The recent discovery of two bombs hidden in computer printers sent from Yemen, and my earlier ramblings about passwords, got me thinking.
How likely was it that a Chicago synagogue would be expecting to receive a printer from Yemen where half the population are illiterate and most people are Muslims employed in agriculture?
I’m not suggesting that parcel companies make that kind of value judgement before accepting consignments. However, what if the sender were required to show in advance that the recipient was expecting the item? Some kind of authorisation barcode could be generated and fixed to the parcel.
Not foolproof of course, but better than the current situation where effectively anyone can send an unsolicited parcel to anyone else.
I recently watched the film Enigma about the British code-breaking operation at Bletchley Park.
I don’t pretend to understand the detail, but I gather that it was possible to break German secret codes using ‘cribs’ – fragments of information which provided a starting point in the search for a solution to the puzzle.
It occurred to me that this WWII struggle between the code makers and code breakers is relevant to the problem of password security in the 21st century – the age of the internet and identity theft.
Banks and other organisations have been quick to improve security by, for example, rejecting simple or obvious passwords such as ‘hello’, ‘1234’, ‘letmein’ or ‘password’.
Many go further than this by insisting on a password containing both uppercase and lowercase letters, and at least one numeral. This of course extends the number of possibilities beyond 26 per position and greatly increases the security of the chosen password. However – and this is where I might be revealing a glaring misunderstanding of probability and of code-breaking methods – this insistence is in itself a ‘crib’ which reduces security somewhat.
Let’s assume you have a machine which generates random passwords by drawing from the alphabet (uppercase and lowercase) and numerals 0-9. This might very well come up with passwords which do not comply with the bank’s rules, even though they are truly randomly generated. So the rules mean that the number of acceptable permutations is much less than the number of possible permutations, which must make the code-breaker’s task easier.
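To put a number on that argument, here is an added example (not part of the original post) that counts how many of the machine-generated passwords described above the bank’s rule would accept, assuming the alphabet is exactly the 62 symbols named in the post and the rule is “at least one uppercase letter, one lowercase letter and one digit”. The closed-form count is cross-checked by brute force for short lengths, and the last function expresses the reduction as the number of bits of guessing work the rule hands to the attacker.

```python
import itertools
import math
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
ALPHABET = UPPER + LOWER + DIGITS  # the 62 symbols the post's generator draws from


def is_compliant(pw) -> bool:
    """The bank's rule as stated in the post: one upper, one lower, one digit."""
    return (any(c in UPPER for c in pw)
            and any(c in LOWER for c in pw)
            and any(c in DIGITS for c in pw))


def compliant_count(n: int) -> int:
    """Number of length-n strings over the 62-symbol alphabet that pass the rule.

    Inclusion-exclusion: start from all 62**n strings, subtract those missing a
    whole class (36**n lack uppercase, 36**n lack lowercase, 52**n lack a digit),
    then add back those missing two classes, which were subtracted twice
    (26**n are upper-only, 26**n are lower-only, 10**n are digits-only).
    A string missing all three classes is impossible, so nothing is subtracted for it.
    """
    total = 62 ** n
    missing_one_class = 36 ** n + 36 ** n + 52 ** n
    missing_two_classes = 26 ** n + 26 ** n + 10 ** n
    return total - missing_one_class + missing_two_classes


def brute_force_count(n: int) -> int:
    """Direct enumeration of every length-n string; only feasible for small n."""
    return sum(1 for t in itertools.product(ALPHABET, repeat=n) if is_compliant(t))


def compliant_fraction(n: int) -> float:
    """Share of truly random length-n passwords the rule would accept."""
    return compliant_count(n) / 62 ** n


def bits_lost(n: int) -> float:
    """Guessing work (in bits) an attacker saves by knowing the rule: log2(total / accepted)."""
    return math.log2(62 ** n / compliant_count(n))


if __name__ == "__main__":
    for n in range(6, 13):
        print(f"length {n:2d}: {compliant_fraction(n):.3f} of random passwords comply, "
              f"attacker saves {bits_lost(n):.2f} bits")
```

For eight-character passwords roughly 73% of random strings already comply, so the rule costs under half a bit of search space; the main loss happens at short lengths, where the rule excludes most random strings.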
I would have thought it much better to insist on machine-generated passwords and allow them all, rather than human generated ones which conform to published rules?