Thursday, October 13, 2005

Mousepad Attacks and How to Beat Them

It’s 8:55 AM. You sit down at your desk with your Dunkin’ Donuts Turbo Ice Latte (with Splenda, not sugar), and start checking your email. The first one reads:

Dear valued employee,

Effective immediately, all passwords must be at least 12 characters long, contain no vowels, and contain at least 5 symbol characters. We think this is more secure. All current passwords will expire at 5PM. We appreciate your continued cooperation in keeping our company a secure place to work.

Thank you,
IT Team


Riiiight … next email. You go about your normal business, writing memos you hope nobody reads, sorting all your files by color, or whatever it is people do at work during the day. Five o’clock rolls around and, suddenly, your applications close and you see a big prompt: “PLEASE CHANGE YOUR PASSWORD:”.

“So they weren’t just pulling my leg,” you think. “Oh well... what was that requirement again? FIVE symbols?” Oh, a password generation button. That makes it easy!

xX@`5m,2’p9QL{_;

Oh sure, that’s easy to remember. How about a mnemonic? You heard that makes remembering passwords easier. “xenophobic Xylophones money backtick...” No, that won’t work. You’ve got it! Write it on a Post-It and stick it to the monitor! But, hmm, that doesn’t seem very safe. What if someone just walks by and reads it? You have sensitive data on this computer. Plus, that’s against corporate policy and you could get in trouble.

Aha! Write it on a Post-It, and then stick it to the bottom of your mousepad! Nobody will look there. Plus, you can discreetly check it without anyone noticing that you wrote down the password. Problem solved.

* * *

Let’s back up and look at what just happened. Somebody decided that four-digit passwords were not secure because they were too easy to guess (I claim that this is debatable, but that argument is for another time). In order to be secure, they argue, passwords must be X characters long and have Y characteristics. This makes them harder to break. It also makes them much harder to remember.

Security is not a technology problem. Security is a people problem.

People can’t, and shouldn’t be expected to remember long, random passwords with symbols in them. Maybe given practice, someone could eventually remember one password. But people are expected to remember dozens of these. Ideally, one for each account that they have. Your eBay password should be different from your Bank of America password, etc. Personally, I have at least 30 online accounts that I need to keep track of, probably more that I don’t even remember. And I’m expected to remember that many different passwords?

I don’t think so.

What to do? I could have one password and use it for everything. But is that a good idea? What if someone watches me type it? What if an evil librarian reads my password as I log into librarybooks-r-us.com and then uses it to wire money from my bank account? Clearly I don’t want the same password for everything.

I could write down all my accounts with the corresponding user names and passwords, and keep it in my wallet. This is not a bad idea. Most people are pretty careful about protecting their wallets. If your wallet is stolen, some bad guy somewhere now has your ATM card, credit card, and a whole lot of identification about you. Maybe your health insurance number is the same as your social security number. Congratulations, thief, you can now register credit cards in the victim’s name.

You can cancel your credit card, invalidate your ATM card, and get a replacement driver’s license. But what about all those passwords? You might not even remember what the accounts are, let alone their passwords. Here’s a trick: swap the first and last letters of the password when you actually go to type it in. So if your password was really “abcdefg”, you would write down “gbcdefa” on your cheat sheet, and not tell anybody your little secret. That’s a very simple way to scramble your passwords (it only holds up as long as the thief doesn’t know how to unscramble the code).

Even with a garbled cheat sheet, though, it’s still going to be annoying to type in xX@`5m,2’p9QL{_; every time you want to log in to librarybooks-r-us.com. That’s going to take at least 20 seconds to type in unless you’re a very fluent typist. If only there were a program out there that would let you:
  1. Store all your passwords, for any system, on the computer
  2. Prevent anyone from stealing or viewing the list of passwords
  3. Save you the time of typing the passwords in

Oh yeah, one more thing...
  4. Not cost you anything.

I bet you can guess what I’m about to say next. Password Safe is a free tool from Counterpane Systems (i.e. Bruce Schneier) that does just that. It allows you to type in the user name and password for any system, and it remembers them all. You can name each account/password pair and create groups of accounts. For example, separate groups for “Personal” and “Work”.

That covers requirement 1. For requirement 2, the entire list of accounts is encrypted by one master password. This becomes the one password that you have to remember. This is a good one to scramble and put in your wallet.

For requirement 3, you simply double-click on an account, and the password is placed in the computer’s clipboard. Now you can simply paste it into the password field. This lets you log in without even remembering the password, and without the full list ever appearing on screen. You wouldn’t want a list of all the passwords exposed while someone is watching over your shoulder.

And yes, it’s free.

Here’s where to get it: http://passwordsafe.sourceforge.net/
