Good Enough for Government Work I Guess

This is pretty much representative of everything that is wrong with our society.

As a publisher, one of the administrative things I have to worry about is applying for the pre-assigned control number from the Library of Congress. It is a little administrative thing, really. It only takes a minute or so per title to do as everything is handled online. The problem, however, is that because we only publish a handful of titles a year, I only log in four or five times a year. Well, as anyone who spends time on the internet knows, it is pretty easy to forget your password for sites that you don’t frequent daily. But some sites seem custom-made to make it IMPOSSIBLE for you to remember your password, and even if you do remember it…well…it won’t matter.

These are the password requirements for the site that assigned the numbers:

Must be at least eight characters in length.

That one isn’t a big deal. Longer passwords are harder to guess and this is a pretty common requirement.

Can not be changed more than once per day.

Well, who would want to change their password daily? Seems like a common sense thing to me but OK.

Must contain at least one uppercase letter, one lowercase letter, and one number.

This sort of requirement always hangs me up, because I can never remember passwords that are case sensitive.

Must not contain consecutive repeated characters.

Now they are just making it impossible. Do you know how hard it is to come up with a password I can remember that is at least eight characters, includes a number, and has no consecutive repeated characters?

Must be changed every 60 days.

So even if I manage to come up with a password that I remember, I will have to change it whether I want to or not every 60 days? And if you forget to change the password, you have to request that your publisher liaison reset your account. That’s right, if you wait 62 days and then try to log in, you will get an error message and not be able to reset your password. You have to contact your representative and wait for them to issue you a new temporary password, and then go in and reset your password.

Can not be changed to any of the 11 most recently used passwords.

You know, because we want to really screw with you and make you come up with a completely different password using our arcane rules every 60 days for the next two years.

Now don’t get me wrong. I understand the theory is to make sure the site is secure. That is all well and good. But when you have a security system that requires the user to use a convoluted method of creating a password that has to be constantly changed, what happens is that people come up with “systems” to help them remember. So maybe they use something really simple like their name and a number, Veronica1. In 60 days, that becomes Veronica2, then Veronica3. That is human nature: we want to use something that makes sense to us, and trying to force us to use an arbitrary random sequence has the opposite effect.

Now what does this mean? It means that while this arbitrary set of rules may protect your account from computer algorithm hacking, it won’t protect you from old-fashioned con artists who know how predictable we all are. Because you know what else a lot of these sites do? They have special “secret questions” that you are supposed to answer to verify who you are. Things like your dog’s name, your kindergarten teacher, favorite movie, etc.

A computer is not going to know what those answers are, of course. But anyone that sees your Facebook page will because you, and millions of people like you, answer those stupid apps where you share all of this random information online with complete strangers!

And guess what? Even if you are smart enough to not do that, your friends are pretty damn dumb because they are answering those stupid apps that ask questions about their friends! Yep, your pal Sally is gleefully sharing with the world that your first boyfriend was Billy and you used to live on Sassafras Street and your favorite ice cream is butterscotch. Then it is just a matter of some con artist matching you up with whatever websites you visit and requesting a password reset.

And this, ultimately, is the problem with society. We are very adept at protecting ourselves from smart villains. But we are helpless when it comes to protecting ourselves from stupid people.

5 Replies to “Good Enough for Government Work I Guess”

  1. This may sound stupid, but the way I get around the questions is make up a consistent lie, then stick to it. If your mother’s maiden name is Smith, for example, always enter Jones instead. Your friends can’t give that away, and the computer won’t know the difference… just as it won’t know the difference if you use the same word (e.g. something memorable like Stegosaur — no, that’s not the word I use 😉) to answer all the questions. Makes remembering much easier, too.

  2. The problem with passwords this “strong” is that it almost always forces me to put it on a sticky note and attach said sticky note to my computer.

    Falls in the “it’s so secure, I can never get in myself” category. IT guys seem to love that.

  3. Use the old hacker trick of replacing certain letters with numbers:

    3 for ‘e’
    5 for ‘s’
    1 for ‘i’
    0 for ‘o’
    @ for ‘a’

    This will get you through the ‘must contain a number’ requirement, and will make your password a little (only a little, but yes, a little) harder to guess. Best that if you replace one of the ‘e’s with a ‘3’ then you do it for all of them, otherwise you’ll be thinking ‘but which one did I swap?’ (although mixing passwords and numbers will make your password stronger).

    This way, if you know that your password was ‘Clockwork’, and that you replaced some of the vowels with numbers, then you know that you’re either looking for ‘Cl0ckwork’, ‘Clockw0rk’ or ‘Cl0ckw0rk’, so even if you forget the exact password, you don’t have too many guesses to make to get the right one.

    The sixty days rule is very annoying, but if they don’t check against all past passwords it may be possible to circumvent it by having, say, four well known passwords, and cycling them round and round.

    Your last point is a good one that I’d never thought of before. Even if we are careful about how much private data we put on-line L0rd W1ck3d, evil teenage hacker, can still figure out our passwords by ‘data mining’ our stupid friends. Fortunately most people are too busy talking about themselves to leak much information about others (I know I am), but I think it’s very likely that what you say is correct, and that hackers build up a ‘profile’ of a person by looking for clues in their social media networks. There is only one solution that I can think of to plug this serious vulnerability: kill your friends. Problem solved!


  4. Kelly, ya that is all well and good until they make me change the password again in 60 days. Then I am stuck trying to remember which song I used to create which site passwords!

  5. One really easy way to come up with a password with stringent password requirements is to pick a song or poem you like and create a password from the first letter of each word in the verse.

    For example:

    “Jack and Jill went up a hill” would become “Jajwuah.” You can add a number to the beginning or the end, and use the second line if you need a longer password.

    To make it stronger, substitute special characters such as “@” for the “a” or “$” for “s.”

    Hope this helps!