During those years that I was forced to attend middle school and high school, I chanced to hang out with a bunch of kids who were much smarter than me (er, smarter than I?) who introduced me to, among other things, the world of computers. I'll always recall fondly how one of my teachers had talked about how it was impossible to break the password scheme of our UNIX system at school, which promptly led a schoolmate and me to break the password scheme before we left for home that day, leaving a note to that effect in that teacher's .login file. (Last I checked, that schoolmate of mine became a sys admin for the computer network at SUNY Buffalo, or something like that.)

Other friends introduced me to the ins and outs of breaking software copy protection, and one even had the audacity to (gasp!) open up his computer and show me how to mess around with the hardware. These friends, likewise, went on to do great (legal) work in software engineering. At least one has already repaired to a life of semi-retirement following a cash-out before the dot com bust a few years ago.

In college, I likewise hung out with smarter-than-me friends (smarter-than-I friends?) who shared lock-picking techniques and showed me what's behind those "authorized personnel only" doors in the basements of those hallowed halls. One of these friends is now living under an assumed name in California, having married a school teacher and raising a kid without the benefits of early retirement.

As a personal hobby, I've also enjoyed studying how magic tricks and other acts of misdirection are performed. The principles are very similar to electronic and physical lock picking.

I'm such a square that I very rarely employ any of these tricks that I've learned over the years -- heck, I even pay for the songs I download -- but I'm always fascinated to learn how such tricks are done.

One of the foremost principles of computer password breaking, lock picking, and magic is these: whenever you can identify it, go for the weakest link in the chain. This sounds like common sense, but we are so easily trained to think of things and see things in a given way that we often never even consciously realize that there's an entire forest of possibility surrounding the trees we're focused on. We lock our convertibles while leaving the rooftops down. Go figure.

Pay attention. I'm actually going to say something that matters:

If you have an AOL account, a blog, or if you use Paypal or online banking, your password is pretty secure, right? Sure, it is. I'm not even being facetious. You know not to use "password" or "12345678" as your password, right? But a person who wants to break into your electronic identity doesn't necessarily have to go for your password. Why jimmy the locks if the convertible top is down?

If someone wants to get at your online identity, your weakest link (and therefore your greatest vulnerability) is probably your security question.

Many online data warehouses will, if you "forgot your password", simply e-mail your password or a password-reset link to your e-mail address. As long as you have reasonably good control over your e-mail address, that's fine. But many online data warehouses will, instead, ask a security question (possibly even one that you have picked). Upon successfully answering the question, *anyone* can be given complete access to *your* online identity.

This is particularly problematic for AOL and the major blog networks, where the user ID is already public. If Johnny Badguy wants to hijack your blog on BlogJournal, and he knows (isn't it always a 'he'?) that your blog belongs to "Victim-American", then he already knows the login ID to use. When asked the security question, well... all he has to do is look it up on the web, no?

It's like this: Johnny Badguy types in your login ID and clicks on "I forgot my password." He is then asked, "What year did you graduate college?" He then searches your blog (or elsewhere on the internet, as appropriate) for any references to your age, deduces what year you probably graduated, and then he's in. "What's your mother's maiden name?" He looks for any references you may have made to your grandparents. "Where were you born?" Again, not usually all that hard to find the clues necessary to come up with the answer.

I've been meaning for some time now to post an essay about an old car I owned, but I know I used that as a security question/answer for something, and until I track down what it was, I'm reticent to share that info online!

What's worse is if you're now under threat or potential threat by someone who knows you well. As I mentioned in a previous essay, friends of mine are getting divorced and it occurred to me: their soon-to-be-ex-spouses know the correct answers to all of those security questions! It's not enough for you to change your password! Your future Ex can still get in!

How do you close this gaping hole in your security blanket?

Make the answers to your security question something that is not obviously the correct answer. For example, "What city were you born in?" Your new answer could be, "42". Heck, you could make "42" the answer to "What's your mother's maiden name" and every other security question, as well. Unless, of course, it's generally known that you're a fan of Douglas Adams, in which case: choose something else.

My answer to every question is, of course, "That's what she said!"

I'm reticent to post this kind of information on a public forum, for fear of giving Johnny Badguy an idea that hasn't already occurred to him. But in addition to my above-mentioned friends who may be at risk, I've also recently had a good friend have his blog hijacked (I don't know if Johnny Badguy used the same technique in that case), and another colleague have her well-known-online-service screen name stolen (and this is exactly the technique that was used).

So, there. You've been warned. Update the answer to your security questions to something like, "Allan is the best."

[That's what she said!]