Answer. A lot Harder than you might think!

The other week it occurred to me that I really ought to get around to changing the passwords that pretty much control my life. You might think that would be pretty simple, but this “project” has been going for 3 or more months and I still feel like I’ve only scratched the surface. I have more than once thought that it was a mistake to start, but going back to where I started is probably no longer an option. So what better way can there be to unburden myself of all of this self-inflicted stress than to inflict some of it on you?

Some Password History

It’s funny how attached you can become to a password. Years ago, in the early days of CAD/CAM in Cambridge, all of us at Integra were involved with a CAD system called Medusa. I chose “medusa” for my password and it’s  a safe bet that 90% of my colleagues and students did the same. It certainly made life easier – using Medusa was hard enough without having to remember a password as well!

In the early-90’s I found myself at Canary Wharf working for a Swiss bank in the back office of the derivatives team. Nowadays derivatives traders get a lot of bad press. True, they may have brought the financial system crashing down around our ears and have condemned the country to 10 years of austerity that we will probably never recover from, but fair’s fair – they were probably just having a bad day. Aside from developing a taste for Bolly I also picked up a new password. Naturally, being in a secure banking environment our passwords had to be ultra-secure, and unfortunately they had to be at least 8 characters long, so good old medusa couldn’t withstand the rigours of  investment banking. I knew that I had no chance of remembering 8 letters so I asked a colleague what her password was (did I mention that this was a secure banking environment?).  This was my first encounter with the cunning use  of numbers which look like letters since learning how to write “hollies” (a popular beat combo of the period) on an LED calculator way back in the 70’s. It had never occurred to me to use this feature in passwords. Well, her password couldn’t be bettered as an example of obfuscation, so I decided to use it unchanged. Thus was born “soonbesummer”, made up of a combination of letters and numbers, which had the added advantage that if I ever forgot it I could always ask her. I liked it so much that I continued to use it for almost 20 years. One of the nice things about “soonbesummer” was that if I was forced to change it I could simply switch to “soonbewinter”.

Both “medusa” and “soonbesummer”/”winter” have stood me in good stead over the decades, but times have changed. We need to take things like identity theft very seriously these days and so these passwords have now been consigned to the dustbin (that’s what we used to call wheelie bins before they had wheels on) of history.

How Did it Come to This?

Years ago computers were relatively rare and it was pretty unlikely that you would have access to more than one.  To run a program you had to a) get into a building connected to computer, b) find a terminal and “log on” (because the system kept a log of what you did), for which you needed a username and password . Then you had to know enough about the particular operating system in order to find and run a program. That was considered enough of a barrier – no further protection was deemed necessary.  Computer programs existed then to do useful work. What would have been the point in gaining illicit access to a computer only to find that you could do nothing except calculate the hoop stresses in thin-shelled pressure-vessels? The computer itself was guarded, like a queen in a hive, by the drones of the Computer Department  (it was quite a few years later that people starting to call it IT, probably about the same time that Peking was renamed to Beijing). The Computer Department existed to a) keep people off the computer and b) play with the computer. Most of their effort was  expended on a) because that made the computer go faster for b). I know this to be true, because in a past life I was the VAX/VMS Systems Manager at McDonnell  Douglas in Cambridge, and I spent 60% of my time doing combinations of a) and b), and the other 40% on my knees in the machine room trying to coax computers into life.

When PC’s came long things got better. The “P” in “PC” stood for “Personal”: the Computer Department couldn’t tell you to stop using it because you  were slowing down their attempts to print pictures of naked ladies using a line printer.

 Ok, she’s not naked, but you get the idea.

You could use PC’s whenever you wanted with no interference from “IT” and with no pesky passwords. Then one day, someone in the  Computer Department looked up from his terminal, peered out from behind his beard and noticed that nobody except them was using their computer any more. Great news for some (more time to play) but bad news if you wanted to keep your job. So in a stroke of pure genius – they invented networking.

Unfortunately, because of the “P” in “PC”, everybody could do pretty much whatever they wanted to with their PC’s, and they did exactly that, which meant it wasn’t long before all the PC’s stopped working. This was made much worse by the complete absence of any backups. Of course, once you had broken your PC you were on your own. Imagine calling a professional mechanic after your attempts at dismantling your gearbox have failed.  Well, try taking your PC to the Computer Department when it fails to boot after some seemingly harmless editing of CONFIG.SYS. Imagine a pod of whales all simultaneously taking a very deep breath before plunging down into the Stygian  depths; that would be as the mere murmuring of a gentle summer breeze compared to the collective sharp intake of breath from the bearded ranks.

Anyway, back to the plot. Very cleverly they decided that they should join up all the PC’s together with string, and then they would be in charge of the string. Just for good measure they put a computer with lots of disks into the machine room (right where the VAX used to be), and said we could use their big disks instead of the tiny ones on our PC’s. They would even do the backups! I’m ashamed to say that we fell for it.  To use the disks you had to use the network, for which you had to have a password. They were back in charge; if they took their string or disks away you couldn’t play any more, and the space where the VAX used to be filled up with more and more file servers. Funnily enough, the servers then gradually got bigger and bigger until they took up all of the space  where the VAX used to be, and everybody was happy again. Most of us now had computers on our desks and as long as we were nice to IT, we could even use them every now and then.

Going from Bad to Worse – The Internet

As long as you didn’t need to venture further than the end of the Computer Department’s string, things still weren’t all that bad. DBase came along and you could use your PC (albeit no longer quite so personal) for databases, but not many of these required you to use passwords. Nobody kept anything important on PC’s anyway, so it didn’t really matter, and in order to use your PC someone had to first get into your office.

You may remember the days when a program was delivered as a set of 15 disks: 1 for the program itself, and another 14 for all of the printer drivers. What did you do when some enterprising company brought out yet another model of printer? In order to get a new printer driver you could either pay the manufacturer to post you a copy (probably with a compliments slip stapled through the disk), or you could use a bulletin board. Probably the biggest in the world back then was CompuServe. You could connect your 300 baud modem (I still have it in the garage, next to the tape deck) and dial in to their service, and from there you could do things like download updated device drivers and ask technical questions to people clever enough to answer them. Of course, in order to use CompuServe you had to have a username and password. Worse still, almost everyone that had something useful there also required a username and password.

We were on a slippery slope, the gradient of which rapidly sharpened with the arrival of Windows 3.1. At last ordinary people had a reason to use a computer – to play solitaire. Then Tim Berners-Lee invented “the Web” and the slippery slope turned into a death spiral (apparently it’s OK to mix metaphors on the web). Companies like CompuServe turned into ISP’s; browsers like Mosaic allowed us to surf rather than to type, and bulletin boards became forums (yes, that is the correct plural of forum). We didn’t need line printer drawings of naked ladies any more, we could get actual pictures of naked ladies!

Around about this time the people who built hardware and wrote software realised that they didn’t have to provide any manuals any more: they could just put them on the web. The people running call-centres realised that they could sack all of their staff and replace them with an on-line forum. I have to say that I’m a great fan of this trend. On a forum I can always find someone who really knows what they’re talking about, whereas the chaps on the phone only ever seemed to tell you to turn it off and back on again. The forum has replaced product documentation. If I get error “x800B0100” when installing Windows 7 Service Pack 1, I don’t reach for a manual, I reach for Google. The problem is that now I have a forum account for just about every software product that I use – and they all need a password.

So, we have arrived at a point at which the number of “medusa”s and “soonbesummer”s has multiplied out of control. Despite the Second Law of Thermodynamics, something must be done to reduce the chaos and restore some order. And so, like an intrepid explorer  I set out into the void to boldly go and change my passwords.

A Strategy

What I needed was a strategy, and perhaps things might have gone better had I come up with a strategy before I set of on my journey; but you can’t change the habits of a lifetime. The first thing that became obvious was that I would need more than one password. There are some passwords that we share within the company. Anyone at Integra, for  example, can use my account on the Infragistics forum to get technical advice, software patches etc. The worst thing that anyone can do with this account is to ask really dumb questions on the forum under my name and make people send me emails like “when you say that the text was blank do you mean that the output was a non-blank series of blanks, terminated with a blank, or was it just blank?”. That’s fine, I can live with that, but I don’t want to give these guys access to my bank account.

Then again, we also occasionally have to tell passwords to customers. We try hard not to, but sometimes you just can’t help yourself. It’s a bit like telling someone your home phone number: it goes against your principles but one day you really need to talk to someone and your mobile signal disappears so you call them from the land-line. They call 1471, find your number and that’s it, they’ll call you at home every time you don’t answer your mobile.

So, I’ll be needing three passwords: 1 for me, 1 that I can share with Integra and 1 that I can share with just about anyone else. Now all I need to do is to think of 3 random combinations of letters & numbers, with at least 1 upper-case and 1 punctuation character. On top of that it can’t contain more than 4 characters from my old password or some sites won’t allow it. Whatever I come up with has to be easy to remember and difficult to guess. Hmmm. I’ve used “medusa” for nearly 30 years, I can’t use the wife’s name again! I could use my kids’ names and birthdays, only I can’t remember them.  In the end I give up on logic and decide to look out of the window and choose the 1st 3 things that I see.

Where do I Start

Any adventure starts with the 1st step, and mine starts with the local, non-networked things closest to me. The thing that I use most is SQL-Server, and I have 2 laptops (one of which has 3 virtual machines, each of which has SQL 2000, 2005 & 2008. The other laptop only has 2000 and 2005), plus the server which fortunately only has SQL 2008. So that’s 12 “medusa”s gone. Now all I need to do is reconfigure every single product that I support which connects to SQL and change the client password. I reckon that’s another 5 gone at least. Changing the connection string in the configuration file for http://demo.e-quip.uk.net is probably the last.

The next step is to change my Window’s logins on all of these computers, so that’s 3 more gone, along with the administrator password on the server. So far at least 22 “medusa”s have bit the dust. Now I can start on networked stuff. The hardest of those is going to be email. BT has a strange approach to accessing services on line. They give you one username which you have to use for 2 purposes, 1) as your username to log on to the web site, and b) as your username to access your email. Not only is this inconvenient as you have to log in twice, but the web site insists that you have a punctuation character in your password, while the email system won’t allow punctuation. Of course, this isn’t documented anywhere and it takes a few wasted hours to discover that I’m going to need a 4th password.  Anyway, that’s a couple less “soonbesummer”s.

Right, now my email server has a new password, I’ll change to change my email clients accordingly. I only use Outlook on my Windows 7 laptop, so that’s one change, but I also use email on my phone, so that’s one more. Normally to configure your email you need to enter passwords to access the POP3 server (for incoming mail) and the SMTP server (for outgoing mail). Since my recent BT email “upgrade”, BT now use Microsoft Outlook 365 to provide their mail services. Unfortunately the Outlook 365 servers won’t allow me to send emails from graham@integra.uk.net, since I am clearly the only one of BT’s customers in the entire country that doesn’t want a @btconnect.com email address. They have created an additional account for me which allows this, but Outlook 365 clearly hasn’t been told about these features. So I have to used one account for Outlook 365 POP3 services, and a different BT server for SMTP. At least they now have the same password, even if I can’t remember both of the account names.

I forgot that my router also has a password which I need to change just so that I’m being consistent. The only problem there is remembering how to connect to it. I’m sure it’s 192.168.something or other. Fortunately a bit of Googling tells me that with Google Chrome I can just type in “router”, which is nice and simple. I must make a note of that somewhere. Where was I?  I mustn’t forget my KIndle. That has to connect to Amazon using my email address and password, so that has to change too. That reminds me, I sometimes use the Kindle reader on my wife’s i-Pad so I’ll need to change that too. So, server, laptops (real & virtual), phone, Kindle, i-Pad, I must almost be done; time to start looking at my on-line accounts.

The accounts that I use most often are:

1. Microsoft Passport, which covers almost all Microsoft sites

2. The Infragistics support forum

3. Our web domain management control panel

4. Our web hosting management control panel

5. Our blog control panel

6. Out ftp site

That’s 6 more “soonbesummer”s gone. As far as work goes, all I have left to do is change the passwords for the accounts that I don’t use very often. These include: a) Virtual Link (who we buy our icons from), b) Component Source (who we buy most of our non-Microsoft software from), c) Norton (for our firewalls & anti-virus software), d) WinZip, e) Crystal Reports support account, f) Adobe, g) Dell, and a few more that I rarely use and have completely forgotten the passwords for.

On the Home Straight!

That’s probably most of the work stuff out of the way, now for my Personal Accounts.  In no particular order of precedence we have: i-Tunes, e-Bay (I’ve got some great Meccano brass gears, if anyone’s interested), Google, Barclay Card, a couple of on-line store accounts, Holiday Inn, British Gas, E-on, Cambridge Water, BT (home phones, not email), and the list goes on.

There are some accounts that I will probably never ever be able to use again, even if I want to. Fortunately I have never really bought into the whole “so-shul-meeja” concept, so I don’t have to worry about Facebook or Twitter or tosh like Friends Re-united. The closest I got to this was the family history research site ancestry.co.uk (one less “soonbesummer” to worry about).

So, I think I’m nearly there, but today my wife asked me if I could check on the progress of the planning application to replace the old stable next to our house. I went to http://www.huntsdc.gov.uk/ and guess what I was confronted with?

You Couldn’t Make it Up!

So even though I think that I must have changed getting on for a hundred passwords on about 10 devices (virtual or otherwise),maybe I have a bit further to go.

One last thing: I use Microsoft OneNote to keep track of things like lists of passwords, and I have updated this with all of the new instances of my 3 new passwords. Naturally, it’s password protected. Those of you familiar with Bertrand Russell’s famous paradox will appreciate the irony of: