17.2 Preventing Unauthorized Access

One of the most obvious security issues from the user’s perspective is keeping other people from accessing your accounts and information. When you log into a website, for example, providing a username and password, you are performing user authentication. That is, you are convincing the software system that you are who you say you are.

In the website example, the username and password make up the authentication credentials, the information provided by the user to identify themselves. There are three general types of authentication credentials. The first, and most common, is based on something that the user knows, such as a username and password, a personal identification number (PIN), or a combination of these items.

The second type is based on something that the user has, such as an identification card with a magnetic strip or a smart card that contains an embedded memory chip. This approach is more complex to administer, and often requires special hardware, but is generally considered more secure than the first.

The third type of authentication credentials is based on biometrics, which are related to what a person is physiologically. Examples of biometrics include the analysis of fingerprints, retina pattern, or voice pattern. This approach is the most expensive to implement, although the process of fingerprint analysis has dropped significantly in cost in recent years. Biometric analysis must deal with the problems of false rejection (rejecting an authorized individual) and false acceptance (accepting an unauthorized individual).

No matter which mechanism is used, if the process of user authentication is compromised, and someone who is not you gets access to your account as if they are you, then they might shut you out of your own account by changing the password. They might send messages and post information in your name. They might access information about you that you recorded, thinking you would be the only person to see it. Obviously, preventing unauthorized access is high on the list of security issues that you must take seriously.

In many cases, such as logging in to a particular website, the use of a username/password combination is the only practical approach to user authentication, which makes password security paramount. Let’s look at some issues related to passwords.

Passwords

The username associated with an account is often not kept secret. Some systems allow you to make up your own username, whereas others make you use a specific identifier such as an email address. The idea is that an email address is generally specific to a particular person, and therefore can be associated uniquely with a particular account on their system. If a software system allows you to make up your own username, it checks the username against all currently used usernames in the system and, if someone has already claimed the one you want, forces you to pick another.

So while each username in a system is unique, the username itself does not provide any assurance of security. It’s the combination of the username with a particular password that results in some confidence that you are who you say you are.

A password, of course, is a string of characters that supposedly only you, as the user of a particular account, know. Once the system verifies that the username you provide is valid and that the password you provide is associated with that username, then you are given the rights that only you should have as the “owner” of that account.

Password-based security mostly comes down to keeping your password out of other people’s hands. You want to make sure no one can discover your password, such as finding it written down somewhere. You don’t want to ever give a password to anyone, even someone you trust. And you want to make sure that no one can guess what your password is.

Here is a list of guidelines regarding password management:

  • Create a password that is easy for you to remember but difficult for other people to guess.

  • Don’t use a simple password, especially one that relates to you personally, like your dog’s name.

  • Don’t write down a password anywhere that other people can access.

  • Use a combination of characters in the password, including both upper- and lowercase letters, digits, and special characters.

  • Don’t stay logged into an account and then walk away from your computer.

  • Don’t ever tell anyone your password. There should never be a valid reason for you to do so.

  • Don’t send your password in an email. Most email is sent “in the clear” with no encryption and could be easily intercepted.

  • Don’t use the same password for all of your online accounts. If one is compromised, then they all could be.

The first guideline in that list is key, and somewhat confounding. For convenience, you want to be able to remember your password easily, but if it is easy for you to remember, it might be easy for someone else (or a computer program) to guess unless you put some thought into it.

Simple words, or a simple combination of words, don’t make a good password, especially if they have a direct connection to you. The password yahtzee might be easy for you to remember because it’s your favorite game, but someone who knows you might try it. It would be nice to believe someone you know and trust would not try to access your account, but such assumptions are completely contrary to the concept of security and don’t always match up with reality.

Even if you pick a word that doesn’t relate to you personally, some computer programs are designed to break into your system by repeatedly trying different passwords using dictionaries with thousands of words. Your password should not resemble anything that looks like a word or phrase in English, or any other language that humans speak.

With that in mind, many software systems will insist that you create a password that has certain characteristics that make it more challenging to guess. These characteristics are called the password criteria. If your potential password does not meet the criteria, it is rejected until you enter one that does. A typical set of criteria for password creation might be:

  • The password must be six characters or longer.

  • It must contain at least one uppercase and one lowercase letter.

  • It must contain at least one digit.

  • It must contain at least one special character, such as ! or %.

The following table contains examples of passwords at varying levels of security:

Password            Security Level
rollingrock         Poor
RollingRock         Slightly better
Rolling_Rock_63     Better
Ro11ing%ROCK!%63    Much better
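
The typical criteria listed above, applied to the four passwords in the table, together with the dictionary concern raised earlier. This is an added example, not code from the original text; the function names and the tiny word list are constructed for illustration, and treating any non-alphanumeric character (including the underscore) as "special" is an assumption.

```python
import re

# The four criteria from the text, each as (description, test function).
CRITERIA = [
    ("six characters or longer", lambda p: len(p) >= 6),
    ("an uppercase and a lowercase letter",
     lambda p: bool(re.search(r"[A-Z]", p)) and bool(re.search(r"[a-z]", p))),
    ("at least one digit", lambda p: bool(re.search(r"[0-9]", p))),
    # Assumption: anything that is not a letter or digit counts as special.
    ("at least one special character",
     lambda p: bool(re.search(r"[^A-Za-z0-9]", p))),
]

# Constructed sample word list; a real check would load a large dictionary.
WORDS = {"rolling", "rock", "yahtzee", "password"}


def failed_criteria(password):
    """Return the descriptions of the criteria the password does not meet."""
    return [name for name, test in CRITERIA if not test(password)]


def is_dictionary_based(password, words=WORDS):
    """True if the password, ignoring case, is dictionary words run together."""
    text = password.lower()
    # reachable[i] is True when text[:i] splits entirely into dictionary words.
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in words
            for start in range(end)
        )
    return len(text) > 0 and reachable[-1]


def evaluate(password):
    """Summarize both checks for one candidate password."""
    failures = failed_criteria(password)
    return {
        "meets_criteria": not failures,
        "failed": failures,
        "dictionary_based": is_dictionary_based(password),
    }


if __name__ == "__main__":
    for candidate in ["rollingrock", "RollingRock",
                      "Rolling_Rock_63", "Ro11ing%ROCK!%63"]:
        print(candidate, evaluate(candidate))
```

Both Rolling_Rock_63 and Ro11ing%ROCK!%63 meet every criterion, so the criteria alone do not distinguish the "Better" and "Much better" rows of the table.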

You might not think that a password like Ro11ing%ROCK!%63 would be easy to remember, but it is if you use particular techniques to come up with it. For example, if you always replace the letter l with the number 1, and put second words in all caps, and separate words with the % character, then something you can easily remember gets mapped to a seemingly incomprehensible string of characters. The individual steps for creating it are not something someone would typically guess, but you’ll have a fairly straightforward way of recalling it when needed.

And while you should not get in the habit of writing down your passwords, either on paper or electronically, if you have a large number of accounts to keep track of, some external support may be warranted. There are software programs, such as 1Password and RoboForm, whose purpose is to keep track of your authentication information in a secure manner. These programs are referred to as password management software, although they often also help store and manage other information, such as credit card numbers and PINs. Information stored in password management software is encrypted and guarded by a master password. Many of these programs provide plug-ins to your web browser that let you access your information in a secure way without ever having to type in the password at all. Such programs should be evaluated and used with care, but they may provide a good solution for keeping track of security information for the active user.

CAPTCHA

Although username and password verification is used for the vast majority of software systems, other authentication techniques do come into play. These range from seemingly insignificant situations, such as posting a comment on a blog, to high-security systems that use multiple levels of authorization.

CAPTCHA, for instance, is a system used to ensure that the information provided through a web form has been filled in by a person as opposed to a computer program. For example, some blogging software will employ CAPTCHA before a user submits a comment to prevent a malicious program from posting comments containing spam or other inappropriate material. In this case, the authorization process is not used to determine which specific human is participating, but simply that the participant IS a human.

CAPTCHA software is designed to present a problem easy enough for all humans to solve but difficult for an automated program to complete. The name CAPTCHA is a play on the word “capture,” and is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.”

Most modern CAPTCHA techniques involve presenting the user with an image of a word, phrase, or string of characters and then asking the user to type them in. The image of the word is theoretically easy to decipher by a human but distorted in various ways to make it difficult for a program to “read” the word. FIGURE 17.3 shows an example of a CAPTCHA image.

A figure depicts the CAPTCHA form verification that displays two words “Levelers and critics” at the top and a box for typing the two words at the bottom left and reCAPTCHA icon that reads, stop spam and read books at the bottom right.

FIGURE 17.3 A CAPTCHA form verification

Courtesy of Google

If the user enters the word or phrase that matches the CAPTCHA image, then the form content is accepted; if not, it is rejected. Sometimes CAPTCHA images are hard even for a human to read, so most systems will provide an alternative image if needed.

A website developer can get CAPTCHA plug-ins from various places. The version pictured in Figure 17.3 is from the reCAPTCHA project, which, in addition to providing the standard CAPTCHA service, is designed to help digitize books. Instead of presenting random words, the reCAPTCHA system presents words that an optical character reader had difficulty deciphering. When the user types in the words (using human perceptual abilities), that information is also passed along to the digitizing organization. The reCAPTCHA system reportedly displays more than 100 million forms per day.

Fingerprint Analysis

As discussed earlier, other techniques for user authentication include state-of-the-art techniques such as fingerprint analysis. Fingerprints, of course, are used to verify the identity of a particular person. Fingerprint analysis is considered a much stronger level of verification than username and password because it relies not only on information the user provides, but also on inherent characteristics of the user himself or herself.

Fingerprint analysis requires the use of a scanner to read the fingerprint, as well as software to compare it to the fingerprint stored in the computer of the authorized user. This approach has dropped in cost so much over recent years that it is becoming much more popular.

Some modern laptop computers have fingerprint scanner hardware incorporated into the computer itself, often near the trackpad. Users verify themselves by passing their finger over the scanner before any access is granted. For other systems, the scanner is a small but separate peripheral device connected to a computer via a USB port. FIGURE 17.4 shows a fingerprint-scanning peripheral.

A photograph of a fingerprint scanner.

FIGURE 17.4 A fingerprint scanner

© LongHa2006/Getty Images

Newer versions of the Apple iPhone incorporate Touch ID, Apple’s own fingerprint recognition technology. Touch ID is built into the Home button of the phone. You can unlock your phone simply by placing your finger gently on the button—you don’t have to type in your passcode. The Touch ID system occasionally has problems recognizing users, but most issues can be avoided by keeping the scanner clean and making sure the initial scan of the fingerprint is done carefully, using multiple scans with different finger orientations.
