What's the Password?

I can’t remember when I started using passwords. In college, I had email and mainframe accounts that had passwords, but I don’t think they were new to me then. I certainly had a PIN for my ATM card by that point. And I’m pretty sure I used voicemail passwords in high school. And before that, even as far back as fifth grade, we had locker combinations, which are very much like passwords.

These days, of course, I have lots of passwords. I have different passwords for each of my seven email accounts. Then, there are all the online services, online banking and credit card sites, blogs, social networking tools, and a host of other places where I need to prove my identity by typing in a password. They’ve become so commonplace that we take them for granted. Even our elementary students have passwords, and most of them don’t have any trouble remembering them. They’re a very convenient way to prove who we are.

But the convenience comes with a price. If someone has my password, he or she can become me online. If my computer is set to remember my email password and someone else uses that computer, they can read my email and send email from me. If a student standing over my shoulder picks up my password by watching me type it in, he can then log in to my network account and access my files. If my PayPal password is easy to guess, anyone can access that account and make purchases on my behalf.

When talking about passwords, I’m reminded of the adage that passwords are like underwear:

  • change them often
  • don’t share them with friends
  • the longer, the better
  • don’t leave them out where people can see them.

Last week, we had an incident where an impostor accessed several of our staff members’ accounts. They were able to read email, delete files, and generally wreak havoc with these accounts. It’s still unclear whether the passwords were compromised by a student seeing them typed, or by someone who happened to guess well. But there was a common thread: all of the passwords involved were fairly weak. One was a four-digit number. Another was the staff member’s last name. I sent an email to all staff strongly encouraging them to change their passwords immediately. I also referenced a Lifehacker article by John Pozadzides on weak passwords. It was amazing how many of our staff members’ passwords could be compromised in a matter of minutes.

Many of them took my message to heart, and have changed their passwords to something a bit more secure. If you haven’t changed yours yet, here are a few tips for improving your password:

  • Don’t use your name, or the names of your spouse, children, or pets. Those are just too easy to guess.
  • Stay away from words that can be found in the dictionary. It’s pretty easy to do a “dictionary attack,” where hackers try all of the words and word combinations to get your password.
  • Mix upper- and lower-case. For the average password, changing some letters to upper-case will make the password 200 times harder to crack.
  • Use all of the characters. There are 102 keys on your keyboard, but only 26 letters. It’s okay to use punctuation, numbers, and even spaces in passwords. Throwing in some of these characters will make your password another 100 times harder to guess.
  • Use different passwords for different things. Our student records system uses different usernames and passwords from our network and email systems. In this case, that was very good. Whoever got access to these teachers’ accounts couldn’t access grades or attendance information.
  • Protect your email. Your email password is probably the most important one. Why? What happens when you go to an online site and you click the “I forgot my password” link? They email you a link that you can click on to reset your password. If someone has your email password, they can reset your passwords for many of the online services you use. So your Facebook / Twitter / YouTube / Flickr accounts might be in jeopardy if your email password is compromised.
  • Change your passwords. Certainly not every day. Probably not even every month. But once in a while, change your password. This is especially true if your school IT person just strongly suggested that you do so (hint, hint).
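
The tips above can be applied as a check at the moment a password is set. The following Python is an added example, not part of the original post; the sample wordlist, the 12-character minimum, and the function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample wordlist (assumption); a real check would load a full
# dictionary plus a list of commonly used passwords.
SAMPLE_WORDS = {"password", "welcome", "dragon", "teacher", "school"}
MIN_LENGTH = 12  # assumed threshold; the post only says "the longer, the better"

# Character classes a brute-force search has to cover (95 printable ASCII total).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def charset_size(pw):
    """Size of the alphabet implied by the character classes the password uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))

def search_space_bits(pw):
    """log2 of the number of same-length candidates over that alphabet."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def audit(pw, personal_names=()):
    """Return which of the tips the password violates (empty list = none found)."""
    problems = []
    lowered = pw.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    if any(name.lower() in lowered for name in personal_names if name):
        problems.append("contains a personal name")
    # Strip digits and punctuation first, so "Password1" is still caught.
    if lowered in SAMPLE_WORDS or letters_only in SAMPLE_WORDS:
        problems.append("dictionary word")
    if pw.isdigit():
        problems.append("digits only")
    if pw.isalpha() and (pw.islower() or pw.isupper()):
        problems.append("single case, letters only")
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    return problems

if __name__ == "__main__":
    # Constructed candidates mirroring the two weak patterns from the incident.
    for candidate in ("4821", "smith", "Password1", "Blue kettle; 47 ferns!"):
        found = audit(candidate, personal_names=("Smith",))
        bits = search_space_bits(candidate)
        print(f"{candidate!r}: ~{bits:.0f} bits, {found or 'no problems found'}")
```

The bit count only means something when `audit` returns an empty list: a name or dictionary word is found from a wordlist long before a search over the full alphabet would reach it.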

Despite their shortcomings, passwords are still the most convenient way of proving our identity. We just need to take a little care in making sure we get as much security out of them as we can.