280 The password ploy

We have been fooled too long into thinking that it is up to us, innocent ICT customers, to safeguard our own privacy and money from cyberthieves. We are not equipped to do this, and those who should be protecting us saddle us with demands that are impossible to fulfill.

With the best of intentions, the Dutch consumer magazine Consumentengids published a tip to computer users in its June issue about how to compose passwords. Paraphrased: Think up a sentence such as “Even this password is very hard for me to remember.” The first letters give you the word etpivhfmtr. This is not good enough, the magazine says: the Microsoft service that judges the level of protection offered by passwords grades this one Weak. To improve on it, replace the i with an exclamation mark and capitalize every second letter, so you get EtP!HfMtR. This bumps you up two notches to Strong. Needless to say, you should use a different password for every service you access and change passwords regularly.

Forgive them, reader, for they know not what they do. They are not the only ones who have allowed themselves to be maneuvered into thinking it normal that online security is dependent on the unfailing success of innocent end users in outrunning professional cyberthieves equipped with heavy code crackers, keystroke readers and immensely powerful virtual computer networks. The very idea that a nonsense 10-letter password like etpivhfmtr, one of 141,167,095,653,376 permutations of 26 things (the letters of the alphabet) taken 10 at a time with repetitions allowed, is considered unsafe by Microsoft, shows us what we’re up against.

Passwords. My bank and investing accounts, credit cards, online pay services and stamp printer, to begin with the hard cash services, require some twenty passwords or PIN codes. Then there are my telephone codes, webmail and website access codes, the entry codes to my accounts with libraries, newspapers and media, booksellers, retail chains, airlines, photo services, the password for starting my computer itself – you have them too, reader, you know what I’m talking about. I just counted mine – another 30, bringing the total up to about 50. If I were to change them each quarter (for weak passwords like etpivhfmtr Microsoft advises a change every week), this would mean devising and remembering 200 different passwords a year. In an era when attention spans are diminishing across the board, we are being challenged to develop the skills of a memory artist just to get through a digital day.

The Consumentengids/Microsoft advice is technically misleading as well. It is not I who determines what an acceptable password is. Some services fix a minimum or maximum number of characters, some take only capitals or only lower case, some reject anything except letters of the alphabet or numerals, others won’t admit a password without a non-alpha character. So that friendly-sounding mnemonic business of a sentence that relates to the site you are accessing only complicates matters, requiring you to remember for each site whether or not it takes a sentence collapser. Moreover, you might think that “Even this password is very hard for me to remember” is easy to recall, but it’s also easy to get wrong in those little details that will get your bank pass swallowed at the beginning of some long holiday weekend by an ATM machine in Goa.

That I could tell you I have 50 passwords is not because I have constructed a memory palace through which I can wander in my mind to count and read them all. That is apparently what Microsoft thinks I should be doing. No, I can count them because I have installed them on a personal page in one of my Internet bank accounts, thinking that this was safer than a file on my own computer or items in my electronic address book or a hand-written list in my wallet. Is it? I haven’t the least idea.

It took that free advice from the consumer guide to jolt me into realizing that all of this is deeply wrong. Responsibility for safeguarding bank balances, a responsibility that used to be in the care of armed guards, has gradually been transferred to us, without the means to acquit it. Do you really think that executing mental gymnastics like the above will protect you from computer criminals who are always a step ahead of the security branch itself? It won’t. Microsoft knows it too, of course; the entire business of creating “strong” passwords – see http://www.microsoft.com/protect/yourself/password/create.mspx – is a red herring, a sleazy trick to make us feel that if we are robbed because of holes in their security it was our own fault.

That Microsoft should mislead us in this way is understandable. The entire ICT universe depends on our unwarranted confidence in its safety. But there is no reason for a consumer organization to go along with this scam. Isn’t it time for organizations like the Consumentenbond to fight to free us from this cross of passwords?

© Gary Schwartz 2007. Published on the Schwartzlist on 16 June 2007. Not published in any other form.

Now that I am not required by the newspaper I was writing for to limit my subject matter to art and culture, I notice that there are some other things I need to get off my chest.

Crocker Sheldon Tapestry, ca. 1580-90

Every spring I get two tickets for the opening of the Grosvenor House Art and Antiques Fair from the London dealer Johnny van Haeften. I have never been able to attend. But this year, in celebration of my birthday and to take an advance on the golden-years freedom that has so far evaded me, I took Loekie off to London for two days for the opening and for a heavy immersion in art and museums. The Grosvenor House Fair is not at all as grand as the TEFAF (The European Fine Arts Fair), the only event of the kind we ever go to. The TEFAF has museum airs; the dealers behave like curators explaining the finer points of their displays. Grosvenor House is closer to the bazaar. There is more tension in the air, every step you take in the cramped space feels like a move in a negotiation. The most exceptional thing we saw was a large 16th-century Sheldon tapestry with a hunting scene, in which the hunting lodge was based on a German print of the Temple in Jerusalem. Hope it gets into a UK museum, where we can see it again. [6 July 2007: The Art Newspaper, July-August 2007, p. 50, reports that the tapestry did not sell at approx. one million pounds.]

Tran Trung Tin, Hanoi 73
Private collection
[image no longer available; 25 April 2019]

In Asia House on New Cavendish Street we were able to see more work by a Vietnamese artist we greatly admire, Tran Trung Tin. It is his first solo exhibition in Britain, curated by Sherry Buchanan and Katriana Hazell and called No more war! Vietnam’s optimistic tragedy.

In the gallery in Hanoi where we first discovered him last October, Tin was sharing an exhibition with the Dutch artist Rienke Enghardt. (See Schwartzlist 267: Predestination Hanoi.) Our meeting with her there has had further consequences. Enghardt works in complex collaborative projects for which she needs outside help. She has put together a foundation for this purpose, called Hope Box. I have accepted her invitation to become chairman of the board of Hope Box, of which you will be hearing more later.