

As to risks associated with weak passwords (PINs) in the public library, I've found more at this web site than anywhere else. I could not have guessed that the Library Elf and RSS discoveries, which are new and surprising to me, would have brought forward concerns about weak library account passwords.

I don't weigh the issue of liberty-ensuring privacy and the issue of personal safety against each other on an importance scale. To me, both are vital; however, persons who belittle the former might, I hope, understand the latter.

In the library context particularly, I'd rather feel no need to think like the hypothetical perpetrator of harm against a library account user. But we need to do it.

As described in posts and comments to this web site, one's account number might be obtained in a few ways within the physical library, electronically or otherwise. The account number might be read, inside or outside the physical library, from the library card or from a receipt or other paper item given at the circulation desk. A mailed notice might contain the account number. An acquaintance or former intimate, one of which a stalker is likely to be, may have or have had access to the library card or the paper items stating the account number.

Once in possession of the targeted person's library account number but without the PIN password, the stalker can begin cracking. A PIN composed of four numeric characters is one of only ten thousand possible numbers. Birth date, street address number, and telephone number are likely sources from which the PIN may be composed. Even without those clues, certain parts of the numeric range are more likely to contain the password; for example, many of us recall few historic dates outside of 1776 through 2006. Moreover, if the stalker is hasty, he may resort to password-cracking software.

The obsessive, perhaps jealous or resentful stalker might find very interesting the library materials selected for reading, viewing, or listening. A selection might concern, say, building a loving relationship (when the stalker knows that he is not the loved one), or divorce, or child custody, or disease.

Should the stalker wish to draw near to the targeted person, due dates are dates of likely visits to a particular library campus. Dates when requested materials are ready for pick-up are at least as likely to be dates of library visits by the targeted person. If the account does not state whether a requested item is ready for pick-up, that fact might be ascertained through social engineering, calling and pretending to be a spouse, relative, or close friend.

Safety vulnerabilities resulting from weak passwords need to be taken seriously by more public librarians, public library administrators, and public library boards of trustees.

Indirect harm may result from a lesson implied by requiring or requesting creation of a weak password. The public library PIN password is the first password that many persons create. If a weak password is good enough the first time, and no obvious harm results, will there ever in life be any need for a strong password?

The SIRSI automation of our public library system allows a password (termed PIN) to comprise up to ten characters; in the preceding DRA system the requirement was four numeric characters, or so we were told. Applicants are still told that the library system would like you to compose a PIN of four numeric characters, despite the option (stated, unbeknownst to many, in the library system's web site) to use up to ten characters.

The behavior described above occurs in a large, award-winning county public library system located in metropolitan Atlanta.

I am not confident that this comment will survive transmittal. If so, I may later comment on risks.

I definitely have too many passwords and PINs. What I'd like to see with my library records and bank records would be a wall that didn't allow anyone in, including me, unless I first set up an authorization (in person is best). In both cases, this hasn't been true - both my library and my bank have already set up online access to anyone with my info. I'm not crazy about the fact that it's up to me (not to mention old-age pensioners) to take the initiative to change the default passwords. Assuming I do want online access to my library and bank records, then I'd like to be the one to decide if I create an easy password (if I don't care if someone else gets in) or a stronger password with eight alphanumeric/symbol characters.

As for email, it may be more secure than RSS (at least as fed into public RSS readers like Bloglines), but libraries should probably be warning patrons that it's not all that secure either. Email, as you know, is like a postcard that hops from computer to computer, with lots of possible eyes along the way. I'd like to see easy encryption so that emails wouldn't have to be in clear text. I'm still looking for a way to try out easy encryption - I've tried to figure out PGP without success. If someone who uses encrypted email is willing to help me (if it can be done in a simple-idiot-style), I'd be grateful.

I do, however, have some enthusiasm and optimism about RSS and patron records, even with Bloglines-type readers. Using the Ann Arbor model, giving no personal names or other identifiers, as far as I can figure, a snoop would have to crack into someone's personal RSS reader (even Bloglines) to try to identify who has all those herpes books checked out... right? And even that may not give them enough clues...

"(2) Libraries could greatly strengthen the passwords needed to get in. Don't use card numbers and phone numbers. Let patrons set up their own user names and strong passwords."

This reminds me of the big to-do when the Social Security Administration was offering people's retirement info online. You had to type in 3 or 4 bits of information - your SSN, your date of birth, your place of birth, your mother's maiden name (I'm making that one up because I don't remember them all)... And immediately someone showed that it wasn't all that hard to gather this information about someone and their retirement report. So lots of people said: they should have a pin or a password.

OK, how many pins do you have? How many passwords? Are there ones you use only every few years, and you still remember? How many old-age pensioners know how to create a secure password? How many will forget it immediately? How much time do you want to spend helping people remember their passwords?

The SSA had done what I think was the "right thing" -- they had required detailed information that people would know about themselves as a means of identification. I checked on my bank's web site at the time, and to set up online access to my account with my bank required 3 or 4 pieces of information, mostly the same ones that the SSA required -- and with my bank, getting on includes the ability to transfer funds, not just look at things. Essentially, identifying yourself online is broken broken broken, yet we do it every day. No wonder there is rampant identity theft. Actually, it's a wonder there isn't more.

Basically, passwords and pins are minor security, at best. They only work well for things that we use frequently. And they work less well with the very young and the very old, or just the very forgetful.

The Elf problem was not that someone could tap into your account, which they can do easily on some library ILS's (the paper records from my library's RFID system that shows what I checked out have enough info for someone to log onto my account in the ILS, yet there is no warning to keep those paper receipts secure) -- it was that your records were being shown publicly to anyone who did a search on an RSS aggregator that was ignoring "private" settings. This means that RSS is not a good technology for private information. It should be fixed, or something else should be developed that will perform the function privately. Library systems should avoid using technologies that have shown themselves to not meet our privacy standards. It's too bad, but that means that we're back to e-mail until the RSS problem is fixed.

The comments to this entry are closed.
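
The guessing sources named in the first comment above (birth date, street address number, telephone number, and years from 1776 through 2006) can be turned into an enrollment-time check that a library system runs before accepting a PIN. This is an added example, not part of any comment and not code from any ILS product; the function names, reason labels and patron fields are assumptions, and the sample patron is constructed.

```python
import math
import re


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random secret of the given length."""
    return length * math.log2(alphabet_size)


def pin_weaknesses(pin, birth_date=None, phone=None, street_number=None):
    """Return labels for each way a proposed PIN is easy to guess.

    birth_date is 'YYYY-MM-DD'; phone and street_number are strings.
    These patron fields are hypothetical, not taken from a real ILS schema.
    """
    reasons = []
    numeric = pin.isdigit()
    # Four numeric characters give only 10,000 candidates.
    if numeric and len(pin) <= 4:
        reasons.append("short-numeric")
    # Memorable years cluster in a narrow part of the numeric range.
    if numeric and len(pin) == 4 and 1776 <= int(pin) <= 2006:
        reasons.append("memorable-year")
    if birth_date:
        y, m, d = birth_date.split("-")
        # Common four-digit arrangements of a birth date.
        if pin in {y, m + d, d + m, m + y[2:], y[2:] + m, d + y[2:]}:
            reasons.append("birth-date")
    # Any run of four or more digits lifted from the phone number.
    if phone and len(pin) >= 4 and pin in re.sub(r"\D", "", phone):
        reasons.append("telephone-number")
    if (street_number and numeric and street_number.isdigit()
            and int(pin) == int(street_number)):
        reasons.append("street-number")
    return reasons


if __name__ == "__main__":
    # Constructed sample patron record.
    patron = dict(birth_date="1984-07-04", phone="404-555-0142",
                  street_number="221")
    for candidate in ("1984", "0142", "0221", "k7Qm2xTz9b"):
        print(candidate, pin_weaknesses(candidate, **patron) or "accepted")
    print("4 digits:", round(keyspace_bits(10, 4), 1), "bits")
    print("10 alphanumerics:", round(keyspace_bits(62, 10), 1), "bits")
```

An empty list means none of these checks fired; it does not by itself make a PIN strong, so the check belongs alongside a minimum length and a limit on failed login attempts.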