Monthly Archives: June 2012

Picking Better Passwords

by: Robert Wagner, intellectual property attorney at Picadio Sneath Miller & Norton, P.C.

With the news that millions of LinkedIn passwords were compromised last week, we should all reconsider what passwords we are using and whether they are secure enough for our needs. As with most security issues, there is always a balance between having a password that is easy enough for you to remember but too difficult for someone else to guess. This article discusses some strategies and tips for creating and managing stronger passwords.

What Is a Bad Password?

Not all passwords are equal, and there are many that should simply be avoided for most applications. It goes without saying that “password” and “12345” are terrible passwords. A good list of these “bad” passwords can be found here. In general, though, a bad password is one that is:

  • short (less than 8 characters)
  • a single word (in any language) that can be found in a dictionary
  • something that is readily identified with you (e.g., your name or your spouse’s, children’s, or parents’ name; the street you live on or the city you live in, etc.)
  • a variation on your login or username
  • adjacent letters or numbers (e.g., qwerty, 12345, abcde, etc.)

Looking through lists of bad passwords can be very enlightening and can give you some ideas of passwords to avoid.
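The checklist above can be turned into a simple automated check. The following is an added example, not part of the original article; the tiny word list, the four-character run length, and the function names are assumptions, and a real check would load a full dictionary and bad-password list.

```python
import re

# Constructed stand-in for a real dictionary / bad-password list (assumption).
SAMPLE_WORDS = {"password", "dragon", "monkey", "sunshine", "football"}
# Alphabet, digits and keyboard rows used to spot "adjacent" characters.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "01234567890",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def has_adjacent_run(pw, run_len=4):
    """True if pw contains run_len adjacent characters, forward or reversed."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run_len] in low for i in range(len(s) - run_len + 1)):
                return True
    return False

def squeeze(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def bad_password_reasons(pw, username="", personal=()):
    """Return which of the article's 'bad password' criteria pw meets."""
    reasons = []
    flat = squeeze(pw)
    if len(pw) < 8:
        reasons.append("short")
    if pw.lower() in SAMPLE_WORDS:
        reasons.append("single dictionary word")
    tokens = [squeeze(p) for p in personal]
    if any(len(t) >= 3 and t in flat for t in tokens):
        reasons.append("personal information")
    user = squeeze(username)
    if user and (user in flat or user[::-1] in flat):
        reasons.append("variation on username")
    if has_adjacent_run(pw):
        reasons.append("adjacent letters or numbers")
    return reasons

if __name__ == "__main__":
    # Constructed sample inputs; the last two are the article's own examples.
    for pw in ["12345", "password", "jsmith2012", "fruit25lawnmower#%", "Tb0ntb,t1tq"]:
        print(pw, bad_password_reasons(pw, username="jsmith", personal=["Elm Street"]))
```

An empty result only means none of these five criteria matched; it is not a measure of strength.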

What Is a Good Password?

Now that we know what types of passwords are not great, what types of passwords are better? A good password likely will have many of the following characteristics:

  • longer than 8 characters (generally, the longer the better)
  • have a mix of upper and lowercase letters, numbers, and symbols
  • be unrelated to any readily identifiable information about you

Again, there is always a balance between ease of use (i.e., something you can remember) and the strength of the password. A long string of random letters, numbers, and symbols is potentially very secure, but is, counterintuitively, not likely to be a good password if you can’t remember it. If you have to write down your password on a piece of paper in order to use it, your password is only as good as the security you have in place to protect that piece of paper.

Thankfully, there are a number of techniques you can use to create stronger passwords that you can remember. One of the most common is to use the first letters of a phrase. For example, if you choose the phrase “To be or not to be, that is the question,” the password would become “Tbontb,titq”. That seemingly random set of letters and symbols would not be susceptible to a dictionary attack (in which the attacker simply tries all the words in the dictionary), but would still be easily remembered. [For the record, this is such a common phrase, that it is likely a bad password. Choose a more obscure sentence or phrase to use, instead.] We could make this password stronger by changing some of the letters to numbers. For example, the “o” could become a zero and the “i” could become a one—so, the password would be “Tb0ntb,t1tq”.

Another common technique is to use unrelated words separated by numbers or symbols. The key to this approach is taking advantage of the strength of longer passwords while introducing numbers and symbols to avoid dictionary attacks. For example, you could use “fruit25lawnmower#%”. For added strength, you could capitalize some of the letters and change some to numbers—“fRU1t25LawnM0wer#%”.

This is an interesting website where you can enter passwords, and it will assess their relative strengths. As always, you should be cautious about entering any passwords you actually use or intend to use. You can, however, enter similar passwords and begin to get a sense of what makes a stronger or weaker password.

More Dos and Don’ts

Now that we have talked about good and bad passwords, there are a few other points you should consider in managing your passwords.

The strength of your password should reflect the importance of that account to you (or your employer). Very important accounts, like your bank account, should be given the strongest password you can reasonably remember that is different from any other passwords you use. You should also consider regularly changing it in case it becomes compromised without your knowledge.

E-mail accounts should be considered important accounts and given stronger passwords. There can be a real danger if someone gains access to your e-mail account. For example, once you know someone’s username, many websites will allow you to reset the password by sending an e-mail to the registered address. If an attacker gains control of your e-mail, he or she can then reset the password to your bank account (or any other account).

Ideally, you should have a different password for every account or website. That way, if one password is compromised, it won’t compromise your others. Unfortunately, it can be difficult to remember which password you used with which account. To help with this problem, you should consider using a password management program that stores all of your passwords in one location (and is often designed to easily enter those passwords into website forms). These programs then use one master password to unlock all of your passwords. They can be very convenient and useful programs because they allow you to keep track of all of your passwords in a secure way. But, you are putting all your eggs in one basket, so the master password you choose should be strong and access to the program limited.

Finally, don’t write your passwords down on post-it notes on your computer monitor or in other easy-to-find places. If your password is too hard to remember, think about creating a different one that you can remember. On the other hand, it can make good sense to keep your passwords written down in a secure location in case you forget them, especially if the account provides no way to reset the password. Ideally, you should keep them in a locked location, though.

Parting Thoughts

Having a good password requires some discipline and can be inconvenient at times. However, it can be far more inconvenient to have your account hacked and your money or information stolen. Taking a little time now to really think about how to create and manage your passwords can save you a lot of hassle in the future.

Western District of Pennsylvania Adds Two New Designated Patent Judges

by: Robert Wagner, intellectual property attorney at Picadio Sneath Miller & Norton, P.C.

As reported earlier, the United States District Court for the Western District of Pennsylvania was chosen to be one of 14 District Courts nationwide to participate in a 10-year Patent Pilot Program to study the effects of providing specialized patent judges on patent litigation. On October 12, 2011, the Court issued an order setting forth the procedures it will use in implementing this program. Among other things, the Court identified four judges who are designated as the official Designated Patent Judges for the Court:

Under the Court’s guidelines, patent cases are still randomly assigned to all Judges in the District, regardless of whether they are Designated Patent Judges. However, a non-Designated Patent Judge has the option of declining the case. If he or she does so, the case will be randomly reassigned to one of the Designated Patent Judges.

Since the Court’s implementing order, it has added two new Designated Patent Judges:

The Court has created a special Patent Pilot Program page on its website, which has a variety of information about the program, including the Court’s Local Patent Rules.

Rogers v. Tristar Products–Federal Circuit Dismisses Pending Patent False Marking Appeal

by: Robert Wagner, intellectual property attorney at Picadio Sneath Miller & Norton, P.C.

When President Obama signed the Leahy-Smith America Invents Act, H.R. 1249, 112th Cong. (1st Sess. 2011), the patent false marking claims that had become so popular were essentially eliminated. Whereas before anyone could bring such a claim, regardless of whether they had actually suffered any injury, now only those who have “suffered a competitive injury” as a result of a violation of the marking statute have standing to sue. (See 35 U.S.C. § 292). The America Invents Act not only prohibits persons who have not suffered a competitive injury from suing in the future, it also divests plaintiffs in pending false marking cases of standing to continue pursuing those claims.

In Rogers v. Tristar Products, Inc., 2011-1494, -1495, the Federal Circuit had to decide if that divestment included cases on appeal, as well as cases currently pending in district courts. After considering the clear language in the newly amended 35 U.S.C. § 292—“The amendments made by this subsection shall apply to all cases, without exception, that are pending on, or commenced on or after, the date of the enactment of this Act”—the Federal Circuit determined that all cases must be dismissed, regardless of where they were pending or what procedural posture they may be in, unless the plaintiff could demonstrate that it had suffered a competitive injury.

The Federal Circuit rejected plaintiff’s assertion that he had a property right in maintaining such a claim or that the retroactive elimination of his claim violated the Due Process Clause. The Court found that Congress had a legitimate justification for eliminating these types of claims and rationally made the requirements retroactive.

The America Invents Act has effectively eliminated the nascent cottage industry of individuals suing companies for leaving expired patent numbers on their products. Companies no longer need to fear that they will be sued in such circumstances by individuals who likely have never used the products in question. Despite this, companies still need to be concerned about monitoring their products to make sure that they are appropriately marked. In the high stakes of patent litigation, defendants are still likely to look at whether they can bring false marking counterclaims if they are sued. As a competitor, it will be far easier (although by no means certain) to establish a competitive injury.