Against the Grain

Volume 19 | Issue 2 Article 38

April 2007 Drinking From the Firehose -- Too Many Passwords, Too Little imeT Eleanor I. Cook Appalachian State University, [email protected]

Follow this and additional works at: https://docs.lib.purdue.edu/atg Part of the and Information Science Commons

Recommended Citation Cook, Eleanor I. (2007) "Drinking From the Firehose -- Too Many Passwords, Too Little imeT ," Against the Grain: Vol. 19: Iss. 2, Article 38. DOI: https://doi.org/10.7771/2380-176X.5078

This document has been made available through Purdue e-Pubs, a service of the Purdue University . Please contact [email protected] for additional information. Drinking From The Firehose — Too Many Passwords, Too Little Time Column Editor: Eleanor I. Cook (Appalachian State University, Boone, NC)

he number of passwords that the average what. The only personal codes I don’t have the best passwords are the hardest to remember librarian must have at his or her finger- to write down to remember are: My social or figure out — it’s rather thatDr. Cazier has Ttips has grown by leaps and bounds in security number, my home and work telephone actually demonstrated this in an empirical way recent years and there is no end in sight. This numbers, and my ATM PIN. I also can usually that can’t be ignored. is a fact of life and we must find a way to recall my main email user name and password In one study, Joseph Cazier and Dawn manage them better. I suspect there are many and my library ILS username and password but Medlin used a real data set of customer pass- people in other professions facing a similar I use these everyday and I have these written words from an e-commerce system to analyze challenge. IT system administrators and bank down in the same place I have all the other the strength of the passwords. They were able managers and well, just about anyone who codes I’ll never remember, because I believe to crack a majority of the passwords in a rela- shops or pays bills online with any regularity it is my responsibility to make sure that if tively short period of time.2 In another study will find themselves collecting a hodgepodge something bad happens to me, that someone by the same authors, password choices were of passwords to recall. can get in there if necessary. analyzed by gender and trends for password The experts often say that you should never As a librarian and faculty member at a development were discussed.3 write down passwords. Excuse me? As of this university, I am not held to the same strict If you think you are alone in using your writing, I have 97 unique (almost) passwords security standards as people who work in the children, grandchildren or pet names as — 34 of them are for and shopping private sector. I have heard some interesting passwords, think again. Apparently the most sites, 23 of them are for credit cards and other stories about how strictly passwords are man- popular constructs for password creation personal finance and ID purposes, and 40 of aged out there in the include these categories: family names; fan them are specifically library work-related. “real” world and while names, such as sports teams or entertainment To this latter category I add regularly as it makes me shudder characters; fantasy aspects, including sexual we increase the number of databases and (and wonder); allusions (remember the commercial with the e-journal platforms. Therefore, that advice I can respect guy on the train trying to quietly tell the per- is completely unhelpful to me, as there is their need for son on the other end that his password is “big no way on this earth I could possibly keep more security boy”?) and then finally, cryptic combinations, up with this many secret codes, no matter in some cases. which is what is considered the best practice But so often, for development of passwords. In addition, the companies are categories of “Faith,” “Place,” and “Numbers” moving the li- figure prominently in the way people develop ability back onto the individual, so not to have passwords.4 Library Marketplace to take the heat. Why is it a problem to use these kinds of from page 81 With identity theft such a serious problem, passwords? They are easy to guess and the what are we to do? In order to explore this topic people trying to guess them are using many column on “sleepers” in used bookstores. You with more rigor, I decided to do a little research. clever ways to get at your passwords. Besides will be surprised at how much some seemingly I found a number of articles in the popular lit- running software programs looking for com- common are selling for. erature about the way passwords are developed mon passwords (which is one method) another and what the best practices are, but this did not Bibliophile Bullpen they recently listed all disturbing but growing method is referred to satisfy me completely because some of the as “social engineering.” Social engineering is of those “unlisted” 800#’s for customer service advice was the same old thing — don’t write at places like Amazon. the term used when sensitive information is them down, and make them unique and hard to obtained simply by asking for it — sometimes Bookstore (http://bookstoretour- crack.1 Ok, I sort of know this intuitively, but directly but other times under the guise of some ism.blogspot.com/) What a great site! Larry it is too difficult to do this, right? We are all other inquiry for which the victim doesn’t Portzline’s passion for books shows through lazy about the way we develop our passwords, understand the real purpose. in every post. Recent article included one on but does it really matter? 5 the founding of some new “ Towns” and a In an article soon to be published, Cazier But then, I met someone who changed and Botelho report on a study they conducted discussion of the merits and demerits of writing my thinking entirely. A colleague of mine in the margins of one’s own books. recently in a metropolitan area. They set up at Appalachian State University has done a table in front of a large financial institution And last, but not least, Insider, some really interesting research that captures in a downtown area. Presumably, individuals the blog of Carl Lennertz at Harper Collins. the essence of the problems we face with the working at such a company would have re- His site is notable for its “insider” approach world of passwords. Dr. Joseph Cazier has ceived a modicum of security training concern- and also for its great set of links to even more several scholarly articles already published ing passwords and the like. The researchers blogs. The universe of book and literary blogs concerning password security issues and in his did not hide where they were from or what is an important way to stay in touch with the most recent study he has demonstrated some they were doing — they identified themselves real thing, books. disturbing trends in the behavior of every-day as university researchers and said that they And just for fun, check out these book citizens that points to the real need we all have were conducting a study about passwords. related film clips on YouTube: “Introducing for being more careful about how we construct They asked people if they wished to fill out Le Book,” “Signed 1st ,” “March of the passwords that serve as barriers to our most a survey and offered them candy, and also a the Librarians.” sensitive personal information — our bank chance to win a free dinner at a local Special thanks to Kevin Hanover at Da records, our email accounts, our financial and for completing the survey. They then repeated Capo, Christine McCarthy at Merriam- health records, and so on. the study in front of a major hospital (another Webster, Stephen Bozich at H.W. Wilson, Dr. Cazier is certainly not the first person institution where employees are assumed to Bill Kane at Alibris, Rolf Janke at Sage, Jon to explain this to me, least my systems col- have a higher than average understanding of Clayborne at Elsevier and Adam Chesler at leagues at the Library feel slighted for essen- security issues). They also repeated the study the American Chemical Society for their help tially telling my coworkers and me the same with a population of students. and suggestions. thing. It’s not that I didn’t already know that continued on page 83 82 Against the Grain / April 2007 choose from completely ridiculous. But that’s Drinking From The Firehose just me — maybe some people like this system. from page 82 For this account, I pay my bill the old fashioned way — through the U.S. mail! MAKINGMAKING AA An amazing number of people actually Another financial institution I use has built shared their actual passwords with the research- in a series of questions to serve as a security ers! In addition, most survey respondents wall in the case that someone unauthorized freely shared other personal information with tries to access your accounts. Besides the BIG IMPACT the researchers even if they did not actually BIG IMPACT well-used question, “What’s your mother’s give them their passwords — this information, maiden name?” this institution also includes a such as their names, addresses (for the purposes set of three other questions — things that only Frontiers in Ecology of the drawing for a free restaurant meal) and you know, and they give you three choices at other identifying information could have been all three levels. For example, if asking my and the Environment easily used to guess at their passwords. favorite color or favorite sports team means The fact that such information can be nothing to me, I can still say indicate the name Over the past year, g r o y. Frontiers og l o c e n i s r e i t n ro f w. w w gleaned this easily made me pause when think- of my elementary school. That question has has seen a large increase in ing about the way we manage our passwords. an exact answer for me, although it might not This has me seriously rethinking my approach for someone else who moved around a lot as a institutional subscriptions to my password problem — it’s true that there child. By giving three options for each of the as well as receiving an is no way I can remember them all, especially three questions, it is more likely that at least excellent impact factor if I develop “strong” passwords that are hard one of the questions in each set will pertain to (4.745) for a journal that to crack. For example, the password a!s@ any given individual. This is complicated but is only four years old. d#f$g%h^ would certainly be harder to crack also possible to manage. than fluffy999, for example. However, even As for where to write this stuff down — it’s a!s@d#f$g%h has a pattern to it — it is a series With its timely, cross-disci- clear that we will have to start doing this, but plinary science, accessible of letters and symbols based on the standard how to manage that? It used to be if thieves keyboard and anyone could use it (which broke into your home they might first go for the writing style, four-color means a clever cracker could figure it out too). jewelry and appliances such as TVs and DVD graphics, and visually A colleague of mine suggested a method for players, the family silver or other valuables, but appealing format, the developing passwords based on the LC clas- now they might be looking for bank records, journal has been welcomed sification system. You can use call numbers social security numbers and the like. A crook from your favorite books as passwords. This might take the hard drive of your computer first by scientists from a wide idea is intriguing because you could create a nowadays. This seems to be a logical place range of disciplines, as well code for referencing your passwords without to start in some cases. If you keep your list of as by resource managers, actually telling anyone the actual password. passwords in a file on your computer, can spy educators, and students. For example, if you have a list of passwords ware or ad ware invasions get to it? Probably you could note: Agony & Ecstasy (for your not, but that does not mean it’s not vulnerable Citibank credit card) but only you would know to theft. As the news media has shown, people Visit: that the real password is PS3537.T669A38. all over the country are taking hard drives or www.frontiersinecology.org This definitely appeals to the librarian in me! laptops home with them that apparently have And of course if you are more comfortable large files of sensitive information on them and see for yourself. with the Dewy Decimal system, you could (Why? I have to wonder). use that too. And you could take this concept Frontiers sets itself apart and apply it to other systems of numbers and So if you need to list out your passwords from other scientific journals, letters, I suppose. The point being that you somewhere where you can get to them, you need to do it in such a way where you can but delivers the same high- need to come up with something creative and quality, peer-reviewed hard to guess. remember what it is with some prompt, and use other tricks that no one knows There are a number of Websites that provide literature as the best of them. (or maybe just one other person knows). At And at only $220–240 for a random password assignment, but that will least one other person in your family you trust have to be another whole column to discuss should know that these things can be found U.S. institutional subscription, these. In addition, there are a number of pass- somewhere. After all, if you are hit by a hay it’s great value for your money. word management software packages out there. truck or drop dead of a heart attack someone Again this needs further exploration. (And if needs to know how to cancel your accounts. you have come across something you like in They might not need your passwords to do Contact your subscription either of these areas, contact me!) this, but they need to know where you even agent or ESA Headquarters Banks and other institutions collecting have accounts. sensitive information about you (health care Another development that is on the horizon at 1707 H Street NW, systems, insurance companies, etc.) continue and is actually being used in some places is a Suite 400 to be challenged by these problems. Some of fingerprint-based device. Known as “biometric their solutions are not very helpful though. In identification,” grocery stores and financial Washington, some cases they build too much complexity institutions have started using this to some DC 20006 into the system and make it even harder for degree. This eliminates the need to remember normal people to access their accounts. A an actual password since bodily attributes Fax: recent example: one of my credit card provid- identify you instead. Iris-scanning systems, 202-833-8775 ers decided that they wanted to build another reminiscent of the movie Blade Runner are layer of security into their system and asked not far behind. Since there are essentially their customers to pick an image from a set three methods of multifaceted identification: of pictures to use as another layer of privacy. Something you know (passwords); Something Apparently they concluded that such a system you have (a key, a pass card or other object); would be useful, especially to those people or Something you are (your finger print, the who are visually oriented. I totally rejected this iris of your eye), some institutions trying to esa system as unworkable for me — I am esa protect your privacy are implementing systems visually oriented and found the pictures to Promoting the Science of Ecology continued on page 84 of personal item theft (wallet, handheld, etc.) Drinking From The Firehose you need to take immediate action. The bet- from page 83 ter you protect your passwords by keeping Thanks to: Tom Bennett, Joe Cazier, them hard to crack and written down in safe Adam Jordan, Megan Johnson, and Jan- that use all three of these. Of course, whether and encrypted fashion, the less your life will ice Keim for their feedback on this article. this makes your life simpler or more compli- be disrupted. More on this in a future column — EC cated is a good question. These systems are — for now, it’s time to make those passwords Big-Brother like, and even now, with so much more secure! of our consumption happening through ATM cards and debit systems, anyone you do busi- ness with (and possibly the government) can Endnotes track your every move. 1. I looked at the following articles: Harrison, Warren. “Passwords and Passion,” IEEE Software, Maybe I should get rid of all those pass- July/Aug. 2006. words and just pay cash! Unfortunately, I still Kandra, Anne. “Manage Passwords Safely – and Simply,” PC World, April 2003. have to have all those work-related passwords Lewis, Peter. “Let Your Fingers Do the Locking,” Fortune, Jan. 24, 2005. so I can get into the staff side of the ILS, my Locke, John. “Smarter Password Management: How to Handle Your Passwords Without Getting email account, and the ever-increasing number Lost,” Free Software Magazine, 2/10/2005. http://www.freesoftwaremagazine.com/articles/pass- of e-journal platforms and the like that demand wd_management/ I create a user name and password as an account Metz, Cade. “Password Managers & Form Fillers,” PC Magazine, May 24, 2005. administrator. Argh, no winning on that one, Password Management Best Practices / M-Tech Identity Management Solutions — http://mtechit. and no end in sight! com/docs/user-provisioning-best-practices.pdf As my friend Megan says, we are overtax- Regnier, Pat and Sahadi, Jeanne. “Defend Your Virtual Home,” Money, Dec. 2006. ing our syntactic memory (don’t you just love 2. Cazier, Joseph A. and Medlin, B. Dawn. “Password Security: an Empirical Investigation into that). But since organized crime is getting E-Commerce Passwords and Their Crack Times,” Information Systems Security: The (ISC)2 Journal, into identity theft schemes these days, not just v.15, no.6, pp.45-55. bored teenaged hackers, it’s time we take this 3. Medlin, B. Dawn and Cazier, Joseph A. “An Investigative Study: Consumer Password Choices seriously. Risk management is a big deal these on an E-Commerce Site,” Journal of Information Privacy & Security, v.1, no.4, 2005, pp. 33-52. days. In order to mitigate that risk, it’s best 4. Medlin & Cazier, Ibid, p.40. not to travel into “bad” virtual neighborhoods 5. Cazier, Joseph A. and Botelho, Christopher M. “Social Engineering’s Threat to Public Privacy,” — porn sites and other fly-by-night Websites to be given as a paper at the 6th Annual Security Conference, Las Vegas, NV, April 11, 2007, http:// www.security-conference.org/ and also has been submitted for publication. considered risky in terms of viruses and other types of scams. If you are the unlucky victim

Lead, Follow, or Get Out of the Way: Management Succession in Libraries by Rick Lugg and Ruth Fischer (Partners, R2 Consulting, 63 Woodwell’s Garrison, Contoocook, NH 03229; Phone: 603-746- 5991; Fax: 603-746-6052)

uring a recent R2 project at Carleton e-resources workflow. The next, I was mentally “Are we in the way?” College in Northfield, Minnesota, I transformed into “boomer dude,” scrambling Libraries are good places to work, and Dinterviewed Chris Sinkler-Miller, to keep up with a smart Gen X-er, and trying boomers are staying longer in key positions, the Periodicals/E-Journals Specialist. Chris not to show it. It’s a moment lots of us are sometimes settling in and making them aw- manages SFX for the Bridge, a catalog shared facing right now. fully comfortable. Consider these statistics, by Carleton and St. Olaf College. She has At Sea-Tac Airport, headed home from drawn from Stanley Wilder’s excellent “De- obviously mastered the SFX knowledgebase, ALA, I had a related conversation with a thirty- mographic Change in Academic Librarianship” linking, e-resource cataloging and holdings something hot-shot who ranted about impend- (Washington DC, Association of Research maintenance — all those tasks that help users ing retirements in libraries and at vendors: “All Libraries, 2003.) find the electronic content they so desire. these gray-hairs keep talking about retirement • In 1986, 43% of ARL Directors were un- At the time we spoke, Northfield had just — well, stop talking and just go, already!” der 50 years old; in 2000, a mere 5%. experienced a world-class hailstorm, with the Within a week of that, while viewing the natu- • In 1985, 44% of Directors had more than Minnesota sky dropping ice bombs “the size of ral history “March of the Librarians” (http:// 24 years of professional experience; in grapefruits,” and causing massive damage to www.youtube.com/watch?v=Td922l0NoDQ), 2000, 86% boast such longevity. roofs and vehicles. Most staff members were I was forcibly struck by the gimpiness, gray- The very idea that someone in her late driving rental cars, and Chris was no excep- ness, baldness, and generally slow pace of thirties or early forties, with 10-15 years of tion. Her temporary ride was a Chrysler PT our tribe. experience, would take over as the director of Cruiser. Personally, I got a kick out of these Wake-up calls are flooding the switchboard, a major library seems almost incomprehensible slightly quirky vehicles when they first came folks! We really are getting old. And while to us now. When discussing promotions or suc- out, and made an innocuous remark to this ef- we can and should argue that experience brings cession with library administrators, the phrase fect. Chris replied, “I hate it. It context and clarity; we most often hear is “she’s not ready.” makes me feel like a boomer.” that years bring per- There’s often some truth to this assertion. So there it was, my “mo- spective and political skill; and that active In recent years, our profession has witnessed ment of Zen”, to borrow Jon a flattening of library organizations, resulting Stewart’s phrase. One moment, aging brings judg- ment and balance, in fewer middle management positions. There we were professional peers, are some missing rungs on the old career lad- looking for improvements in the we also have to ask ourselves honestly: continued on page 85 84 Against the Grain / April 2007