Keeping Secrets: Password Dos and Don'ts

By: Source: Date Posted:

Need another reason to guard your computer passwords? It's possible they could be cracked by eagle-eared identity thieves using a high-tech microphone that detects sound through glass.

“Depending on its keyboard location, each key emits a different sound—in much the same way a bongo drum does,” says computer scientist Doug Tygar of the University of California at Berkeley. These differences go unnoticed to the untrained ear, but Dr. Tygar and his colleague Li Zhuang used a $10 microphone to record keystrokes, then ran the sound of each through a software program originally designed to recognize human speech. By the third try, the program identified 96 percent of typed characters.

When assigned to decipher the keyboard recording of a 10-digit password, Dr. Tygar's doctored software came up with 75 possibilities. “That means if we tried all 75 passwords, we could break into that user’s account. 

“I cannot say this is being done, only that we have done this in the lab. We hope our experiment persuades manufacturers to produce keyboards that mask these sounds.” Given the easy availability of laser microphones that can record sound through windows across the street, Dr. Tygar is already tackling that task himself.

To keep your passwords unknown—and unknowable—follow these pointers:

  • Do combine parts of two unusual, unrelated words, such as “gastrocumulus” or “cytoplasticity.” The longer and stranger the better. 
  • Do mix capital and lowercase characters, as well as symbols and numbers, in the middle of the password: f2reeDoMeYe#wTness, not freedomeyewitness.
  • Do use words from a foreign language in combo with an English word. Many hackers try to crack passwords with common words, or with those pooled from the dictionary database of a single language.
  • Don't use anything that can be easily guessed by neighbors, coworkers, or strangers who get their hands on your wallet—a nickname, child’s name, pet’s name, or your favorite sports team or hobby.
  • Don't use slightly different versions of the same password on different Web sites, such as ABCebay, ABCmortgage, and ABCvisa.
  • Don't pair a common word or your name with a different character at the beginning or end, such as $user or johnsmith7.
  • Don't use the same password from one application to another. “It’s fine to have a simple, short password on a news Web site,” says Dr. Tygar. “But use a different, longer, more complicated password on a site with sensitive information.”

From "Scam-Proof Your Life: 377 Smart Ways to Protect You & Your Family," by Sid Kirchheimer, 2006, p.  262.

More Articles on Consumer Information »

Comments

preview