Opinion, arguments & analyses from the editors of Scientific American

Password advice from the father of the firewall

The views expressed are those of the author and are not necessarily those of Scientific American.


As more and more personal business is conducted online, passwords (make that dozens of passwords) have become a necessary evil of daily life. We all know the rules for coming up with good passwords, or at the very least we hopefully know there are rules: choose an alphanumeric combination, don’t write it down, don’t use it for multiple accounts, etc.

Despite this guidance, "people are lousy at picking passwords that computers can’t guess, especially computers with multi-core processors," Bill Cheswick said at a cyber security conference held recently at New York Institute of Technology. Cheswick has some credibility in this area. In addition to his current position as lead member of AT&T Research’s technical staff, he played a key role in developing the first firewall systems more than two decades ago.

The cyber security pioneer ran through about a dozen different corporate password creation policies from a variety of companies and concluded, "These rules don’t make anything more secure." Even the longest and most complicated password is useless if it falls into the wrong hands.

Cheswick offered instead his "non-moronic password rule": A password should be an alphanumeric combination that a family member or friend can’t guess in five tries, and it should be complex enough so a person can’t figure it out by watching you type it one time. If you need a reminder, rather than writing down the password itself, write down something that will remind you of the password.
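The first half of the "non-moronic" rule can be turned into a registration-time check: expand what an acquaintance already knows about the account holder into the guesses they would try, and reject a password that lands on that list or on the globally common list. The code below is an added illustration of that idea, not Cheswick's own tool or anything from the article; the function names, the small common-password sample and the hint values in the test are all constructed for the example. Whether a password survives being watched once over the shoulder is not something code can check, so that half of the rule is left to the typist.

```python
import itertools

# Constructed sample of globally common passwords. A real deployment would use a
# breach-derived list; "12345" is the one a commenter on this page cites as most common.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein", "abc123"}


def candidates_from_hints(hints):
    """Expand the facts an acquaintance already knows (first name, pet, birth
    year, ...) into the guesses they would try: the fact itself, reversed,
    two facts joined, and each of those with a lazy suffix. Comparison is
    case-insensitive, so everything is lowercased here."""
    words = [w.lower() for w in hints.values() if w]
    out = []
    seen = set()

    def add(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for w in words:
        add(w)
        add(w[::-1])                      # the "clever" reversed spelling
    for a, b in itertools.permutations(words, 2):
        add(a + b)                        # name+year, pet+name, ...
    for c in list(out):                   # snapshot, then add suffix variants of everything so far
        for suffix in ("1", "123", "!", "2010"):
            add(c + suffix)
    return out


def acquaintance_guess(password, hints):
    """Return the guess that matches `password`, or None if an acquaintance
    working from `hints` would not hit it."""
    pw = password.lower()
    if pw in COMMON_PASSWORDS:
        return pw
    for candidate in candidates_from_hints(hints):
        if candidate == pw:
            return candidate
    return None


def passes_non_moronic_rule(password, hints):
    """Cheswick's rule, as far as code can check it: the password must not be
    one a friend or family member would produce from what they know about
    you, nor one everyone on the Internet tries first."""
    return acquaintance_guess(password, hints) is None
```

A site would collect the hints from the profile it already holds (name, e-mail local part, birth date) rather than asking for them at sign-up, and would report the matching guess back to the user so the rejection is explained rather than mysterious.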

It’s also important to weigh the value of the information you are protecting. Cheswick breaks this down to three levels. The "who cares?" category is for any account that simply provides access to information, such as an online subscription to The New York Times. If someone steals the password, the most they can do is read the publication or perhaps fill out a survey, so feel free to reuse passwords for these sites.

Other accounts deserve more protection and their passwords should be created and guarded more carefully. On one level are accounts where it would be "inconvenient" if a password were stolen, but the consequences (e.g., someone ordering a book via your account) could be rectified with some effort. Accounts demanding the highest level of protection are those that enable you to access bank accounts, trade stocks or otherwise deal with financial matters.

Of course, the bad guys have all sorts of ways of stealing your log-in information, and many of these thefts are no fault of the password holder, Cheswick said. Some of the most common ways for passwords to be stolen are through keystroke loggers, phishing attacks and password database hacks.

Keystroke loggers are typically installed on a person’s computer without their knowledge when they download software or images from unsavory or compromised Web sites. Phishing attacks are delivered via e-mails posing as messages from your bank, credit card provider or some other seemingly trusted source. Clicking on links in these bogus e-mails will take you to equally bogus Web sites created to resemble a bank or credit card company’s site. When you try to log in, your information is captured. Hackers often attack password databases (such as those maintained by financial institutions or Internet service providers) directly, where they can steal dozens or even hundreds of passwords.

In these cases, much of the security burden falls on your bank, Internet service provider or whomever else is in charge of protecting your information. One way for them to improve security is to limit the number of password guesses, locking an account if the limit is exceeded. Unlocking such accounts should also be carefully thought through. If a Web site offers a secondary question for authentication, that question should be related to the password rather than you yourself, Cheswick said, noting that it’s not too difficult to figure out the "maiden name" of a person’s mother.
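The two server-side measures the article puts on the provider, guarding against the database theft described in the previous paragraph and limiting guesses with a lockout, fit in one small login service. The example below is added here and is not code from the article, from AT&T or from any real provider; the five-guess threshold, the fifteen-minute automatic unlock and the PBKDF2 round count are assumed policy values. Passwords are stored only as salted, iterated hashes, so a copied table yields no ready-to-use logins, and a locked account answers "locked" even to the correct password so that the lock cannot be used as a guessing oracle. Manual unlock is a separate operation that the caller must gate on some verification other than the password itself, which is the article's point about secondary questions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values, not taken from the article.
MAX_FAILURES = 5            # guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # automatic unlock after this long
PBKDF2_ROUNDS = 100_000     # slow on purpose, so a stolen table is expensive to crack


def hash_password(password, salt):
    """Salted, iterated hash. This is what the database stores, never the
    password, so a leaked table does not hand out dozens of usable logins."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class LoginGuard:
    """Per-account guess limiter. `now` is passed in explicitly so the policy
    can be exercised without sleeping."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, password):
        salt = os.urandom(16)                       # unique salt per account
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def attempt(self, user, password, now):
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, b"\0" * 16)     # same cost, so timing does not reveal valid usernames
            return "wrong"
        if now < acct.locked_until:
            return "locked"                         # no confirmation of the right password while locked
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"

    def unlock(self, user):
        """Manual unlock. Call only after identity has been verified through a
        channel other than the password: a secondary question whose answer an
        attacker can look up would defeat the lock."""
        acct = self.accounts[user]
        acct.failures = 0
        acct.locked_until = 0.0
```

The timed unlock keeps an attacker from permanently denying service by deliberately locking someone else's account, while still cutting online guessing from thousands of tries per minute to five per quarter hour.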

Image courtesy of Potapova Valeriya via


  1. Johnay 12:02 pm 09/17/2010

    Reminds me a bit of this xkcd comic from Monday:


  2. take2lake 12:20 pm 09/17/2010 is a pretty neat way to keep all your passwords safe and secure.

  3. bugsy3333 1:32 pm 09/17/2010

    So basically…no advice about how to create passwords? Wasn’t that the heading?
    Just info about how hackers can get yours.

  4. kfreels 1:50 pm 09/17/2010

    Yeah. It’s right here: "A password should be an alphanumeric combination that a family member or friend can’t guess in five tries, and it should be complex enough so a person can’t figure it out by watching you type it one time. If you need a reminder, rather than writing down the password itself, write down something that will remind you of the password."

  5. bugsy3333 2:36 pm 09/17/2010

    Yes I can see why you would want to write an article with THAT much new info to report….

  6. Soccerdad 3:11 pm 09/17/2010

    I think the most important advice is to have different passwords for your financial accounts vs. other accounts (like for instance SciAm). Eventually someone will set up some semi-useful web site that requires a password simply to obtain passwords to try on financial sites where they could possibly access your money.

  7. Steve D 3:19 pm 09/17/2010

    Unlike mugging, robbing a gas station or hitting someone in anger, cybercrimes are not impulsive, nor are they driven by need. They are carefully calculated, coldly rational crimes. None of the arguments for moderation in criminal justice apply to cybercrime. Cybercriminals should be permanently removed from access to cyberspace. Any of the classical methods will work, or we could just find them a remote island. Additionally, there should be strong penalties for failing to repair damage from cybercrime. Courts should be able to order a credit bureau to fix a victim’s credit records, for example.

  8. pika33 3:27 pm 09/17/2010

    That should be "whoever else is. . . ." Whoever is subjective case, the subject of the verb "is."

  9. jtdwyer 2:39 am 09/18/2010

    kfreels, bugsy3333 – Yeah, the big news is that it’s the family members you really have to worry about! Keep looking over your shoulder…

  10. Mark Williams 11:47 am 09/18/2010

    Passwords are Passe
    People will not use good passwords because they cannot remember them themselves, and no advice for creating better passwords can fix that. Nothing will improve until biometric security becomes common enough for the rest of us.
    Mark Williams

  11. dietwald 2:08 pm 09/18/2010

    While not perfect, probably one of the most effective ways to create & manage is PasswordMaker – found for free at It’s particularly convenient and effective for Firefox users, but since there’s a stand-alone desktop version of it, too, Firefox is not a necessity. Read the description carefully, because the concept is so brilliantly simple that it takes a while to get one’s brain around it. Once you use it, you can have a unique and close-to-impossible to guess password for every page you access, without having to store it anywhere – and it’s not even necessary to type it, making it much harder for keyboard loggers to figure it out.

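The concept dietwald is describing, one memorised secret from which a unique password for every site is derived on demand and never stored, is a keyed derivation. The example below is an added illustration of that concept and is not PasswordMaker's own algorithm or code; the function name, the output alphabet, the salt label and the round count are choices made for this example. The master secret is first stretched with PBKDF2, so that a site password captured by a phishing page or a logger is expensive to turn back into the master secret by guessing, and then HMAC keyed with the stretched value produces the per-site material. The `counter` argument lets one site's password be rotated after a breach there without changing the master secret, which plain "hash the site name" schemes cannot do.

```python
import hashlib
import hmac
import string

# Output alphabet, 70 symbols. Some sites forbid punctuation; a real tool
# would carry a per-site alphabet and length alongside the counter.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_site_password(master_secret, site, counter=1, length=16):
    """Deterministically derive a per-site password from one memorised secret.
    Nothing is stored: the same (secret, site, counter) always yields the same
    password, so the site name must be entered the same way every time
    (it is lowercased here to absorb the obvious variation)."""
    # Slow step: stretching the master secret makes offline guessing of it
    # from a captured site password cost 100k hash iterations per try.
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              b"site-password-v1", 100_000)
    # Cheap step: one HMAC per site and counter.
    tag = hmac.new(key, f"{site.lower()}|{counter}".encode("utf-8"),
                   hashlib.sha256).digest()
    # Read the 256-bit tag as an integer and peel off base-70 digits. The bias
    # from 2**256 not being a multiple of 70**16 is far below anything usable.
    n = int.from_bytes(tag, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)
```

The trade-off the commenter alludes to is that everything now rests on the one master secret: it has to be long, it is never typed into a Web page, and it should be chosen against the article's "five guesses by a friend" rule rather than against the site's minimum rules.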
  12. gin411 4:19 pm 09/18/2010

    For my most sensitive data, I’ve taken to thinking up an easily remembered phrase, and choosing just the first couple of letters of each word, and type that in. Throw in a few numbers, and voila, it looks like a random string of characters and numbers, and it’s still fairly easy to remember. Example: phrase, "I like to jump rope" can become password iL2juR.

  13. gin411 4:21 pm 09/18/2010

    For my most sensitive data, I like to think up an easily remembered phrase, and then take the first letter or two from each word, throw in a number or 2, and voila, you have a string of random looking characters that are still easy to remember. Example: phrase "I like to jump rope" becomes password "iL2juR"

  14. gin411 4:23 pm 09/18/2010

    Sorry for the double submission, I thought it didn’t go through when I had to register!

  15. jtdwyer 5:15 pm 09/18/2010

    Mark Williams – More importantly, passwords are ineffective against a serious intruder. Unfortunately, in an open network there can be no trusted network node: if my computer tells the network my identity has been authenticated or transmits correct (stolen) biometric data, how is the network to know for sure?

  16. jtdwyer 5:23 pm 09/18/2010

    dietwald, gin411 – Finally some useful password advice! Thanks!

    I was wondering how an old network firewall developer (I was a system security developer long before his time) was automatically qualified as a password expert.

    gin411 – the missing posting seems to be a site problem: the free Firefox web browser at works better for this than IE.

  17. easysecured 1:00 pm 09/19/2010

    I found a solution to the password problem two years ago and have established a firm developing products using my solution.

    My solution was to do away with the password and instead replace it with an alternative passwordless authentication (which IBM invented 25 years back but did not patent).

    For details visit,

  18. easysecured 1:03 pm 09/19/2010

    I found a solution to this problem of passwords 2 years back, and that was to do away with the password altogether and instead use a passwordless authentication.

    Such a solution was invented 25 years back by IBM, which did not patent it. I developed a simpler method to achieve the same results, and this resulted in the solution called EasySecured.

    If you want to get rid of passwords, head to and there are multiple solutions on this website. They are free and will only cost you your time.

    But you can save a lot of time and sleepless nights once you get the hang of it.

  19. jtdwyer 2:51 pm 09/19/2010

    easysecured – Ignoring that yours is a commercial posting, since it may be relevant to the topic, it seems that your software is licensed by web servers, for example, for use in controlling their clients’ access to that server. Is this correct?

    Is there some way in which an individual can use your software to securely eliminate passwords for all the web servers he/she accesses?

  20. adaviel 7:44 pm 09/20/2010

    Per the XKCD cartoon mentioned: if you check the xkcd forums, someone mentions that this has already happened – a few people used the same password for PayPal, an online game, and a game discussion forum.

    Personally, I’ve started making totally random passwords for websites, and getting Firefox to remember them all (with a master password of course).

    With so many websites now requesting email addresses or using them as a user ID, it is important to at least have your email password different from the throwaway website passwords. Otherwise anyone getting hold of your password can spam via your email provider. Also, an attacker has a reduced space to search – they already know your userid, they just have to guess the password. "12345" is apparently the most common.

  21. Samadams 9:25 am 09/21/2010

    The problem with passwords is that the more complicated they are, the harder they are to remember. I don’t know of a solution for this. The article above doesn’t address this.

    As far as authentication questions, they are very secure and useful if used right. Lie. My eye color is wrong and impossible to guess because it is not a color. My mother’s maiden name is someone else’s maiden name. set.. As long as you use the same lie, it is easy to remember. There are also ways to make it even more secure. For each site, stick the first letter of the specific site, say, every 4th letter of the response (use your imagination). That way each lie is easy to remember but unique to that site. If someone else has ideas, I am open to learning.

