The Seattle Times Company

Originally published Saturday, June 6, 2009 at 12:00 AM

Software targets password pickle

Programmers have devised a variety of new products and services to help you conveniently manage passwords and protect your online identity.

San Jose Mercury News

Password tips

1 Use at least seven or eight characters, with numbers, symbols and letters. Random arrangements are stronger than words you can find in the dictionary.

2 Think of a phrase or sentence that you'll remember but others won't know and then take the first letter of each word and substitute numbers or symbols for some of them. "My favorite jacket is at the cleaners" becomes MFJIATC or MFJ1@TC.

3 If you really want to use your dog's name, save it for news sites or accounts that don't contain sensitive information. Use a stronger password for more critical accounts or financial services.

4 If you store your passwords, use an encrypted file or password manager. Don't leave them on your hard drive in an open file labeled: "passwords.doc."


Your dog's name. Random nouns. And who could forget blm457yfp?

Most people who use the Internet know the difficulty of remembering all the passwords they need to check e-mail, chat online, download music and transfer funds. Experts advise against using the same password for multiple accounts, in case it falls into the wrong hands. But all those different sign-ons are hard to keep straight and, even with password-manager software to help, they can be hard to keep secure.

Software makers have come up with several alternatives that you're likely to hear more about in coming months. Already, you can sign on to several sites with a single "OpenID" that you've registered with one provider. You can use your mobile phone to generate a digital "key" that you don't need to remember. You can even click on an encrypted "information card" that might one day replace your passwords altogether.

The technology behind these alternatives has been around for a while. But security experts, programmers and industry groups have struggled to make them convenient for consumers and secure enough to win acceptance from major banks, retailers and other Internet services.

"There's just a big problem with passwords. I can't remember my own. I have too many of them," said analyst Linda Monahan, who studies online banking and identity fraud for Javelin Strategy and Research.

Some basic solutions have been around for years. Most Internet browsers, including Microsoft Explorer, Apple's Safari and Firefox, have "password managers" that offer to remember user names and passwords when the user first signs on to a Web site, and then fill in the blanks automatically on subsequent visits.

The downside, of course, is that the browser will fill in those blanks for anyone else who sits down at that computer. And over the years, critics have identified flaws they say make browser-based managers vulnerable to hacking.

Some advocates of a more open Internet have embraced OpenID, which allows a user to create an identity at any one of several Web sites and then have that identity recognized at other participating sites.

When you visit any site that accepts OpenID credentials, you either type in a URL or click a link that connects you to your original OpenID "provider." Once you enter your OpenID password, the provider sends you back to the site, and you are automatically logged on.

OpenID has been slow to catch on, although it received a big boost when Facebook announced plans in May to let people sign in to their accounts with OpenID credentials from other providers. Other big companies such as Yahoo and VeriSign have begun issuing OpenID credentials, but most have been reluctant to accept other issuers' credentials on their own sites.

Critics said that's because anyone can become an OpenID provider, so the site that relies on your OpenID credentials doesn't always know who it is trusting.

For users, there's another weakness: Because you must go to a Web site and type in your OpenID password, a malicious person could use "phishing" or other techniques to learn your password, and then access other sites in your name.

Security expert Bob Blakley favors another approach, using a technology known as "information cards." The "cards" are files of encrypted data that allow your PC to have a conversation with a Web site in a process that eliminates typing in names and passwords.

When you visit a Web site that accepts information cards, you click on a link that initiates an encrypted conversation with a special program, known as a "selector," that helps you manage your information cards.

The selector, which can reside either on your computer or online, pulls up the appropriate card and provides the site with a digital signature to verify your identity. You could also use the selector to make online purchases more secure. In that case, the selector may contact a third party — such as a bank — to exchange encrypted data that authorizes a transaction.

Microsoft has built a selector program, CardSpace, into its Vista operating system. Stand-alone selectors are available from two other companies, Novell and Azigo. Google, Oracle and PayPal have joined the industry foundation and there are a few working sample cards available, but no major retailer or financial institution has implemented the system yet.

For those who want to stick with passwords, the Internet company VeriSign has signed up eBay and PayPal, as well as some small banks and credit unions, for a service that promises added security by letting users combine an existing password with a second, digital "key" that they don't need to remember.

Hoping to expand adoption in the consumer market, VeriSign has been offering downloadable software since April that lets iPhones, BlackBerrys and other mobile phones perform the same function. Once you download the application, you can use your phone to generate a six-digit code.

If you've enrolled at a participating Web site, bad guys can't access your account unless they have your password and the code. Each code is valid for only 30 seconds, so no one can reuse it. The program is synchronized with VeriSign's servers; your phone generates a new code each time you need one.

Copyright © 2009 The Seattle Times Company
