This ironic little conundrum is the result of poor planning on the part of the Internet's designers and the burgeoning world of e-commerce.
If you try to do just about anything interesting on the Internet today, sooner or later some company is going to ask you to create a user-name and a password. The user-name is supposed to identify you. The password, meanwhile, is used for authentication.
Using both an identifier and an authenticator is a lot more secure than using just an identifier. You can call my bank on Martha's Vineyard, for example, and if you give them my Social Security number, they will give you my account balance. If you know my Social Security number, the reasoning goes, then you must be me. Unfortunately, having just one layer of screening is one of the reasons there have been so many cases of identity theft in recent years.
Things are considerably better on the Internet. User-names are widely known - they are part of e-mail addresses, after all - so the Internet's early designers realized that it would be a good idea to give each user a password as well. If you keep your password secret, the theory goes, then nobody can use your account or access your private data.
Simple user-name and password security works pretty well. In fact, it works so well that many people now have a plethora of user-names and passwords that they need to recall on a daily basis. For example, there is a user-name and password that I need to access my Windows 98 laptop computer. My Internet service provider also assigns me a user-name and password. My AOL account has another user-name and password, and so on.
Good passwords, we are told time and time again, should be hard to guess. But they also should be easy to remember. One thing that is particularly annoying about today's plethora of passwords is that many companies use different rules for what makes an acceptable password. Some require a combination of letters, digits, and symbols. Others require letters and digits but prohibit the use of symbols. Some particularly obnoxious Web sites require that I use both upper-case and lower-case letters.
Adding numbers and symbols makes a password harder to crack. These days, miscreants don't sit there guessing passwords one at a time. Instead, they use dictionary attacks - that is, a program tries every word in a dictionary, forward and backward, with each of the digits 0 through 9 added at the beginning and at the end. You actually can download software from the Internet that will try to break into a Web-based account this way. Over a cable modem, such a program can try perhaps 20 passwords a second. Words that aren't in the dictionary, multiple digits, and symbols foil the attack, because the candidates the program generates never include them.
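The attack as the column describes it, written out as an added example (this is not code from the column or from any of the tools it mentions). The word list is a constructed five-word stand-in for a real dictionary, and the 20-guesses-a-second rate is the column's own estimate; both are assumptions. The mutation rules are exactly the ones in the text: each word forward and backward, bare and with one digit prepended or appended.

```python
# Added example: the dictionary attack the column describes, on a
# constructed word list. Real attacks use much bigger lists and more
# mutation rules, so treat the numbers as illustrative.

GUESSES_PER_SECOND = 20  # the column's cable-modem estimate (assumption)

# Constructed, tiny stand-in for a real dictionary.
WORDLIST = ["secret", "yahoo", "globe", "password", "calendar"]


def candidates(words):
    """Yield every guess the column's rules produce: each word forward
    and backward, bare and with a single digit 0-9 prepended or appended."""
    for word in words:
        for base in (word, word[::-1]):
            yield base
            for digit in "0123456789":
                yield digit + base
                yield base + digit


def candidates_per_word():
    # 2 orientations x (bare + 10 prefixed + 10 suffixed) = 42 guesses
    return 2 * (1 + 10 + 10)


def is_guessable(password, words=WORDLIST):
    """True if the password falls to the dictionary attack."""
    return any(guess == password for guess in candidates(words))


def worst_case_seconds(word_count, rate=GUESSES_PER_SECOND):
    """Time to exhaust the whole candidate set at the column's online rate."""
    return word_count * candidates_per_word() / rate


if __name__ == "__main__":
    for pw in ("yahoo", "7terces", "globe9", "yahoo4533", "S3cr3t!x"):
        print(f"{pw!r:14} guessable={is_guessable(pw)}")
    hours = worst_case_seconds(100_000) / 3600
    print(f"a 100,000-word list takes about {hours:.0f} hours at 20 guesses/s")
```

Note what the last two test passwords show: "yahoo4533" survives only because the rules add one digit, not four, and "S3cr3t!x" survives because substituted characters and a symbol are not in the candidate set at all. A cracker that adds more mutation rules, or that runs offline against a stolen password file rather than against a Web login form, is not limited to 20 guesses a second.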
People use different strategies for coping with the large number of user-names and passwords that they are forced to remember. Some use the same user-name and password everywhere. This is generally a mistake: If untrustworthy types discover your user-name and password, they can cause a lot of problems.
Another common approach is to use the same user-name at every site, but to use a password that depends on the site's Web address. For example, a person might use the password ''yahoo4533'' at Yahoo Calendar. The catch is that anyone who learns one such password can usually see the pattern and guess the others.
Yet another approach is to have a low-security password that's used on most Internet sites, and then to have a series of high-security passwords for the sites that actually involve money.
A more secure approach is to use a different password at every Web site, and to store the passwords themselves in an encrypted vault. One of the very best Windows 95 programs in this category is Counterpane Systems' Password Safe, which you can download for free from the company's Web site, http://www.counterpane.com/passsafe.html. Password Safe will remember a different user-name/password combination for every service you visit.
When you first start up the program, you provide an encryption pass-phrase that is used to scramble the passwords you save. After you store a password, the program shows only the service's name and your user-name; double-click on the entry and it copies the password to the clipboard. Once copied, you can paste the password into a Web form or application program by simply typing control-V. Even if somebody is sitting next to you, they won't see your password. Password Safe hides the password, but if you need to see it, you can make it appear by clicking another button.
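To make concrete what "an encryption pass-phrase that is used to scramble the passwords you save" means, here is an added example of a minimal vault in the same shape. It is not Password Safe's code and does not reproduce its file format; the vault layout, the key-derivation parameters and the sample entries are all assumptions. Only the Python standard library is used: scrypt stretches the pass-phrase into keys, HMAC-SHA256 run in counter mode encrypts the entries, and an encrypt-then-MAC tag means a wrong pass-phrase (or an edited vault file) is rejected instead of decrypting to garbage.

```python
# Added example (not Password Safe's code): the shape of an encrypted
# vault as the column describes it, using only the standard library.
# A production vault should use a vetted AEAD such as AES-GCM or
# ChaCha20-Poly1305 from a maintained library instead of this construction.
import hashlib
import hmac
import json
import os
import secrets
import string

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase, salt):
    """Stretch the pass-phrase into separate encryption and MAC keys.
    scrypt parameters are an assumption, chosen to be slow but not huge."""
    material = hashlib.scrypt(passphrase.encode(), salt=salt,
                              n=2 ** 14, r=8, p=1, maxmem=64 * 2 ** 20, dklen=64)
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 used as a PRF in counter mode: PRF(key, nonce || counter)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(passphrase, entries):
    """Encrypt {service: {"user": ..., "password": ...}} into one blob:
    salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal(passphrase, blob):
    """Check the tag first; only then decrypt."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong pass-phrase or vault file altered")
    return json.loads(xor(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def new_password(length=16):
    """A different random password per site: letters, digits and symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entries; the user-name is made up.
    vault = {"Yahoo Calendar": {"user": "someone", "password": new_password()},
             "bank": {"user": "someone", "password": new_password(20)}}
    blob = seal("correct horse battery", vault)
    assert unseal("correct horse battery", blob) == vault
    try:
        unseal("wrong pass-phrase", blob)
    except ValueError as err:
        print("rejected:", err)
```

Two points carry over to any real vault: the pass-phrase is the only secret, so everything rests on it being long and never reused elsewhere; and the per-site passwords can be as random and unmemorable as you like, since the program, not you, remembers them.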
Microsoft's Internet Explorer 5.0 also can store passwords in an encrypted area called the Protected Storage System Provider. While this system is convenient, it isn't as secure as Password Safe, since it uses weak encryption.
It's also easy to lose track of a password with Internet Explorer, since you can't actually see the list of passwords that have been memorized. For this reason, even if you let Internet Explorer memorize your passwords, you still might want to use Password Safe to store a second copy of your critical information.
In the future, user-names and passwords might be replaced by smart cards. Your personal information is stored on a credit-card-sized card with a tiny chip rather than on your desktop computer's hard disk.
But since PCs today aren't being sold with smart-card readers, widespread adoption of this technology is years away. And smart cards have competitors as well. One particularly intriguing matchbook-sized device is sold by Rainbow Technologies. Called the iKey, it works like a smart card but plugs into a computer's Universal Serial Bus, or USB, port. You can find out more about it at www.rainbow.com.
Whatever happens in the future, one thing is sure: We're going to be stuck with user-names and passwords for a long time.
Technology Columnist Simson Garfinkel can be reached at http://chat.simson.net/.
This story ran on page D04 of the Boston Globe on 2/3/2000.