPal, from sites that don't, like those of The New York Times or a hobby blog. An easy-to-remember password is fine to reuse on the sites that don't host sensitive information, but unique, strong passwords should be used for each of the more sensitive sites, they say.

"One of the things I do is come up with a scheme in my head to permute the password based on the site," Wysopal said. "The simplest thing to do is to tack on a couple of letters to an already strong password for every site you use."

Passphrases, sequences of words, or other text --like "i hate to golf"--are harder to crack than passwords because they are longer. But they can't be used at a lot of sites because of limits on the length of the password.

Thirty to 40 characters would be optimum, while 15 characters is considered a minimum for a strong password, according to Wysopal.

Mixing in uppercase and lowercase letters, and using numbers and symbols, greatly increases the strength of the password or passphrase. For example, "i hate to golf" can be improved by changing it to "1H82G@lf!"

Meanwhile, using words that can be found in a dictionary, even in a foreign language, increases the chance that a password cracker could figure it out, and using pet names, initials, and other personal information is easy for someone--even a stranger with some basic information--to guess.

Chris LoVerme, a technical-operations director for a technology consulting and services firm, suggests on his blog using a math phrase, such as "Ten*10=1000!" because it won't be in a dictionary and would be hard to crack with a brute-force attack, in which a program tries to logically guess the password using every conceivable sequence.

There are also basic good practices that can help people keep their passwords safe, regardless of how strong they are. People should not send their passwords over e-mail or type them into shared computers such as those at Internet cafes and airport lounges, where a keystroke logger could be surreptitiously recording everything you type, Microsoft suggests.

You can test the strength of your password at this Microsoft page.

Choosing the password is only the first step; you've got to remember it. You can have the computer do that for you by setting the browsers to autofill usernames and passwords for you, but this isn't recommended for high-security passwords. You have to set this for every computer you use, and if the computer crashes, the information can be lost forever.

Another option is to use a password manager, software that securely stores the passwords and respective accounts on the user's computer for handy reference. One example is Password Safe, a free, open-source Windows utility Schneier created that protects the passwords in one spot using strong encryption. You just need to remember one password to open it up. But you have to be using the computer on which it's stored to use it.

There's also Passpack, a password-saving service that recently released a Passpack Desktop that exists separate from the browser and lets people manage passwords while offline. The consumer version is free.

Another option is Roboform, software that sells for about $30 that memorizes and stores usernames and passwords the first time they are used and then automatically supplies them thereafter. Then there's Agatra, a free service that securely stores passwords online so they are accessible from anywhere.

Then there's LogOnce Toolbar, a free password manager plug-in for Internet Explorer that stores the information locally or on a remote server and lets you access the passwords from different computers.

Despite early optimism about graphical authentication systems, in which a user clicks on a picture rather than typing in a password, there haven't been many implementations. The reason could be partly due to the fact that they are vulnerable to shoulder surfing, as anyone walking by can see what a user is doing on the screen.

Microsoft hasn't given up on graphical passwords yet. The company funded research on graphical authentication on handhelds at Newcastle University, published last year, that was found to be 1,000 times more secure than ordinary text passwords and easier to remember. In the test, users drew an image, and the software recalled the strokes and the number of times the pen was lifted.

Microsoft also is doing research on something called Inkblot Authentication, which helps users select, remember, and differentiate strong passwords.

Bank of America and Yahoo, which both use password authentication, are additionally using graphical systems, primarily to protect customers against phishing attacks by offering a way to prove that the site is really that of BofA or Yahoo. Yahoo's personalized sign-in seal program lets you submit a photo or image that will appear whenever you log in to the site.

With Bank of America's SiteKey system, customers choose from a set of images and look for that image to be displayed whenever they log in. However, research has found that the SiteKey system is vulnerable to a so-called "man-in-the-middle" attack.

Passwords are the most common type of authentication method. They are used to prove to the system that you know something secret that the authorized person would know. The passwords (like pet names) that you shouldn't use are not to be confused with the challenge-response questions that sites ask you as an added layer of security, such as, "what was the name of your first pet?" and "what's your mother's maiden name?"

There's also two-factor authentication, which combines a password with something you have, such as a smart card or a random number-generating token that offers a one-time password. And then there is three-factor authentication, which includes biometrics-like fingerprint, voice and iris scanning, or even keystroke analysis. They are are designed to prove who you are.

While fingerprint readers are in some laptops, biometrics won't be mainstream anytime soon because of implementation costs and a lack of demand for consumer applications, experts say.

But tokens are gaining some traction. Primarily delegated to the corporate world because of their cost (about $40 per user) and infrastructure needs, they are growing in appeal as computer users get increasingly frustrated and paranoid about their online activities. For instance, complaints about account hijacking and other security concerns led the makers of World of Warcraft to recently start offering an electronic token device for $6.50 as an added layer of security for fans of the online role-playing game.

A cheaper, analog version of a token is the "bingo card," a wallet-size card that has a unique grid of rows and columns with randomly generated number-and-letter combinations in each cell. After logging into a system, a user is asked to provide the data in a particular cell.

Another authentication type that is starting to get some use in limited applications is designed to show where you are based on the certificate in the cable or DSL modem someone uses to connect to the Internet. However, because it is location-based, you could only use it, for things like Web banking, from your home.

"Cisco and Nortel are getting into using location as a factor of authentication," said David Miller, chief security officer for Covisint, an identity broker that oversees data access services for industry groups and government agencies. Covisint is in talks with Comcast about implementing a location-based authentication service for its customers, he said.

"We could say this ID can only be used from this authenticated point," he said. "For someone to hack into my account, they would have to break into my house."

There are all sorts of centralized services that provide a single sign-on for multiple sites. Symantec's Norton Identity Client lets consumers manage different identities and passwords across the Web. With Windows Live ID service, people can log in to Microsoft and partner Web sites using one account.

Other options for corporations are systems such as Symark International's PowerKeeper appliance that offer a onetime password to employees for a specific task or time period. This not only eliminates the need for workers to remember passwords, but it could help prevent situations like that involving Lending Tree, in which employees allegedly gave customer passwords and other information to outside firms.

Some authentication systems for very sensitive data and transactions can be set to call the user's cell phone or send a text message seeking a verification, according to Matt Shannahan, senior vice president at AdmitOne Security, which offers a keystroke dynamics type of behavioral biometrics authentication product. There's also authentication software that checks to see whether a computer has been compromised or has other security problems before accepting a user's login, he said.

PasswordResearch's Marshall is surprised that the password problem persists while other, seemingly harder technology issues have been resolved over the years.

"I thought that in my lifetime, we'd see passwords disappear because there would be more secure alternatives," he said. "But they will continue to have a role, either as a primary or secondary authenticator. People are so familiar with them."