Thursday, February 7, 2008

Password Protection and Economics:

On a recent blog post Tim Harford’s, The Undercover Economist, answers a reader’s question:

Dear Economist,
I use the same password for all my e-mail and internet-portal accounts (online shopping, etc). Now I am worried about losing it to an identity thief. What should I do?
Confused Kid


Hardford gives some good suggestions for password creation (acronyms, song lyrics), but warns against writing passwords down. I think you can write your passwords down, you just need to put them in a code you understand. So for example if your password is (jenny8675309) on a piece of paper you put in your wallet write

369jenny86743097272

What the heck does this mean? It’s a password but jammed between a phone number that I know well (Papa John’s in the town I grew up in). Given the chances that someone finds this card in my wallet and can decipher it is really low, but now I can easily pull out the password.

Back to the economics of passwords. As passwords become more and more complicated, people are more likely to forget their password and need a reminder. They then have to call someone to reset their password, but that costs the company money. So instead they have invented security questions to recover passwords “What City did You Honey Moon in?” and “What is the name of your favorite pet”, with enough googleing these answers might be on the web. Josh Levin at Slate has an excellent article on the problems with these security questions.

3 comments:

rjgitter said...

For the uninitiated.

Tommy Tutone -Jenny 8675309 Lyrics

Jenny, Jenny, who can I turn to?
You give me something I can hold onto
I know you think I'm like the others before
Who saw your name and number on the wall

Jenny, I got your number,
I need to make you mine.
Jenny, don't change your number,
8-6-7-5-3-0-9 (8-6-7-5-3-0-9)
8-6-7-5-3-0-9 (8-6-7-5-3-0-9)

Jenny, Jenny, you're the girl for me.
You don't know me but you make me so happy.
I tried to call you before but I lost my nerve.
I tried my imagination, but I was disturbed.

Jenny, I got your number,
I need to make you mine.
Jenny, don't change your number,
8-6-7-5-3-0-9 (8-6-7-5-3-0-9)
8-6-7-5-3-0-9 (8-6-7-5-3-0-9)

I got it, I got it, I got it!
I got your number on the wall!
I got it, I got it, I got it!
For a good time, for a good time call....

Jenny, don't change your number.
I need to make you mine.
Jenny. I'll call your number,
8-6-7-5-3-0-9 (8-6-7-5-3-0-9)
8-6-7-5-3-0-9 (8-6-7-5-3-0-9)

Jenny, Jenny who can I turn to? (8-6-7-5-3-0-9)
For the price of a dime I can always turn to you.
(8-6-7-5-3-0-9)
8-6-7-5-3-0-9 (8-6-7-5-3-0-9)
8-6-7-5-3-0-9 (8-6-7-5-3-0-9)
8-6-7-5-3-0-9(//fade out//)
8-6-7-5-3-0-9
8-6-7-5-3-0-9
8-6-7-5-3-0-9

Will said...

That's not entirely true. If I'm a cracker and find that post-it in your wallet, I can guess that your password involves the word 'jenny'. That narrows the search space by a lot and makes it much faster for me to break your password.

A more secure and similar possibility is to have a base password (jenny8567309) that you modify based on the name of the company requiring a password. Or, slightly less secure, you can write down your password and modify every part of it.

Seth Gitter said...

Will,
thanks for your comment. I agree probably an extra step is needed. I don't have any post its in my wallet, but the number trick has worked well for me in the past.
I agree if you could remeber all your passwords contained "jenny" or better yet "j^nny!" as a base that would be better.

Its a hard to fine the right mix of encryption and ease.