Sun, Dec 26, 2004 - Page 9 News List

Power to the people who can remember their PINs

How can someone remember a PIN when the password has to be hacker-proof?

By William Safire  /  NY TIMES NEWS SERVICE , NEW YORK

Do you remember your PIN number? I vividly remember what PIN stands for -- "Personal Identification Number," which means that "PIN number" is redundant -- but I can never keep in my memory bank the number that unlocks the key to my computer-crazed bank account. I am tempted to write the PIN down and put it in a safe place, but my bank warns me never to do that.

The University of Chicago's Networking Services agrees: "Never write down a password," it warns and adds in a footnote: "If you do this, you should take extreme care not to lose the paper you have written it on. You should destroy the paper (e.g., tear it to shreds) once you have learned the password."

In the old days, I could safely hide my PIN by writing it on the back of the label that hangs underneath my couch. That stern, official label used to say "Do Not Remove This Label" -- but now, while it still proclaims "Under Penalty of Law," the newer couches have tags that read "This tag is not to be removed except by the Consumer Only," a clumsy formulation followed by some mumbo jumbo about flammability. That redundant "only" encourages furniture owners to yank the label off, and it means the back of the tag is no longer a safe hiding place on which to scribble PINs.

That has driven millions of us to the use of mnemonics. The m in mnemonic is pronounced the same as the p in pneumonia -- that is, not at all. A mnemonic, rooted in the Greek word for "mindful," is a mental string you tie around your brain in the form of a rhyme or an association. For example, to create a four-numeral PIN, I took the word most closely associated with that acronym, needle, stuck NEED in the new-memory hippocampus region of my cerebral cortex, then picked out the numbers on my telephone pad that spelled out NEED: 6333. (That sample PIN is only for purposes of illustration; distrustful of banking's disintermediation, I put my money in an old mattress, fiercely guarded by a harsh warning label.)

"Auditors and consultants are prodding companies to require that employees pick tougher passwords," notes The Wall Street Journal, "and change them more frequently." That poses a linguistic problem.

The Yahoo security center advises that passwords should be "unique" (not used for another of my accounts), "difficult to guess" (at least seven characters long) and "made up of both lower and upper-case letters, numbers and symbols." (Thanks a lot -- I'll never remember $@Feyeare, and that's my own last name.) "Bad passwords," in Yahoo's eyes, are complete words in any language; your own name or that of your spouse, child or pet spelled backward; information about you easily obtained, like birthday, street address or license plate number; or a sequence of numbers like 12345. In sum, if the code word is easy for you to remember, it's easier for a hacker to crack.

With all those words not to be used, what's left? "What people really do," says John R. Levine, co-author of Internet Privacy for Dummies, "is pick the first thing that comes to mind. Several studies claim that the most popular password in the country is `susan,' which I can easily believe. This would be horrifying except that an awful lot of the stuff protected by passwords is barely worth protecting."

As a privacy nut, I consider every click of my keyboard worth protecting; does Levine have usable advice for paranoid dummies? "Think up a little phrase and use its initials, throwing in 4 in place of `for' and r for `are' and $ for `money' and anything else that seems memorable. For example, mltw10? could be `my laptop weighs 10 pounds' and W$m2vgop could be `George paid me to vote Republican."'

This story has been viewed 2915 times.
TOP top