Passwords
Passwords have been very much in the forefront of my mind these last couple of days. First, RIT is requiring everybody to change their DCE (yes, I know that’s not the official term anymore, but everybody still uses it) password. The password must be between 8 and 15 characters long (that’s inclusive, but they don’t tell you that), it must contain a mix of upper and lower case letters, start with a letter, contain no recognizable words or dates, not contain your username, and – here’s the kicker – consist solely of letters and numbers. No special characters.
Let’s back up a sec. There are a lot of ways to create tough passwords, but one of my favorites is this: Take any phrase – from a poem, a song, a quotable movie line, whatever – and then use the first letter of each word. Massage it a little bit, and hey, presto! you’ve got your difficult-to-crack password.
Here’s an example: One of my favorite poems is “The Cremation of Sam McGee” by Robert W. Service. It starts out:
There are strange things done in the midnight sun by the men who moil for gold
Take the first letter of each word, substitute a ‘1’ for the ‘i’ in “in,” capitalize Midnight Sun, substitute a ‘4’ for “for,” and there’s a great password:
tastd1tMSbtmwm4g
Oh – before you get all excited, all of the samples I use here are NOT passwords I use anywhere real, so calm down.
I have used a number of examples over the years:
A!wyccd4y-Awycd4yc (Ask not what your country can do for you – ask what you can do for your country – ! for “not” is a programmer’s thing)
Mhall,1fwwas – Mary had a little lamb, its fleece was white as snow
SIct2asd? – Shall I compare thee to a summer’s day?
B,s!Wltywb? – But, soft! what light through yonder window breaks? (actually, I don’t like this one as much, as there’s no easily remembered number in it)
Notice that all but one of these have special characters in them. All of my real passwords have special characters in them, too; it makes them much, much harder to crack when you factor in the permutations involved in adding the whole special character set to the regular alphanumeric characters. Unfortunately, as I mentioned above, RIT wants no special characters. Well, that’s not a big problem; I just selected a suitable phrase. But I wasn’t so lucky on Twitter.
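An added example, not part of the original post: a Python check of the sample passwords above against the RIT rules as this post describes them, plus the keyspace size with and without special characters. The username abc1234 is a made-up placeholder, and the "no recognizable words or dates" rule is not checked because it needs a dictionary.

```python
import math
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols
PRINTABLE = ALNUM + string.punctuation         # 94 symbols

# Sample passwords quoted in the post (the author states none are in real use).
SAMPLES = ["tastd1tMSbtmwm4g", "A!wyccd4y-Awycd4yc", "Mhall,1fwwas",
           "SIct2asd?", "B,s!Wltywb?"]

def policy_violations(password, username):
    """List the rules, as the post describes them, that `password` breaks.
    'No recognizable words or dates' needs a dictionary and is not checked."""
    problems = []
    if not 8 <= len(password) <= 15:
        problems.append("length must be 8-15")
    if not password or password[0] not in string.ascii_letters:
        problems.append("must start with a letter")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("needs upper and lower case")
    if any(c not in ALNUM for c in password):
        problems.append("letters and digits only")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    return problems

def keyspace_bits(length, alphabet_size):
    """log2 of the number of possible strings. This is an upper bound that
    assumes uniformly random characters; phrase-derived passwords have less."""
    return length * math.log2(alphabet_size)

def report(username="abc1234"):   # hypothetical username, not from the post
    return {pw: policy_violations(pw, username) for pw in SAMPLES}

if __name__ == "__main__":
    for pw, problems in report().items():
        print(f"{pw:20} {len(pw):2} chars  {problems or 'ok'}")
    for n in (8, 15):
        print(f"length {n}: {keyspace_bits(n, len(ALNUM)):.1f} bits alphanumeric, "
              f"{keyspace_bits(n, len(PRINTABLE)):.1f} bits with punctuation")
```

The sixteen-character Sam McGee sample exceeds the 15-character limit, and the four samples with punctuation fail the letters-and-digits rule.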
My Twitter password has several special characters in it. Works great. But now I’m setting up some blogs. WordPress has a great plugin called “Twitter Tools.” It automatically tweets whenever you post a new blog entry. Cool, right? But it won’t work for me, because Twitter Tools escapes my special characters (makes them safe for passing to a database, even though nothing gets passed to a database), and then Twitter won’t take them. I have written to the creator of the application to see if he has a simple solution, although I don’t expect to hear back from him. I am now faced with the choice of changing all of my Twitter passwords (one Twitter account, and several applications each on my work computer, my home computer, my work laptop, and my home laptop), or tearing through the code trying to figure out a simple, clean way to pass the password unedited. The first is not difficult, but I’m annoyed at the prospect of having to do it, simply because a programmer didn’t think people would have special characters in their passwords.
On an entirely separate note, have you ever watched someone when you told them they had to change their passwords? People who give four-hour off-the-cuff lectures to a roomful of students, present papers to thousands of colleagues at meetings, and will talk for hours when you pass them in the halls, freeze up at the mere thought of having to create a new password. These people, who can keep a zillion esoteric facts in their heads for years, firmly believe that they are totally incapable of remembering a password! And, therefore, as with all self-fulfilling prophecies, they are.