Sage Advice
Posted by
tgirsch
Via I, Cringely: CHANGE YOUR DAMNED PASSWORDS:
With this fact in mind, then, I’ll take another stab at improving the data security of all Americans. CHANGE YOUR DAMNED PASSWORDS!! Most people don’t do this — ever. They have one or two passwords they use for everything, often associated with one or two user names. If a system forces a password change they’ll move to password B in hopes that when the next move is forced they can move back to password A. If you have an eight-character password that mixes numbers, letters, and non-alphanumeric characters in various combinations of upper and lower case — in other words a REALLY GOOD password — I can pretty much guarantee you’ve been using that exact same password since 1998. People are lazy. People don’t want to learn arcane eight-character passwords on a regular basis.
But identity thieves aren’t so lazy, especially when they have technology to help them. They can start a sweepstakes website that requires only free registration to win that cruise of a lifetime to Bora Bora. And in doing so the thieves can know that a majority of registrants will use a username and password combination that they also use at a lot of other sites, like bank and brokerage accounts. Not only don’t they need to actually award the cruise, they don’t even have to break into your bank account in order to benefit from the username/password combo. They just sell that information to another crook.
That crook knows your name, address, and likely username and password. Forty percent of the people in your town use the same bank. Fifty percent of his stolen usernames and passwords are valid. Forty percent of bank customers use online banking. Add this all together and that crook has more than enough information to raid the bank accounts of enough folks to make his day and ruin theirs.
It doesn’t take just a fake website to accomplish this kind of phishing expedition. There are thousands — probably tens of thousands — of web operations that require user sign-ons but don’t do anything to protect the user database from being stolen by employees. “We’re not selling anything,” they tell themselves, “so it doesn’t matter.”
It matters.
Half my credit card accounts now require me to go through an elaborate e-mail validation scheme if I try logging in from a new IP address or from a computer lacking the proper cookie. Half don’t require this. The half that do were probably the targets of some huge and successful crime spree — a spree we never heard of because it was never made public. Billions of dollars are ripped off this way each year from banks and other financial institutions but we never hear about it because that might encourage more crime.
So CHANGE YOUR DAMNED PASSWORDS and put an end to this kind of scam. Perhaps remembering new character strings will help to stave off Alzheimer’s.
At any given time, I have about three different passwords. One for sensitive financial-type stuff. One for things like e-mail accounts. And one for stupid BS I don’t care about. The first two types, I change routinely. That last type, I almost never change; but at the same time, I don’t much care if you can access anything stored under that password.
The reason people DON’T change their damned passwords is because every ridiculous community newspaper and local TV news station wants you to register to access their website and you end up with 5,000 freaking different registrations. If I changed my passwords I’d need a huge notebook just to keep track of them all.
Comment 11/19/2007
I’d like to see wider use of systems like the one my company uses for external access to the corporate intranet. The login password consists of two parts: the first part is a fixed string akin to a traditional password. The second part is a string of eight numbers that change every 30 seconds, and which I have to read off of a keyfob device containing a pseudo random number generator synchronized with a similar one running on the authentication server.
The great feature of this is that if my password were ever compromised, they only have 30 seconds to make use of it.
Comment 11/19/2007
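The two-part login described in the comment above, as an added example (not the commenter’s company’s system): the server checks a fixed password followed by an eight-digit code derived from a shared secret and the current 30-second time step, with an HMAC-SHA1 truncation (RFC 4226/6238 style) standing in for the fob’s synchronised generator. The secret, password and timestamps are constructed, and the one-step skew window and the last-used-counter replay check are assumptions about how such a server is typically built.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the comment's keyfob changes its number every 30 seconds
DIGITS = 8          # and shows eight digits


def time_step(now: float) -> int:
    """Counter shared by keyfob and server: seconds since epoch // 30."""
    return int(now // STEP_SECONDS)


def otp_code(secret: bytes, counter: int) -> str:
    """Code for one time step: HMAC-SHA1 of the counter, dynamically truncated
    (RFC 4226 / 6238 style); this stands in for the fob's synchronised PRNG."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def keyfob_display(secret: bytes, now: float) -> str:
    """What the fob shows at wall-clock time `now`."""
    return otp_code(secret, time_step(now))


class TokenServer:
    """Authentication server: accepts fixed password + current fob code.
    drift_steps widens the window for clock skew; last_counter blocks replay."""

    def __init__(self, password: str, secret: bytes, drift_steps: int = 1):
        self.password = password
        self.secret = secret
        self.drift = drift_steps
        self.last_counter = -1   # highest counter already consumed by a login

    def login(self, submitted: str, now: float) -> bool:
        # Login string is the fixed part followed by the 8-digit fob code.
        if len(submitted) <= DIGITS:
            return False
        fixed, code = submitted[:-DIGITS], submitted[-DIGITS:]
        if not hmac.compare_digest(fixed.encode(), self.password.encode()):
            return False
        current = time_step(now)
        for counter in range(current - self.drift, current + self.drift + 1):
            if hmac.compare_digest(code, otp_code(self.secret, counter)):
                if counter <= self.last_counter:
                    return False     # same (or older) code already used: replay
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-seed"   # constructed; a real fob holds a per-device secret
    server = TokenServer("fixedpart", secret)
    code = keyfob_display(secret, 1195500000.0)
    print(server.login("fixedpart" + code, 1195500000.0),   # True: fresh code
          server.login("fixedpart" + code, 1195500010.0))   # False: replay blocked
```

A captured code stays valid for the full step plus whatever skew tolerance the server allows, not a strict 30 seconds, which is why the server also records the last consumed counter instead of relying on the code’s lifetime alone.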
Currently at least 10 passwords, minimum 6 digits (some minimum , alphanumeric, forced changes every two months, no repeats for 5 changes (can use the same password once every six or once a year). Scary thing is I can remember all my passwords all the time but I can never remember my phone # or my cell #. Amazing.
Comment 11/20/2007
Will someone please tell me what’s going on here. It really doesn’t matter if we change our passwords or not. As a matter of fact I already have your information. Another thing is why do you have a password for stuff you don’t care about. If you didn’t care about it then why even go through the hassle. I think that the only way to stop identity theft is to steal the thieves’ identity. That way when they steal our identity then all they’re really doing is becoming themselves again. It’s a complicated cycle that I like to call thieving the thieves. Think about it they will break into their own bank account or sell their own info to another crook and basically put themselves out of business. I know it’s a long shot right. If you said yes it is a long shot then you were wrong. Let me break this down even more for you. A lot of people steal but they usually start small and become more brave. So how about we make all the small stuff big and the big stuff small then when they get brave they will actually be stealing nothing. Oh yeah and one more thing all my passwords have passwords in which a password is required to get to the second password which is needed for the main password.
Comment 11/20/2007
Great post, Jim.
Here’s my attitude: it doesn’t stand up to logical scrutiny when extrapolated to other “risks.” But, I don’t really give a shit.
You can worry about these things, and take reasonable steps to protect against them. That may or may not actually translate into being more secure. I’ve left my car unlocked many times, I’ve also had my car broken into several times - not once when it was unlocked though. So, I think it is kind of random. You can inconvenience yourself moderately on a constant basis in the form of changing passwords, keeping track of them, and worrying, and hope that doing so protects you against shit happening. Or you can just say fuck it, and agree to a theoretical, but still probably insignificant increase in the likelihood of shit happening, and come to terms with the fact that if it does, you are going to pay that inconvenience bill in a lump sum.
Now, I understand, that by this logic I could justify not practicing safe sex, for example. Of course, the safest sex of all is masturbating to computer porn… purchased with somebody else’s credit card info.
But seriously, in the age of the internet, this is just a risk you take. I think the means of protection against such risk are more for the peace of mind of the person than they are a legitimate protection against the said act.
I have another question, but it is a totally different angle, so I’ll make another post for it.
Comment 11/20/2007
To what extent is this kind of advice blaming the victim?
To what extent is saying, you should be changing your password every three months akin to saying, women shouldn’t wear short skirts in bars?
Now, I fully understand the practical notion that having the high moral ground isn’t really worth anything to the victim of a crime. If a guy walks through the ghetto with expensive jewelry (let’s call him Mephon Starbury), he is increasing the likelihood of being violated. That however doesn’t make it any less wrong if somebody actually does rob him. Yet, that doesn’t mean shit to Mephon, who is still out a platinum chain and a starting point guard gig.
But, it is interesting that it is okay to give this advice in some forms, but not in others. Take three examples.
Not changing your passwords increasing the likelihood of identity theft.
Wearing a Rolex while walking through the projects increasing the likelihood of being robbed.
Dressing like Lil Kim and getting drunk at a Frat party increasing the likelihood of getting sexually assaulted.
I doubt anybody would take issue if the first relationship were framed as the non-password-changer “inviting” the theft. In fact, many pieces do implicitly treat this phenomenon in this way. Articles that deal with identity theft protection would be construed as offensive if they were written the same way, but about rape protection. Don’t I have the freedom to have a password of 123ABC (that’s my real password guys, so let’s keep that quiet)?
All three are violent and potentially traumatic crimes. In all three the victim may have made him/herself more attractive to the perpetrator in some manner. At what point does it become acceptable to claim the victim should “know better.”
Doesn’t this all just come down to an individual assessment of risk being pitted against their desire to, have an easy to remember password, floss their ice, or look desirable?
I have a lot of thoughts about this, does anybody else want to chime in here. I think it is a rather fascinating example of semantic and sociological dynamics.
Comment 11/20/2007
digg:
I don’t view the advice as blaming the victim. I view it rather like the old joke about the two guys running from the bear: I don’t have to outrun the bear, I just have to outrun YOU. My house doesn’t have to be impossible to break into — just more of a pain to break into than my neighbor’s.
There’s something to be said for the idea that if someone wants your info badly enough, they can get it. That doesn’t mean you have to make it easy for them. The determined criminal will get what he wants no matter what; but most of them will aim for the low-hanging fruit. It’s perfectly rational to try NOT to be the low-hanging fruit.
Comment 11/20/2007
TG,
I’m not bashing the post, I just think it poses some interesting questions, semantically.
Would you feel comfortable making the same analogy to a woman heading out to a frat party with a low cut blouse on? Would you advise her to avoid being the “low hanging fruit”?
Provide your own gay joke.
Comment 11/20/2007
Frankly, I’d advise against going to the frat party at all, irrespective of dress…
And more importantly, I’m disturbed by your seeming inability to differentiate between recommending taking reasonable precautions, and accusing those who fail to take them as somehow “asking for it.”
Comment 11/20/2007
Tgirsch
I think you misread digglah. I think his point is not that it’s bad to recommend taking reasonable precautions; it’s that, as in the case of people who say “well, she shouldn’t have dressed like that,” what’s being sold as reasonable should be considered reasonable. It can be argued that the larger fault is the combination of piss poor security and no reporting requirements, which combine to create a situation where the users are being asked to shoulder too much of the security burden.
Comment 11/20/2007
Digglahhh:
None of those comments are bad as advice for avoiding crime. All of them are bad as explanations for crimes after they’ve occurred.
And, in that latter respect, the last two, and especially the last one (about women’s appearance) can overlap with or reinforce attitudes of indifference to certain people’s oppression. In fact, that women behave “suggestively” is often used as an explicit excuse for their being assaulted or abused - and that is offensive. The problem is that the expression of advice on avoiding crime can often sound the same as the ascription of blame for crime. So, it’s important to be careful how we distinguish the two.
Saying: “don’t do this and you’ll be safer” implies “doing this makes you less safe” which implies “doing this results in crime” which implies “doing this causes crime” which implies “the person who did this caused the crime” which implies “you caused the crime against yourself” which implies “the criminal is not the cause of the crime - you made them do it” which implies “the criminal is not to blame for victimizing you - you are to blame for causing your own victimization”. Avoiding that slippery slope of implication requires carefully distinguishing both sides of each implicative step - making your comments in such a form that it’s clear you don’t mean that the mere fact that you can reduce the likelihood of crime means that you yourself are responsible for preventing criminals from acting criminally toward you.
No one is ever responsible for another person’s abuse of them. No one is entitled to rob you because you don’t lock your car, or assault you because of the way you dress. The fact that it is easier or more attractive to them to do so, depending on how you behave, does not absolve them of responsibility for their own behavior. So it’s perfectly reasonable to give people advice on what does or doesn’t increase the likelihood of criminals abusing them, but it is not reasonable to say that they are at fault for the crime for not taking those precautions. And, again, because blaming the victim is such a common defensive strategy, especially in cases of crimes against women, it is important to be very clear, when discussing crime-prevention strategies, that you are not doing that. Since blaming the victim is not usually employed by defenders of identity fraud, the issue is less fraught in that case. But the basic principles - that it’s prudent to protect yourself, and that criminals bear responsibility for their actions whether you do or not - apply in both cases.
Comment 11/20/2007
Thanks, KTK, I’m glad you contributed.
I want to make it clear, that I am making a point about language, social dynamics, and perception.
I don’t blame anybody for being the victim of any of these crimes. Not somebody who hasn’t changed their password in decades, not somebody who leaves the Hope Diamond unattended on a park bench in a Camden, New Jersey housing project, not a porn star who passed out from too much smack, naked in an all-male prison with her pubes shaved into the shape of an arrow.
A couple of things strike me about this dynamic.
1. It seems completely common to fabricate the threat of identity theft - it is still an unlikely happening.
2. It seems completely common to write pieces advising precautionary action in a tone of, you must be an idiot if you don’t do x,y,z.
3. It seems that of the types of crime I mentioned, identity theft is the one for which the highest prevention burden is placed on the would-be victim, which implies that doing nothing invites the act (to a greater degree than doing nothing to protect yourself would invite the other acts I mentioned). Ironically, though, it is the one for which the victim is least often actually blamed.
If I told my mother that I got my identity stolen, she would ask me immediately if I had a firewall, etc. If she told me that she got raped, I wouldn’t ask her if she was wearing a halter top! FTR, I don’t believe my mother actually owns any halter tops or knows what a firewall is.
Comment 11/20/2007
I think we all agree there are people who are actively trying to steal using electronic means, so taking password precautions is akin to locking your car door. It is acting to deter crime.
I am not aware of proven existence of people who are actively trying to rape women dressed in revealing clothing. Is there any proven correlation between rape and clothing? I have not heard of any. Thus, altering one’s dress does not act to deter crime.
In one case, the victim’s action makes the criminal’s job easier, in the other case it does not.
(As for the bear reference above, a long time ago I worked for a company that did ice strength experimentation out on the ice sheet off Prudhoe Bay. Every party that went out on the ice had to have an armed guard with them for polar bear protection. On one very clear day, a guard decided to leave his rifle at the base and only brought a sidearm. One of the guys asked him if his weapon would really stop a polar bear. He replied that if a polar bear charged, he did not intend to use the weapon on the bear, but rather on one of us.)
Comment 11/20/2007
I think KTK’s comment is the most apropos. But I should clarify that just as suggesting basic precautions doesn’t imply fault on the part of victims who haven’t taken such steps, neither does the ability of someone to take such precautions absolve the criminals of their responsibility. And more importantly, in the case of identity theft, it doesn’t absolve the keepers of our data of their responsibility to protect it.
Comment 11/20/2007
Ted,
That is a great point - and that is in fact a big difference. That’s part of the reason why I mentioned that this is about perception, as well as language.
Now, I ask for evidence supporting the idea that the majority of cars that are stolen are unlocked, and the majority of identity thefts can be attributed to insufficiently frequent password changing. I bet the numbers are barely significant - though it sounds good.
Right, like if I bought two lotto tickets, my chances to win would theoretically double. But, your chances of winning are so low in the first place, that doubling them doesn’t even make a statistically significant difference.
To what extent are we inviting, or increasing the likelihood that we will be a victim of crime by engaging in the type of behavior that we are told increases the likelihood of that crime? In regard to specific crimes/behaviors is it okay to imply that the correlation is stronger than others? Does the way we frame those correlations reflect statistical reality, our fears, gender/racially based stereotypes, etc?
I’m unconvinced that anything beyond the most basic of common sense matters to a degree that makes it worth even the slightest inconvenience.
Comment 11/20/2007
A quick search came up with eight references on car thefts and locking doors. 7 of 8 said about 50% of all car thefts occur when doors are left unlocked, the 8th claimed the rate is 80%.
As for your lottery analysis, your chances of winning do not just double in theory; they double in practice as well. And it does make a statistical difference. If you take a pool of 1,000,000 lotto participants and have each one buy one ticket, and another pool of 1,000,000, each buying two tickets, on average the pool buying two each will “win” twice as much money as the pool buying one. I put win in quotes because also, on average, the pool buying two tickets will lose twice as much money when winnings and ticket purchases are combined into pool P&L statements. Which I guess is why I have never purchased a lottery ticket. But I do lock my car doors and I never wear halter tops.
Comment 11/20/2007
Yes, you double your odds in theory and in practice. But, you are still probably more likely to get hit by lightning than win the lotto. You could buy one, two, five, ten, lotto tickets a day and the odds of you winning are still so low that you might as well wipe your ass with the money and try to sell the footage to an aspiring rapper for his video. So, you helped yourself in theory, but not to a level that is statistically significant in degree. You know, like if Christian Guzman got to begin all his ABs with a 2-0 count.
I’m going to draw everybody’s attention to the disclaimer I originally made about my approach to self-protection, they may not at all be rational. In fact, they may be nothing but contrived justifications for my laziness. It’s still my story, and I’m still sticking to it.
Actually, my neighborhood was so bad as far as car thefts and break-ins that at one point it was common for people to leave their cars unlocked just so the thieves wouldn’t break the windows to get in.
If you are still reading, now the dividends come because this is a ridiculous story that I guarantee is true. My father left his car unlocked for years. At one point, a homeless man lived in his car, part-time. The guy didn’t steal anything, and nobody would break into my father’s car with a man sleeping in it. The guy would find the car when my father parked it and sleep in it in the winter; when my father would leave for work in the morning, the homeless man would thank my father and kindly get out of the car. This happened at least three times a week for about two years. The car was an absolute shitbox though. But, still, pretty damn funny.
Comment 11/21/2007