The password and
the pendulum

Tip: Don’t use your birthday.

Tip: Don’t use 123456.

In Umberto Eco’s 1988 novel Foucault’s Pendulum, the protagonist tries to access a friend’s computer only to come up against the prompt, “Do you know the password?” After umpteen unsuccessful attempts, the exasperated protagonist types, “No.” Which unlocks the computer.

You might think, Get real, Umberto, what kind of nitwit uses an easily-guessed password like “No”?

The surprising answer is: Nitwits from all walks of life. Last week, The Telegraph published “The World’s Most Common Passwords.” The article lists 25. Here’s a sneak peek at the top ten:

  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321

Lest you think that the 25th most commonly used password must surely be way tougher to guess, well, I hate to disappoint. It’s 1q2w3e. You need only plot that one on your keyboard to see why it’s not much better than 987654321. The list goes a long way toward answering the question, How did they access my data?

I have suggested that, beyond their own security measures, financial institutions would do well to educate clients on security measures they can implement themselves. Though the primary reason for educating clients is for their own benefit—they will be safer—the benefits for financial institutions are not to be overlooked. One benefit is that sharing useful information creates good will. Another, according to a recent Fiserv consumer trends survey, is that teaching clients good security measures emboldens them to adopt more digital banking services.

There are reasons people use easily-guessed passwords. Chief among them is that what makes a password hard to guess also makes it hard to remember. The most secure passwords comprise a long string of random letters, digits, capitals, and symbols, with no real-world words or proper nouns. Since there is only so much RAM between the ears, how on earth can we expect clients to remember passwords like that, much less a different one for every account?

A good starting point might be to show clients how to create a unique, hard-to-guess password that they themselves can recall. It needn’t be difficult. If, for instance, you happen to be a Denver Broncos fan—and you should be—you might come with a password like dbR!23DB@219. Doubtless you have already figured out how I came up with that one, but just in case, I’ll explain it. dbR means denver bRoncos; the ! is there because the Broncos are awesome; 23 is player Devontae Booker; his initials are DB; and @219 means Devontae weighs in at 219 pounds. There you have a password that was easy for me to conjure up, is easy for me to recall, but would be extremely difficult for evildoers to guess.

A mnemonic device like dbR!23DB@219 is all well and good as long as clients don’t have to remember lots of mnemonic devices and keep track of which unlocks what. Trouble is, your clients most likely have a lot of password-requiring accounts. A Microsoft study found the average person was using some 25 of them, and that was in 2007. It’s not unreasonable to speculate that, with the growth and popularity of online apps, the number is much larger today.

Many people solve the need for multiple passwords in a not-terribly-smart manner: They use one password for everything. I need hardly point out why that’s unwise, but I will anyway: The moment someone divines your Facebook or Netflix password, that same person now has access to all of your financial accounts. Not good.

Which is why you might consider recommending clients use a good password manager. It may seem counterintuitive: How can it be safe to store all of your passwords in one place? But a decent password manager does what people should but generally do not or cannot do, such as assigning one complex password per account, evaluating password security, generating and tracking random passwords, providing two-way authentication, and allowing authorized access across platforms and devices. Proper use of a password manager—and guarding access to it with the most un-guessable password you can come up with—is a lot more secure than easily-guessed passwords used for several accounts.

As for me, I guess I can’t use dbR!23DB@219 anymore.

Leave a Comment