By Paolo Chlebecek
Happy Password Day!
Well, it’s that time of year again for all of us to celebrate our collective need to protect our digital lives with yet another holiday. What?! You mean you haven’t heard of Password Day? Well, I must admit I just made it up, but maybe there’s something to this idea.
Anyone who knows me knows I don’t celebrate holidays, but this is one I’ll take the time for. Why? Well, you don’t have to buy anyone anything, you can set any date you like, and all you have to do is stay home for a little while and change ALL of your online passwords. Doesn’t sound fun? Anything can be as fun as you make it, but this “holiday” may become mandatory as we keep hearing about massive password and hacking breaches.
This so-called holiday should probably come around more than once a year. In fact, many large corporations have a policy that obliges you to change your passwords every 60 to 90 days. Sound extreme? Perhaps, but it only helps if you change each password to a completely new and complex one. A 2010 study by researchers from the University of North Carolina at Chapel Hill found that frequent mandatory password changes push users into a pattern called “transformation”: instead of inventing a new password, they take the old one and alter it in some minor way, such as bumping a number or swapping a character. Given a user’s expired password, the researchers’ algorithm could predict the replacement with a high degree of accuracy, in many cases within a handful of guesses. Math is amazing, isn’t it?
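To make the “transformation” idea concrete, here is an added example (not from the column or from the UNC study): a toy predictor that takes the password a user was forced to retire, enumerates the small edits people usually make, and reports how many such edits away the replacement is. The transform list, the depth limit and the sample passwords are constructed for illustration; the real study used a far larger and data-driven set of transforms.

```python
"""
Added example, not from the column: a toy "transformation" predictor in the
spirit of the 2010 UNC Chapel Hill study. The transform list and the sample
passwords are constructed for illustration, not taken from the study.
"""
import string

# Assumed list of popular character swaps; the study's set was much larger.
LEET = (("a", "@"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$"))


def transforms(old: str) -> set[str]:
    """Return the one-edit neighbours of `old` that users commonly pick."""
    cands: set[str] = set()
    # 1. Change a trailing number: Summer12 -> Summer13 / Summer11 / Summer
    stem = old.rstrip(string.digits)
    tail = old[len(stem):]
    if tail:
        n, width = int(tail), len(tail)
        cands.add(f"{stem}{n + 1:0{width}d}")
        if n > 0:
            cands.add(f"{stem}{n - 1:0{width}d}")
        cands.add(stem)  # drop the number entirely
    # 2. Append a digit or a popular symbol
    for ch in string.digits + "!@#$":
        cands.add(old + ch)
    # 3. Toggle the case of the first letter
    if old[:1].isalpha():
        cands.add(old[0].swapcase() + old[1:])
    # 4. One leet substitution at a time
    for src, dst in LEET:
        if src in old:
            cands.add(old.replace(src, dst, 1))
    # 5. Move a trailing digit/symbol to the front: Summer12 -> 2Summer1
    if old and not old[-1].isalpha():
        cands.add(old[-1] + old[:-1])
    cands.discard(old)
    return cands


def transformation_depth(old: str, new: str, max_depth: int = 2) -> int:
    """Breadth-first search over transforms. Returns the number of edits
    needed to turn `old` into `new`, or 0 if `new` is not reachable within
    `max_depth` edits (i.e. it is not a simple transformation)."""
    frontier, seen = {old}, {old}
    for depth in range(1, max_depth + 1):
        nxt: set[str] = set()
        for pw in frontier:
            nxt |= transforms(pw)
        nxt -= seen
        if new in nxt:
            return depth
        seen |= nxt
        frontier = nxt
    return 0


if __name__ == "__main__":
    # Constructed sample: one expired password and three candidate replacements.
    old = "Summer12"
    for new in ("Summer13", "Summer13!", "Tq7$vLm9pQ"):
        d = transformation_depth(old, new)
        verdict = f"predictable in {d} edit(s)" if d else "not a simple transformation"
        print(f"{old} -> {new}: {verdict}")
```

Run as-is, the script flags “Summer13” as one edit away and “Summer13!” as two, while the random string is not reachable at all. A password-change form that ran a check like this against the user’s previous password (it has it, since the user just typed it) could reject the predictable replacements before an attacker gets to try them.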
What about a password manager, you say? I’ve mentioned those before, but every password manager has one critical weakness by necessity: if someone or something manages to get hold of the master password, they have all of your passwords to everything. Or, worse yet, a vulnerability in the manager itself is found and exploited without your ever knowing. That is why the master password has to be the strongest, and least reused, secret you own.
This doesn’t sound encouraging, does it? Frankly, no, it’s not. So let’s do away with passwords altogether! How? Introducing Pico from MyPico.Org, a University of Cambridge project that aims to replace passwords very soon. The informative video on the site explains how a small physical device, the Pico, could rescue all of us from the dreaded password abyss. In brief, it uses a combination of safe zones and other, smaller devices that detect your presence and then allow the Pico’s encrypted key to unlock your bank account, for example. It is still under development, and we hope to see it widely implemented by the end of the year. Others, like EveryKey.Com, are available now and do something similar.
What about biometrics? Fingerprints are not as secure as we’d like to think, and one fingerprint alone isn’t enough. Google, for one, is seriously looking into this option. Biometrics can include the shape of your face and your voice pattern, as well as less obvious signals like how you move, how you type and how you swipe the screen. With a service continually running in the background, the phone can keep checking whether those indicators still match you. Even facial recognition, now built in to many smartphones, is significantly less secure than a fingerprint scanner, according to Google’s own metrics. But combining all of these signals could result in something more than 10 times as secure as a fingerprint.
But is the solution to our technological problems more technology? Not necessarily. How about GRC.Com/OffTheGrid.Htm or PasswordCard.Org/En? They offer a simple way to give every important site you visit its own random password. The idea is simple but ingenious: print a card or sheet, keep it with you, and read your complex, random passwords off it whenever you need to type them into your various accounts. PasswordCard.Org can regenerate the card even if you lose it. Since only you know which line and pattern you read from, and nothing is stored on any computer, it is very hard to crack. The one caveat is that the card itself is now the secret, so guard it as you would a house key. As the Gibson Research site says: “Even though we can no longer live ‘off the grid’ at least our passwords can!”
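To show how a printed password card works, and why the card must stay private, here is an added example (not from the column, and not the actual algorithm of PasswordCard.Org or GRC’s Off The Grid). A seed string deterministically expands into an 8-row by 29-column grid, which loosely mirrors PasswordCard.Org’s layout; the SHA-256-based derivation, the direction set and the seed value are assumptions of this example. A password is read from a chosen row, column, direction and length, and the same seed regenerates the same card, which is exactly why the seed needs to be kept as private as the card.

```python
"""
Added example, not from the column and not PasswordCard.org's or GRC's code:
a toy password card. The grid derivation below (SHA-256 counter mode with
rejection sampling) is an assumption of this example.
"""
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
ROWS, COLS = 8, 29                               # assumed card layout
DIRECTIONS = {"right": (0, 1), "down": (1, 0), "diagonal": (1, 1)}


def make_card(seed: str) -> list[str]:
    """Expand `seed` into ROWS strings of COLS characters each."""
    chars: list[str] = []
    counter = 0
    while len(chars) < ROWS * COLS:
        block = hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
        for b in block:
            if b < 248:  # 248 = 4 * 62: rejection sampling avoids modulo bias
                chars.append(ALPHABET[b % len(ALPHABET)])
    return ["".join(chars[r * COLS:(r + 1) * COLS]) for r in range(ROWS)]


def read_password(card: list[str], row: int, col: int, length: int,
                  direction: str = "right") -> str:
    """Read `length` characters starting at (row, col) in `direction`."""
    dr, dc = DIRECTIONS[direction]
    out = []
    for i in range(length):
        r, c = row + dr * i, col + dc * i
        if not (0 <= r < ROWS and 0 <= c < COLS):
            raise ValueError("password runs off the edge of the card")
        out.append(card[r][c])
    return "".join(out)


def positions(length: int) -> int:
    """Number of distinct passwords of `length` that someone holding a copy
    of the card (but not knowing your reading position) would have to try."""
    total = 0
    for dr, dc in DIRECTIONS.values():
        rows = ROWS - dr * (length - 1)
        cols = COLS - dc * (length - 1)
        total += max(rows, 0) * max(cols, 0)
    return total


if __name__ == "__main__":
    # Constructed seed for illustration; a real one must be kept secret.
    card = make_card("example-seed")
    print("     " + "".join(f"{c % 10}" for c in range(COLS)))
    for r, line in enumerate(card):
        print(f"row {r} {line}")
    print("bank  :", read_password(card, 2, 5, 10, "right"))
    print("email :", read_password(card, 0, 11, 8, "down"))
    print("positions an attacker with the card must try for length 8:",
          positions(8))
```

The last line is the security point: with the card in hand, an attacker has only a few hundred starting positions to try for an eight-character password, so the scheme is only as strong as your ability to keep the card (and the seed that regenerates it) out of other people’s hands. Without the card, the characters are effectively random, which is what makes the passwords strong against the usual guessing attacks.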
Extensive research continues on this issue, and it’s a major source of concern for companies small and large. And there’s no perfect solution. So what now? Well, changing and managing passwords need not be a full-time job. But until a better answer arrives, we may need to be ever more vigilant and keep our new Password Day holiday, at least a few times a year, for just a little while longer.
Paolo Chlebecek is founder and owner of PaoloTek, which he started in 2003. He loves to be helpful to people and our animal friends. Feel free to contact him at Paolo@PaoloTek.Com.
Sadly, this is Paolo Chlebecek’s last column for
We wish him and his the best of luck.
The first time I met Paolo, he was wearing a Star Trek uniform. I don’t remember if his regalia indicated he was the science officer or the captain, but I took an instant liking to him. (Even if his uniform was from the original series, not TNG.)
Technology is ubiquitous and yet, for many of us, the closest thing to magic in this world. Paolo was able to unpack that, explain it in terms that neophytes and even luddites could appreciate, and share practical tips and advice.
Thank you, Paolo, for your patience and helpfulness.
You’ll be sorely missed.
~ Nicholas DeMarino