by Paul Salzer
When you were younger, did you ever read The Adventures of Ali Baba and the Forty Thieves? Great treasures were magically revealed once the phrase “Open Sesame” was spoken before the Cave of the Forty Thieves. Nowadays, treasures of a digital nature are protected in much the same way. But instead of precious gems and oils, passwords protect sensitive data such as credit card numbers and business documents. Let’s take a moment to explore the not-so-magical world of passwords and access prevention. And hopefully, together we will gain a greater appreciation for password protection.
Let’s start by looking at what defines a password. Merriam-Webster defines a password as “a spoken word or phrase required to pass by a guard” or “a sequence of characters required for access to a computer system”.[1] Passwords were used as a way to grant access to secure areas long before computers were invented. In ancient times, sentries would grant access only to requesters who knew the password.[2] Today, programs and computer commands have replaced these guardian sentries. The basic premise still holds true though: if you don’t have the correct password, you don’t get to pass.
In the story of Ali Baba, all forty thieves know the password, “Open Sesame”, and any one of them could use it to enter the cave. For this reason, it is no surprise that the door opened when Ali Baba simply uttered the phrase himself. Had the door somehow known that Ali Baba was not one of the thieves, the treasure cave might have remained secure. Our hero, however, was allowed to enter the Cave of the Forty Thieves because he was only required to pass one level of authentication.
There are currently three factors of authentication in general use. They are: Something I have, Something I know, and Something I am.[3] From a credit card standpoint, Something I have is the physical card that I present at the time of purchase. Something I know is my PIN or CVV2 number. And Something I am is my signature or thumbprint. From a computer security standpoint, Something I have could be a unique certificate on my computer which validates that the computer is what it says it is, or a physical passkey that I carry with me. Something I know is of course a password. Now you may say that Something I am is, to a small degree, my login name.
But to be really considered Something I am, you usually are required to use something more robust like voice recognition, eye scans, or thumbprint readers. In our story, Ali Baba has the Something I know, which was the phrase to open the door. But what if he needed a special jewel or key that only the thieves possessed to open the door (the Something I have)? What if the magic of the door only worked for the thieves (the Something I am)? Could Ali Baba have entered the treasure cave then?
As it stands, Ali Baba would not have even needed to overhear the phrase “Open Sesame”. Conceivably he may have entered the cave simply by guessing it. Phrases like the one in our story tend to be called simple passwords, because they are just common words put together, without special characters or numbers mixed throughout. Simple passwords are the equivalent of setting the combination on your bike lock to 1234. Granted, this is far better than leaving it at 0000 (which is like not setting a password at all), but eventually someone will open the lock if they take the time to try each number. The more complex you make a password, the longer it will take to try every combination. If it takes longer to break the password than the reward is worth, the idea is that the person will not attempt to do so. So, let us imagine someone standing before the Cave of the Forty Thieves trying random words until the door opened. Now imagine that person is a computer capable of hundreds of thousands of guesses a minute. “Open Sesame” would theoretically come up eventually.
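To put numbers on the argument above, here is an added example (not part of the original article) that estimates how many guesses a password could survive. It assumes a guess rate of 300,000 per minute (the article only says “hundreds of thousands”), a constructed eight-word toy dictionary, and constructed sample passwords; the point is that a phrase made only of common words falls to a word-combination search long before an exhaustive character search would finish.

```python
import string

# Guess rate: the article says "hundreds of thousands of guesses a minute";
# 300,000 per minute is our assumed figure for the worked numbers.
GUESSES_PER_MINUTE = 300_000

# Constructed toy word list standing in for an attacker's dictionary.
DICTIONARY = ["open", "sesame", "cave", "treasure", "thief", "gold", "door", "magic"]


def charset_size(password):
    """Size of the smallest standard character set that covers every character."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),  # printable ASCII symbols plus space
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def segment(text, words):
    """Fewest dictionary words whose concatenation equals text, or None."""
    best = {0: []}
    for end in range(1, len(text) + 1):
        for w in words:
            start = end - len(w)
            if start >= 0 and start in best and text[start:end] == w:
                cand = best[start] + [w]
                if end not in best or len(cand) < len(best[end]):
                    best[end] = cand
    return best.get(len(text))


def effective_keyspace(password, words=DICTIONARY):
    """Worst-case guesses needed: a word-combination search when the password
    is only dictionary words, otherwise an exhaustive character search."""
    brute = charset_size(password) ** len(password)
    parts = segment(password.replace(" ", "").lower(), words)
    if parts:
        combos = sum(len(words) ** k for k in range(1, len(parts) + 1))
        return min(brute, combos), parts
    return brute, None


def minutes_to_exhaust(guesses):
    """Minutes needed to try every possibility at the assumed guess rate."""
    return guesses / GUESSES_PER_MINUTE


if __name__ == "__main__":
    for pw in ["1234", "Open Sesame", "0p3n$3s@mE!"]:  # constructed samples
        space, parts = effective_keyspace(pw)
        print(f"{pw!r:16} guesses={space:.3e} minutes={minutes_to_exhaust(space):.3e} words={parts}")
```

The bike-lock combination 1234 has only 10,000 possibilities, and “Open Sesame” needs at most 72 guesses against the toy dictionary even though its raw character space is astronomically larger; the mixed-class sample is only as strong as shown because it does not segment into dictionary words.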
Unfortunately, if we make a password too complex, we run into the problem of forgetting what the password is. In The Adventures of Ali Baba and the Forty Thieves, Ali Baba’s greedy brother Cassim forgets the password and is unable to escape the Cave of the Forty Thieves. As a result, the brother meets a rather gruesome death for his forgetfulness. Granted, we may not have to suffer the severity of Cassim’s punishment, but sometimes people choose simple passwords to keep from forgetting them and to avoid the hardship of having to reset them. These people are tempted to use birthdates, favorite sports teams, names, pets, movies, or bands as their passwords.[4] There is plenty of helpful documentation around that will help you make a password that is both hard to guess and easy to remember. Just keep in mind that building your password should be something unique to you and something that you should always keep secret. My recommendation is to combine different methods that you find and periodically change up what you are doing.
Speaking of change, don’t be afraid to change your password periodically as well. It’s recommended that you change your password every 90 days in fact. And if you ever suspect someone has been using your password to get into your “treasure cave,” you should immediately change the password. Then you should monitor the entrance for a while and see if any unauthorized person comes along using the old one. In our story of the forty thieves, our criminals didn’t change the password to prevent Ali Baba from returning. They opted to go after Ali Baba directly instead, but were thwarted multiple times by Cassim’s slave girl Morgiana. Ironically, Ali Baba is left at the end of the story as the only one possessing the password to enter the Cave of the Forty Thieves and the treasures within.
Cited References
[1] “Password.” Merriam-Webster, Inc. http://www.merriam-webster.com/dictionary/password
[2] “Password.” Wikipedia, 19 February 2011. http://en.wikipedia.org/wiki/Password
[3] “Security: Something I know, something I have, something I am.” Financial Alliance, LLC, 31 December 2007. http://rhftech.com/hd/security-something-i-know.html
[4] “How to get a Hotmail password (I): Trying basic passwords.” Becoming Paranoid, 28 February 2006. http://becomingparanoid.com/2006/02/28/hot-to-get-a-hotmail-password-i-trying-basic-passwords/