Today is Saturday February 13, 2010

Archive for February, 2010

It really is up to you!

If there is to be peace in the world,
There must be peace in the nations.

This is from TechRepublic contributor Chad Perrin, who is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

In “How does bad password policy like this even happen?” he addressed the deep question of what goes through someone’s head when he or she creates password policy that makes little or no sense and substantially damages security. The case in point was that of Nelnet, which had a comically bad password policy with restrictions that make no reasonable sense at all. For instance:
It can’t contain two separated numbers (i.e., Abc12ef34 would be invalid)
Perhaps the developers are deathly afraid that someone will have 4+7 in a password and somehow cause SQL to do something dangerous with it. If the database is so brittle as to be incapable of handling something like that, even when special characters such as plus signs are disallowed anyway (another golden example of bad policy at the same site), we can be reasonably certain that the offending organization should not be trusted with any private data anyway.
What can be worse than such ludicrous password policy?
How about a slightly less ludicrous policy that is almost as bad for security and comes with a completely absurd, even insane, explanation for why the password policy is so bad?

This is the case of American Express, evidently. A customer received a thoroughly crazy customer service email explaining the reasoning behind a password policy limited to eight characters, with special characters prohibited. The most unbelievable thing about this entire situation is that the email reads like it was written by a Nigerian scammer, but it came from the American Express “Email Servicing Team.”
Key phrases illustrating the lunacy of the explanation include:
• We discourage the use of special characters because hacking softwares can recognize them very easily.
Presumably, this is meant to refer to keyloggers that might harvest passwords, but the fact of the matter is that detecting passwords is not dependent on the characters used. Key factors such as words (or non-word strings of characters) appearing out of context in the middle of other logged keypresses and time delays at either end of a single, relatively short string of characters are much more important for identifying passwords than whether an asterisk is typed.
• The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of “most common keys pressed.”
For commonality of keypresses to be used to statistically identify passwords, your passwords will have to be incredibly long. Otherwise, every time you type Xerox, the date or time, or an emoticon, someone trying to parse a keypress log is going to have to check to see if it is a password. Sorry — this part of the explanation is even less reasonable than the first quote.
This little gem of an email from Saturday has already spread like wildfire amongst online communities populated by people with an inkling of what “security” means, and the consensus is that whoever this person is, he or she does not know what “security” is. One can only hope that this person is making things up to BS a customer, rather than actually expressing official American Express “security” policy.
The alternative is too horrible to imagine. It’s like asking Sarah Palin to memorize the nuclear arsenal launch codes without writing on her palm.


An acquaintance of mine recently sent out an email to dozens of contacts. He advised that several of his friends had their email accounts hacked, and we all should be sure to use strong passwords and to ‘be careful.’

I thought about this and concluded that it was an attempt to heighten awareness, whereas all it did was remind people that there are bogeymen out to get you. I think we all already knew that.

What is perhaps more helpful is not just to scare people, but to give them a method for choosing passwords that are strong. They also need to be easy to remember. I know I have to keep an Excel spreadsheet to manage my passwords, as I’ve got at least a dozen unique passwords. This wasn’t by design. I feel greatly inconvenienced by sites that force me to follow rules that are arbitrary and sometimes silly (like not allowing repeating characters). But nowadays, any time ‘they’ want to justify their actions and policies without actually justifying them, they just wave the red flag of “Security Reasons” to stop any challenge to their authority, if not their wisdom.

Each business you deal with wants to impose its own idea of what your password should be. So, where I had been using a password that I remembered without fail, guess what: one day I attempted to log in to a site I used every day and was greeted with the message “For security reasons, all your passwords have been changed.” So I used the temporary password they sent me in an email and tried to establish a new password. Oh, they say, it’s too short. I lengthen it.

I kept getting messages on one site that annoyed me so much I stopped using them entirely. The messages were something like this:

  • “Oh, you can’t have repeating characters (I was using ’99’ as a part of the password).”
  • “Oh, you can’t use a special character.”
  • “Oh, you can’t use the same password you had six months ago.”

You get the idea.

To create a strong password, you are better off not using any word you’d find in a dictionary. Instead, try using a phrase, and use the first letter of each word. Then, end it with a special character (most systems allow ~!@#$%^&*()_+) or number (some systems force you to have a number, and most passwords are case sensitive, and the self-appointed acne-challenged video-game addicted Jolt-Cola swilling gatekeepers force you to use at least one uppercase letter).

I like Shakespeare, particularly Hamlet’s soliloquy. “To be or not to be, that is the question” provides me with the first part of a good password, to wit: Tbontbtitq. Then I add a #9 to the end and voilà, I have a beautiful password: Tbontbtitq#9. Or, you could try “Alas, poor Yorick! I knew him, Horatio.” for ApY!IkhH#9 – pretty cool stuff!!!!!!!!!!

Or, how about a stub “We the people of the United States of America” that equates to Wtpofusa#9

If you want to be really ingenious, try turning your phrase into numbers. Of course, this is easier with the letters a-j than the others.
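As an added example (not code from this post or from Manjoo’s article), the following Python applies the first-letter rule above to the two Hamlet phrases and appends the author’s #9 suffix. It then checks the result against the restrictions quoted on this page (Nelnet’s “no two separated numbers”, the unnamed site’s “no repeating characters”, and American Express’s eight-character, no-special-characters cap), and the keyspace_bits helper puts a number on the American Express explanation from the first post: capping length and banning symbols shrinks the brute-force search space rather than protecting anything. The detail that a trailing “!” is kept while commas and periods are dropped is an assumption read off the author’s ApY!IkhH example; the function and rule names are mine.

```python
import math
import re

# Trailing punctuation the post's own examples keep in the mnemonic
# ("Yorick!" contributes "Y!"); commas and periods are dropped.
# This is an assumption inferred from the post's ApY!IkhH example.
KEEP_TRAILING = "!?"


def mnemonic(phrase: str, suffix: str = "#9") -> str:
    """Build a password from the first letter of each word of a phrase,
    keeping each word's original case, then append a suffix that supplies
    the symbol and digit many sites insist on."""
    parts = []
    for token in phrase.split():
        token = token.lstrip("\"'(")  # ignore leading quotes/brackets
        if not token:
            continue
        parts.append(token[0])
        if token[-1] in KEEP_TRAILING:
            parts.append(token[-1])
    return "".join(parts) + suffix


# The restrictions quoted on this page, as predicates that return True
# when the password would be rejected by that rule.
POLICY_RULES = {
    "two separated numbers": lambda pw: re.search(r"\d\D+\d", pw) is not None,
    "repeating characters": lambda pw: re.search(r"(.)\1", pw) is not None,
    "special characters": lambda pw: any(not c.isalnum() for c in pw),
    "longer than 8 characters": lambda pw: len(pw) > 8,
}


def violations(password: str) -> list:
    """Names of the page's quoted rules that would reject this password."""
    return [name for name, tripped in POLICY_RULES.items() if tripped(password)]


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Brute-force search space, in bits, for passwords of exactly
    `length` characters drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for phrase in ("To be or not to be, that is the question",
                   "Alas, poor Yorick! I knew him, Horatio."):
        pw = mnemonic(phrase)
        print(f"{phrase!r} -> {pw}  rejected by: {violations(pw)}")
    # 8 alphanumerics (the American Express ceiling) versus 12 printable ASCII
    print(f"8 x [A-Za-z0-9]:      {keyspace_bits(8, 62):.1f} bits")
    print(f"12 x printable ASCII: {keyspace_bits(12, 94):.1f} bits")
```

Both Hamlet-derived passwords reproduce the post’s values (Tbontbtitq#9 and ApY!IkhH#9) and both would be rejected by the American Express rules for exactly the properties that make them stronger: they contain a symbol and exceed eight characters. The keyspace figures make the same point from the other side: eight alphanumerics give roughly 47.6 bits of search space, while twelve printable ASCII characters give roughly 78.7 bits.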

BTW – I’m going to be launching six new websites in the next 90 days. I’ve already bought some outstanding artwork from a chap on and am looking for more on a ‘devil’ theme. Email me if you’re interested in the topics of Chinese Astrology, Mayan Codes, or the Haitian Pact with the Devil.

CREDIT: Farhad Manjoo of published an article (“A foolproof technique to secure your computer, e-mail, and bank account,” by Farhad Manjoo, posted Friday, July 24, 2009) proposing phrase-based passwords. I doubt he was the first, but he was the first to articulate it in a well-written manner that made it easy to follow and implement the strategy outlined above. Go FARHAD!!

