How Paris Got Hacked (or Why I Sometimes Disagree on Internet Security Issues)

Some of you may remeber this old case about Paris Hilton and how she got hacked couple of years ago (link to article), main reason being the “secret question” (asked when one forgets one’s password) about favourite pet’s name. Well, in Paris’ case dog’s name (I don’t care what it is – google yourself;)) was publicly known.
After that?
I don’t have to draw a picture, do I?

Why this blabbering?

Dear old University of mine issued some new password policies. The new regulations require that users’ passwords must be at least 10 characters long and have to be changed every 9 months. Ok, jolly good.

9 months is not that often, I’ll give you that. I can live with it.

10 characters? Yes, ok. That’s fine, too. Fine with the usual “has to contain this and that and that”, too. Also fine with the complexity requirements (these I understand quite well!).

But, all put together I’m now in a situation where I can’t log in to my account, at all.
Why not?
Because I can’t freaking remember the password! I remeber in my opinion quite well. Type it, doesn’t work. Retype all the 12 chars, nothing. Type them in another form. Nothing.

Great. All the time this login form resets my user name, have to a) retype it every time or b) copy and paste it every time.

Anyway. Try some other forms I use. Nothing.

How do I get my password set again? (have absolutely do idea what the exact form I typed it was).

Take the bus to my university (when it’s open, 0,5 hours ride). Go to help desk, try to find the right person. Show my student id card with the awful picture on it. Type in the password. Retype it. Try to remember it a bit better this time. Take the bus back (0,5 hours ride).

Yep, that’s secure.

Time spent? About 2 hours. The state of “vitutus“? Maximum.

Anyway.

Security is perhaps the major issue as even more traditional services are being transferred to internet. Main issue is, I think,  identifying the user – with which mechanism can we be sure the person is really the person he/she claims to be?

Usernames and passwords, yes. Works quite well. Only problem is that people tend to forget things. Complex and long enough passwords are not that easy to remember. So what do we do? Write them down! Hey, that’s brilliant! Everything solved. What about the physical security? Someone coming to your desk, in real life? Oh well, in reality this is perhaps not that major a risk, but anyway…

What makes things more complicated is the fact that every website, desktop program or whatever wants you to log in. And the login is made with a pair of user name and password.

Now, for obvious reasons one shouldn’t use the same password and user name in every service. That multiplies the number of passwords to remember by the number of services – or by little less if one cheats. Anyway, one reason for not using the same password in every place was seen last year here in Finland. Almost 80000 password/user name -pairs were hacked (posting about the topic). Not a big deal – except for the fact that people use same passwords in various services.

Yeah, stricter password policies at my Uni can be traced to that case, too.

What was the point? Can’t remember it anymore as I try to remeber all my passwords.
In particular the password for my Uni.