
Password advice from the father of the firewall

This article was published in Scientific American’s former blog network and reflects the views of the author, not necessarily those of Scientific American


As more and more personal business is conducted online, passwords (make that dozens of passwords) have become a necessary evil of daily life. We all know the rules for coming up with good passwords, or at the very least we hopefully know there are rules—choose an alphanumeric combination, don't write it down, don't use it for multiple accounts, etc.

Despite this guidance, "people are lousy at picking passwords that computers can't guess, especially computers with multi-core processors," Bill Cheswick said at a cyber security conference held recently at New York Institute of Technology. Cheswick has some credibility in this area. In addition to his current position as lead member of AT&T Research's technical staff, he played a key role in developing the first firewall systems more than two decades ago.




The cyber security pioneer ran through about a dozen different corporate password creation policies from a variety of companies and concluded, "These rules don't make anything more secure." Even the longest and most complicated password is useless if it falls into the wrong hands.

Cheswick offered instead his "non-moronic password rule": A password should be an alphanumeric combination that a family member or friend can't guess in five tries, and it should be complex enough so a person can't figure it out by watching you type it one time. If you need a reminder, rather than writing down the password itself, write down something that will remind you of the password.

It's also important to weigh the value of the information you are protecting. Cheswick breaks this down to three levels. The "who cares?" category is for any account that simply provides access to information, such as an online subscription to The New York Times. If someone steals the password, the most they can do is read the publication or perhaps fill out a survey, so feel free to reuse passwords for these sites.

Other accounts deserve more protection and their passwords should be created and guarded more carefully. On one level are accounts where it would be "inconvenient" if a password were stolen, but the consequences (i.e. someone ordering a book via your Amazon.com account) could be rectified with some effort. Accounts demanding the highest level of protection are those that enable you to access bank accounts, trade stocks or otherwise deal with financial matters.

Of course, the bad guys have all sorts of ways of stealing your log-in information, and many of these thefts are no fault of the password holder, Cheswick said. Some of the most common ways for passwords to be stolen are through keystroke loggers, phishing attacks and password database hacks.

Keystroke loggers are typically installed on a person's computer without their knowledge when they download software or images from unsavory or compromised Web sites. Phishing attacks are delivered via e-mails posing as messages from your bank, credit card provider or some other seemingly trusted source. Clicking on links in these bogus e-mails will take you to equally bogus Web sites created to resemble a bank or credit card company's site. When you try to log in, your information is captured. Hackers often attack password databases (such as those maintained by financial institutions or Internet service providers) directly, where they can steal dozens or even hundreds of passwords.

In these cases, much of the security burden falls on your bank, Internet service provider or whoever else is in charge of protecting your information. One way for them to improve security is to limit the number of password guesses, locking an account if the limit is exceeded. Unlocking such accounts should also be carefully thought through. If a Web site offers a secondary question for authentication, that question should be related to the password rather than to you yourself, Cheswick said, noting that it's not too difficult to figure out the "maiden name" of a person's mother.
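The guess-limiting measure Cheswick describes is easy to get subtly wrong on the server side, so here is an added illustration of one way to implement it. This is example code written for this page, not code from Cheswick, AT&T or any site mentioned in the article. The limit of five attempts, the 15-minute lockout, the sample user "alice" and her password are all constructed values; the article names no specific numbers. The clock is injectable so the expiry behaviour can be exercised without waiting. The important detail is that a locked account rejects even the correct password until the lockout expires, so a guesser who hits the limit gains nothing from continuing, and that a successful login clears the counter.

```python
"""Lockout-after-N-failures login throttle (added example, not from the article).

Assumptions (not stated in the article): 5 failed attempts trigger a lock,
the lock lasts 15 minutes, and the caller may pass an explicit clock value.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class FailedLoginLimiter:
    max_attempts: int = 5            # constructed value; article gives no number
    lockout_seconds: float = 900.0   # constructed value: 15 minutes
    # per-user state: (consecutive failures, epoch seconds when lock expires or None)
    _state: Dict[str, Tuple[int, Optional[float]]] = field(default_factory=dict)

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        failures, locked_until = self._state.get(user, (0, None))
        if locked_until is None:
            return False
        if now >= locked_until:
            # lock has expired: reset so the user starts with a clean counter
            self._state[user] = (0, None)
            return False
        return True

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Count one wrong password. Returns True if the account is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        failures, _ = self._state.get(user, (0, None))
        failures += 1
        if failures >= self.max_attempts:
            self._state[user] = (failures, now + self.lockout_seconds)
            return True
        self._state[user] = (failures, None)
        return False

    def record_success(self, user: str) -> None:
        """A correct password clears the failure counter."""
        self._state.pop(user, None)

    def attempts_remaining(self, user: str, now: Optional[float] = None) -> int:
        if self.is_locked(user, now):
            return 0
        failures, _ = self._state.get(user, (0, None))
        return self.max_attempts - failures


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a stolen password database (one of the thefts the article
    # mentions) does not hand over passwords in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample credential store: username -> (salt, password hash).
_SALT = b"constructed-example-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}


def try_login(limiter: FailedLoginLimiter, user: str, password: str,
              now: Optional[float] = None) -> str:
    """Returns "ok", "denied" or "locked". Never checks the password while locked."""
    if limiter.is_locked(user, now):
        return "locked"
    record = USERS.get(user)
    # Unknown users are counted like wrong passwords so the responses do not
    # reveal which usernames exist.
    if record is not None and hmac.compare_digest(hash_password(password, record[0]), record[1]):
        limiter.record_success(user)
        return "ok"
    return "locked" if limiter.record_failure(user, now) else "denied"


if __name__ == "__main__":
    limiter = FailedLoginLimiter()
    t0 = 1000.0  # constructed clock value
    for _ in range(5):
        print(try_login(limiter, "alice", "wrong guess", now=t0))
    print(try_login(limiter, "alice", "correct horse", now=t0 + 1))    # still locked
    print(try_login(limiter, "alice", "correct horse", now=t0 + 900))  # lock expired
```

Passing `now` explicitly is only for testing; in production the default `time.time()` is used. A real deployment would also persist the per-user state somewhere shared across servers rather than in process memory.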

Image courtesy of Potapova Valeriya via iStockPhoto.com

Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots.
