
The only person you can rely on to keep your password secure is yourself. And let me tell you, you’re probably not doing enough to keep number one safe. The reason: your special lump of letters, numbers and symbols is likely spread over too many sites, not long enough and probably too personal. Most of our passwords suck. And it’s kind of a big problem.
The thing to understand is that the biggest threat to your security isn’t some creep sitting in front of your email login screen, randomly brute-forcing his way into your account. Nope, you’re up against computers that can check thousands of encrypted passwords against dictionaries of several languages, plus everything in the World Factbook and Wikipedia, in a matter of minutes.
And the setup that makes cracking weak passwords a cinch is seriously nothing special. A journalist at the Tech Herald named Steve Ragan was able to crack over 80,000 encrypted passwords the AntiSec movement published on the internet in just five hours with a $US300 off-the-shelf computer and free downloadable software. One of the most surprising things he found from his password-cracking experiment: “Someone used a period. It just blew my mind.”
Leetspeak will not keep your password safe. “Numbers substituted for letters is really, really bad. Most password applications will try that before they do plain English,” says Chester Wisniewski, a senior security advisor at Sophos. Patterns on a keyboard are bad news, too. “You think you’re being clever, but you have to remember: The criminal’s a part of us.” It doesn’t require much to fell some six-character entry made from your dog’s name with some digits tacked on. “People will use their birth year. If there are four digits at the end, it’s not a remarkable coincidence that most start with 19,” says Wisniewski.
Once your password has been compromised, it isn’t just bad news for your Zappos account. If you’ve used the same login for other services, you’ve given a hacker access to more than just your shoe size and sneaker preference — you’ve opened yourself up to breaches of your Facebook, Twitter or email. Details gleaned from one can open up the next account.
OK, so all of this sucks. What can you do about it? The most important thing you can do to a single password is to make it long. “Adding one more character makes it exponentially more difficult to break — even if you don’t use silly characters,” says Wisniewski. “The password Apple is bad. But focusing on length, Appppppppppple, with 11 ‘p’s, is actually really good. So size does matter.” Experts suggest a password 12-14 characters long.
The problem, of course, is remembering that many characters. (Storing your passwords in a spreadsheet or email, by the way, is very much frowned upon. One breach means access to your whole life.)
“I’m a big fan of pass phrases,” says Ragan. “It’s something that’s personal — that’s easy to remember. The longer and more random, the less chance of a dictionary crack being successful.”
Wisniewski’s personal trick is to start with a line from a favourite song. He’ll pull the first letter of each word in the line and stick them together for something that’s easy to recall but very difficult to crack. The trick gives him length — which stifles brute force attempts — and randomness — keeping him clear of anything that would pop up in a dictionary. (Actually, when many words are glommed together, the password becomes incredibly hard for computers to crack, but a long string of seemingly random characters is even more secure.) Et voila, a password that is easy enough to remember and secure enough to use.
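To make the advice above concrete (the leetspeak, keyboard-pattern and word-plus-birth-year giveaways, the case for length, and the song-line initials trick), here is an added Python example that is not from the article or from any of the experts quoted; the word list, the leetspeak map and the 12-character floor are constructed assumptions, not a real cracker’s rule set.

```python
import math
import re

# Constructed stand-in for the word lists a cracker loads (real ones run to millions of entries).
DICTIONARY = {"apple", "password", "welcome", "monkey", "dragon", "rover", "sunshine"}
# Leetspeak substitutions tried before plain English: 0->o 1->l 3->e 4->a 5->s 7->t 8->b @->a $->s !->i
LEET = str.maketrans("0134578@$!", "oleastbasi")
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # lower end of the 12-14 character guidance


def lyric_initials(line: str) -> str:
    """Wisniewski's trick: the first character of every word in a song line."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z0-9][A-Za-z0-9']*", line))


def search_space_bits(password: str) -> float:
    """log2 of the brute-force space implied by length and the character classes present."""
    pool = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z\d]", 33)):
        if re.search(pattern, password):
            pool += size
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password: str) -> dict:
    """Apply the article's heuristics and return the verdict with the reasons behind it."""
    reasons = []
    low = password.lower()
    # Split off up to four trailing digits so "rover1984" is examined as "rover" + "1984".
    raw_stem, digits = re.fullmatch(r"(.*?)(\d{0,4})", low).groups()
    stem = raw_stem.translate(LEET)  # undo leetspeak before the dictionary lookup
    if stem in DICTIONARY:
        reasons.append("dictionary word" + (" with digit suffix" if digits else ""))
        if raw_stem != stem:
            reasons.append("leetspeak substitution")
        if re.fullmatch(r"(19|20)\d\d", digits):
            reasons.append("suffix looks like a birth year")
    if len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        reasons.append("keyboard pattern")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    bits = round(search_space_bits(password), 1)
    return {"verdict": "weak" if reasons else "ok", "bits": bits, "reasons": reasons}


if __name__ == "__main__":
    samples = ("Apple", "P@ssw0rd", "qwerty", "rover1984", "Appppppppppple",
               lyric_initials("We all live in a yellow submarine"))
    for pw in samples:
        print(f"{pw:16} {assess(pw)}")
```

Note that the initials of a single seven-word lyric line come out shorter than the 12-character floor, so the trick only pays off with a long line.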
Stephen Bono, a principal security analyst at Security Evaluators, also suggests using every tool you can on your keyboard. “Most people don’t know you can use parentheses in your password,” he says. Letters, numbers, special characters and upper case — if you’re allowed to, you should use them all.
Even with mnemonic devices and personal tricks, keeping track of the dozens of passwords we’re required to remember is pretty taxing. There are just so many other things we have to keep straight. (Rent, BTW. It’s now past due). The best thing to do? Get yourself a password manager service. These will allow you to create crazy-secure 14-character, dictionary-search proof, symbol-using passwords for every site you visit, without relying on your brain to remember all the gibberish. Here’s a rundown of a few right here.
And if you haven’t already done what Mat suggested (ahem, change your passwords!), now’s a really good time to do it.
Image: Guillaume/Flickr
DONAR
Tuesday, January 31, 2012 at 11:16 AM
I tried that song lyric method once. Had to reset because I forgot the song, and couldn’t even figure it out when they sent me my string of initials. Drove me nuts for weeks.

MotorMouth
Tuesday, January 31, 2012 at 11:20 AM
My first response is “who cares”? There is only one password I use that attaches any real danger to me and that is for internet banking. The rest are just an annoyance. I don’t care, for instance, if someone hacks into my account here and makes posts under my name, and if anyone else wants to co-opt my Facebook page, be my guest. I don’t use it. Seriously, what does anyone have that is worth worrying about? I have to change my password at work every few months, so I just use consecutive keys on the keyboard – start at “1”, go down and to the right, then back up the next column. Next time, repeat the procedure, starting at “3”, then “5”, “7” and “9”. Then back to the left-hand end from “2”. Etc., etc., etc. Massively insecure, I’m sure, but I don’t have to remember it or write it down.

monkeymind
Tuesday, January 31, 2012 at 1:42 PM
Agree completely. I have very secure pwds for banking and sharetrading and really don’t care about the rest. Any site that requires an account to login to post gets one of my many ‘variation on a theme’ passwords. Which is then saved in the browser, never to be typed by me again.

Sean
Tuesday, January 31, 2012 at 11:42 AM
Why the focus on users’ poor passwords? Why not focus on the crappy design choices by website creators that force us to use passwords for everything, then force constraints on the passwords that make them harder to remember and easier to crack – which encourages re-use of passwords and insecure password recovery systems. And let’s face it, no-one is brute forcing a website password if a simple delay is put into the server’s response to each attempt.

StevoTheDevo
Tuesday, January 31, 2012 at 1:32 PM
Different passwords for different sites is great, but you’re right... surely a simple delay like one password attempt every 10 seconds, added with an account lock if 10 consecutive incorrect attempts are made, would defeat brute force attacks for all but the most basic password combinations!
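The throttle-plus-lockout policy StevoTheDevo describes, as an added Python sketch that is not from the article or the comment: the class and function names are hypothetical, the credential map is constructed, and the 15-minute lock expiry is an assumption the comment leaves open.

```python
import hmac
from dataclasses import dataclass

# Constructed policy taken from the comment: one attempt per account every 10 seconds,
# lock after 10 consecutive failures. The lock expiry is an assumption the comment leaves open.
ATTEMPT_INTERVAL = 10.0
MAX_CONSECUTIVE_FAILURES = 10
LOCK_DURATION = 15 * 60.0


@dataclass
class AccountState:
    failures: int = 0
    last_attempt: float = float("-inf")
    locked_until: float = float("-inf")


class LoginThrottle:
    """Hypothetical login gate; `credentials` is a constructed user -> password map (a real store holds salted hashes)."""

    def __init__(self, credentials: dict):
        self._creds = credentials
        self._state = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password', 'too_fast' or 'locked'. `now` is injected so timing is deterministic."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if now - st.last_attempt < ATTEMPT_INTERVAL:
            return "too_fast"  # refused without checking, so a flood of guesses still yields one check per interval
        st.last_attempt = now
        # Unknown users take the same path as wrong passwords, so responses do not reveal which accounts exist.
        if hmac.compare_digest(self._creds.get(user, "").encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_CONSECUTIVE_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCK_DURATION
            return "locked"
        return "bad_password"


def max_guesses_per_day() -> int:
    """Approximate ceiling on online guesses against one account per day: a full run of failures plus one lock."""
    cycle = MAX_CONSECUTIVE_FAILURES * ATTEMPT_INTERVAL + LOCK_DURATION
    return int(86400 / cycle * MAX_CONSECUTIVE_FAILURES)
```

A per-account lock like this also lets anyone who knows a username lock its owner out on purpose, which is why sites usually pair it with per-source throttling rather than relying on it alone.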
Stew
Tuesday, January 31, 2012 at 12:11 PM
I took the plunge and now use different passwords for every single site I’m on after realising I was using the same password everywhere. If one person from one of these sites peeked at my password, they could then likely guess my email, ebay, FB etc passwords and cause me a world of grief (not my banking password though!).
I use KeePass2 to keep track of them all.
My KeePass file is in my DropBox so I can access it from my phone wherever I am should I need to retrieve a password.
Every time I sign up to a new site, I just add the details into KeePass on the go so it’s always current.

aflame
Tuesday, January 31, 2012 at 3:31 PM
I use 3 passwords, 2 hard for the important stuff and 1 crap, phone number password and a junk email for the rest.

Christo
Tuesday, January 31, 2012 at 9:33 PM
There’s some useful info here. But beware the pass-phrase turned into a password by taking the first letter of each word. It sounds random, but is incredibly predictable. E.g. the letter “t” will come up much more than it should do randomly, usually about twice in each password. That’s a big giveaway to hackers.
So my advice to you is get one of the password managers (I use LastPass), and then make a truly random password and remember it using PasswordGear.