“I’ll think about it,” Bryan says reluctantly.
“C’mon,” I wheedle. “It works for everybody. I get occasional blog posts with actual content, you get credits to maintain your certification.”
He grimaces and leans back, looking out the window. “I wouldn’t get credits unless I was the actual author. And I don’t get that many credits. 4 a year, I think. No matter how many posts I slap up.”
“It could work,” I say. Dammit, why is Bryan being so difficult? I’ve known him since college. My husband has known him even longer. “Look, I know you’re worried about your reputation,” I say. “And being connected to a flakey writer doesn’t help.”
He shakes his head. “That’s not it. It just… what you’re asking for takes time. A lot of time. I don’t have a lot of time to craft blog posts that I don’t get that much credit for to maintain my certs.”
“You said every little bit helps.”
“Well, yeah, but-“
“We’ll start easy. How do you craft a password? A good one?”
“Oh, God,” he groans. “You can find that anywhere.”
“I know that, but look around. You have to use a password to log in to almost every website out there just to read a news article. I think I have something like 47 different accounts. There’s my blog, email, Ravelry, Pinterest, Amazon, blablahblah. You expect me to remember a different password for each and every one without writing that down? Are you insane? I can’t remember my wedding anniversary and I have to remember all that, too?”
Bryan nods. “I know you can’t remember your anniversary. Sam told me. I didn’t believe him at first, but then you actually checked the date in front of me.”
“I could use one of those password books they sell,” I tell him. “I could carry it with me-“
“Please tell me you don’t do that,” Bryan says. “Please tell me Sam trained you better than that.”
“I like the look on his face when I threaten to do that,” I admit. “It’s funny.”
He grimaces. “You’re sick.”
“So what makes a good password?”
“You want a different password for every account you have,” he recites. “I feel like a level one at the college helpdesk,” he mutters. “Don’t they teach this crap in schools now?”
“I can’t remember all that,” I say, dragging him back to the original topic. “I’ve got 47 accounts. At least. Why can’t I just use one of those service thingys? ‘Sign in everywhere, even with your credit cards, through Google’ or whatever?”
Bryan whimpers and pinches the bridge of his nose. “How did you get a job in a LAN shop?”
I shrug. “I was a file clerk. I kept the paper trail organized and once they figured out I knew not to do ANYTHING except remotely inventory desktop software, they used me to live test the software pushes.”
“You were the luser representative,” he says with a nod.
He shrugs. “That’s what some of us call them.” He leans forward and pushes his coffee cup to the side. “Okay. The point behind a password is to slow the bad guy down. What a lot of people don’t understand is that sooner or later, every lock or password can be cracked, it just takes time. The more of a pain in the ass you make it, even for a brute force attack, the more likely they’ll just skip your account and move on to the next one. If you use those services that advertise ‘one password to rule them all’ crap, you’ll get hacked fast. Those targets are worth more, so bad guys tend to go after them. If I spend time cracking someone’s account or company or whatever, I want a payoff. The bigger, the better.”
“What’s a brute force attack?”
“I try to break in with a sledgehammer, metaphorically speaking. There are whole databases out there – baby names, alphabets, dates, pet names, dictionaries of every language – even klingon and elvish. A brute force is when I literally try every combination possible using a program to figure out your password. It’s not a good investment time-wise, but if you’re determined to crack a certain account, it will work. Eventually. The idea is to make the bad guy give up before he breaks the lock because he values his time.”
“So that whole terrorist phone thing that the Feds went up against Apple for?”
Bryan rolls his eyes. “That was a clusterfuck from the moment the phone got handed out. If the guy’s company had added a master key like good security practices say they’re supposed to when they issued the phone, the Feds could’ve just gone to the company, gotten the key, accessed all the files on the phone and the company would’ve just had to change their master password.”
“Why would Apple have a master password?”
He shook his head. “Not Apple. The phone in question was issued to the guy by the company he worked for. It was company owned and they failed to secure their shit. That’s why the feds had to go to Apple.”
“I didn’t know that.”
“Yeah, that little tidbit didn’t make as much noise as the lawsuit did. But the ultimate solution of cracking the phone through a code weakness demonstrates my point – the Feds were determined to get in. When you’re up against someone who won’t let anything stop him, it’s a matter of ‘when,’ not ‘if.’”
Hooked him. Stay cool, Katty, keep the conversation casual. “So how do you make the bad guy give up?”
He shrugs. “The sites and articles tend to have it right – the longer the better. 8 characters is okay, if you don’t care about your account. 14 is better. 28-plus is best, for now, but most places don’t accept passwords that long. A lot of places don’t accept character symbols either, which is stupid. It isn’t that hard to adjust the code to accept it. Throwing in a number in place of a letter, of course. Caps and lower case mixes. So on.”
“That’s it?” I ask. Ye Gods what do journalists go through to get a geek talk? Do I need to add liquor?
“Well, no. You want to avoid actual words. ‘Adm1nistrator!’ is a pretty shitty password.”
“So what’s a good one?”
He rolls his eyes. “Okay. Once upon a time, back when 8 characters was actually considered a decent length, I had ‘EFe2O3H3’ as mine. I had a friend, Edgar Russell Howard the third-”
“Seriously?” I ask. “You knew some guy named Edgar?”
“Yes, seriously. He hated it, so we all called him ‘Rusty’ unless we wanted to piss him off. The chemical formula for rust is Fe2O3. So I put E for his first initial, the chemical formula for rust, then H3 because he was Howard the third. EFe2O3H3. It was easy for me to remember and enough of a pain in the ass at the time that most bad guys would rather just skip it and move on to the next account. Now, they’d break that in 30 seconds, tops, so I use something more complicated but still easy to remember.”
Bryan shakes his head. “I will never quite understand why Sam married you,” he mutters. “There’s a couple ways to go about this.” He shifts in his chair again. “Some people use multiple words – “My cat likes birds,” we’ll say. Write that down.”
“Seriously?” I ask him.
“Yes, seriously. Sam told me you want to be an author and authors always have something to write with even if it’s blood on a damn cocktail napkin. Write. It. Down.”
My cat likes birds.
“Okay, now get rid of the period and replace at least one letter with a number.”
My cat likes bird5
“Don’t be stupid,” Bryan growls. “Sam trained you better than that. You never put the number or the symbol at the beginning or the end of the password. That’s too easy for someone to crack.”
My cat like5 birds
“Better,” he nods. “But an even better number would be a 2 or something. 5 = S, 3= E and so on are also documented in databases. Do you remember all those calculator jokes we used to think were so damn clever in middle school? Someone remembered that crap and documented it.”
I change it. My cat like6 birds
“Now misspell one word. Intentionally.”
My cat like6 byrdes
“Okay. A little on the Old English side – which is also in a database somewhere – but still okay. Now run them all together.”
“Now add three initials to it somewhere that denote the site you’re using the password for.”
“Amazon, huh?” he asks, looking at the page.
“I’ve been browsing, lately,” I admit.
“Didn’t get a space pen for Christmas, birthday or valentines, did you?”
“I don’t understand why people don’t accept my love of office supplies,” I say defensively.
“Yeah.” He taps my mashup password. “So what you’ve got now is a password you can remember that’s reasonably strong. Technically, you could use it for every site, just change up the 3 initials to denote the site you’re logging on to, like ‘yhm’ for a yahoo mail account or something. It would be better if you put the three initials in the middle somewhere, like where a word break would be. Even better would be every fourth letter an initial gets put in, but people complain that’s too hard. Another method is acronyms, but there’s a case against them.”
“Don’t make me hit you, Katty. I like you, but Sam will understand why when I tell him you were playing white-out blonde.” He taps my notepad again. “Come up with a sentence at least 8 words long. Something you can remember.”
Bryan was the best man at my wedding.
“Hey, you remembered that.” His eyes narrowed. “I’m still bitter you didn’t let me drink, though.”
“We didn’t have the money to pay to cover liquor on the site,” I say with a shrug. “You got to be important. What else did you want?”
“You gave me a damn flask as a gift and didn’t give me any alcohol.”
“Anyway,” I say. “What now?”
He glared at me. “You know what acronyms are. Figure it out.”
Bryan can be such a dick sometimes. Bwtbmamw.
“Good for you,” he says. “Now do the rest like I told you.”
“Pinterest?” he asks.
“I like the pictures.”
“See, now if I stole your password, I could use it to destroy your credibility on Pinterest by posting child porn or something via your account.”
“That’s gross,” I tell him.
“That’s what bad guys do, among other things,” he says with a shrug. “To be fair, something like that is usually more of a personal attack, but it doesn’t make it any less damaging. But the acronym thing actually has a case against it – there’s an argument that it’s easier to crack the acronym password than the random phrase one. It’s some mathematical equation. I didn’t quite follow it the way another guy in my shop did, but he also has a brother with a math PhD, so there ya go.”
“So that’s it?” I ask. “That’s all you need for a password.”
“Until companies get their heads out of their asses and allow symbols and longer passwords, yeah. It’s a place to start.” He finishes his coffee. “And put your three initials somewhere not at the end or the beginning. Please.”
“You did figure it out pretty fast,” I admit.
“And I’m not a computer, so imagine how lame your other passwords probably are.” He taps his head. “I have a list of common passwords up here, because I keep running across accounts we need access to after someone leaves the company. You’d be surprised at how many people use the same damn password.”