Why We're Losing The Password War

LinkedIn, eHarmony, Yahoo -- it seems like we hear about a new hack just about every week now. We all know the password rules -- don't use your mum's maiden name, don't use your pet's name, use numbers and random letters. But despite those guidelines, we could be more screwed than we think.

Ars Technica has a good look at why it's such a problem. You see, our passwords are spreading across more and more accounts while technology makes cracking passwords easier. As Ars explains:

Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.

Each time a hack happens, crackers become more attuned to the types of passwords people use to protect their accounts and the techniques they employ to make those passwords harder to guess. Now they have entire leaked lists to model their guesses on. A couple of big breaches turned the tide around 2010 -- one hit RockYou, another hit Gawker -- and they have only become more frequent since, as Ars notes:

Almost as important as the precise words used to access millions of online accounts, the RockYou breach revealed the strategic thinking people often employed when they chose a passcode. For most people, the goal was to make the password both easy to remember and hard for others to guess. Not surprisingly, the RockYou list confirmed that nearly all capital letters come at the beginning of a password; almost all numbers and punctuation show up at the end. It also revealed a strong tendency to use first names followed by years, such as Julia1984 or Christopher1965.
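The pattern analysis quoted above is what turns a leaked list into a cracking strategy, and it is worth seeing why a strategy beats raw speed. The following is an added example, not code from the Ars article or this post: it builds a tiny hashcat-style rule engine (capital letter first, common suffix or four-digit year last) over a made-up first-name list and runs it against a constructed set of unsalted SHA-1 hashes, then compares the handful of guesses it needed with the keyspace a naive brute force would face at the 8.2 billion guesses per second the article quotes. The name list, suffixes, year range, hash choice and sample passwords are all assumptions invented for the demo.

```python
"""Rule-based cracking demo (constructed data; added example, not the page's code).

Offline cracking runs against a leaked hash list, not the login page: the
cracker hashes candidate guesses locally and compares them with the leak.
The rules below mirror the RockYou patterns the article quotes: capital
letter first, digits at the end, first name followed by a year.
"""
import hashlib
import string

# Article's figure: one Radeon HD 7970 tries ~8.2 billion guesses per second
# (for a fast hash). Used only to size the brute-force comparison.
GUESSES_PER_SECOND = 8.2e9

# Constructed "leak": unsalted SHA-1 digests of four made-up passwords built
# the way the RockYou analysis describes. Not from any real breach.
_CONSTRUCTED_SECRETS = ["Julia1984", "Christopher1965", "michael123", "Sarah2001"]
LEAKED_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in _CONSTRUCTED_SECRETS}

# Tiny name list standing in for the first-name dictionary a cracker would use.
NAME_LIST = ["julia", "michael", "sarah", "christopher", "david", "jessica"]


def mangle(word, years=range(1950, 2013), suffixes=("", "1", "123", "!")):
    """Yield candidates for one dictionary word using hashcat-style rules:
    identity, capitalise first letter, upper-case all; then append a
    common suffix or a four-digit year (assumed year range and suffixes)."""
    for base in (word, word[:1].upper() + word[1:], word.upper()):
        for s in suffixes:
            yield base + s
        for y in years:
            yield f"{base}{y}"


def crack(hashes, wordlist):
    """Return (found, tried): found maps digest -> password for every hash
    recovered; tried counts candidates hashed before finishing."""
    remaining = set(hashes)
    found = {}
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            digest = hashlib.sha1(cand.encode()).hexdigest()
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
                if not remaining:
                    return found, tried
    return found, tried


def charset_size(password):
    """Size of the alphabet a brute-forcer must assume once it knows which
    character classes appear (lower, upper, digit, punctuation)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace of passwords that look like
    this one (same length and character classes) at the given guess rate."""
    return charset_size(password) ** len(password) / rate


if __name__ == "__main__":
    found, tried = crack(LEAKED_HASHES, NAME_LIST)
    print(f"recovered {len(found)}/{len(LEAKED_HASHES)} after {tried} guesses")
    for pw in found.values():
        days = brute_force_seconds(pw) / 86400
        print(f"  {pw:16} brute-force keyspace at 8.2e9 guesses/s: {days:.1f} days")
```

All four constructed hashes fall in well under a thousand guesses, while the 62-character, 9-position keyspace that "Julia1984" nominally lives in would take a single GPU about 19 days to exhaust at the article's rate. The difference is the leak: once the cracker knows the shape people use, the keyspace that matters is "names times years", not "all printable strings".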

So what's the solution? Honestly, beyond everything you've already heard a million times about changing your passwords frequently, there may not be one. Head over to Ars if you're prepared to feel even less secure than you already do. [Ars Technica]

Image: Yellowj/Shutterstock



    What I do is I have an algorithm that I create in my head and then stick to it.
    This has the ability to make each password you create different while being easy to remember.

    The algorithm can be anything you like but include the name or part of the name of the site you are on.

    So you could put a common number and symbol you always use, let's say 54#, then 2 letters from the site you are on (ebay = eb), so now it's 54#eb, then some random thing you always use, 9T, so now the password is 54#eb9T, then the rest of the site you are on (ebay = ay), so now your password is 54#eb9Tay.
    Anyway, you get the picture. This makes it harder to guess while easy to remember, and you don't use the same password on every site you use.

    Have fun.

      I have a similar process. For shopping sites I use a standard 'stem' containing a mix of alphanumerics and prepend a couple of letters to the front to represent the last item I bought, then change it every time I buy something new. Works fine for sites I don't buy from a lot. I'd be careful with your example as it doesn't take much work to realize the name of the site is in the password. If your password is cracked they could re-use it on other sites and just substitute the site name where you had the eb and ay. Although I suspect that few hackers would bother trying to interpret and reuse your password when they might have thousands of others to play with. Probably more of a risk if someone were to see you inputting your password and figure it out from there.

      So, as long as I get one of your passwords, I get all of them?


      I like to use several words intertwined with numbers and letters. For example you could use: gizmodo1Technology2blog# – or any variant thereof

      This means that all you need to know are words and the password is stupidly long. You could also maintain an 'algorithm' to remember them all.

    Lastpass + 2 Factor authentication. Problem solved.

      Now everyone knows!!!

      Not really, I use LastPass and randomly generate everything!

      I'm a KeePass user myself, but same principle: generate the most complex passwords I can for each site, never reuse a password, and always use 2 factor authentication where possible.

    To be honest, I think the best strategy is to have really strong passwords, write them down and keep them in your wallet with a 'backup' copy stored somewhere else in case your wallet is stolen and you need to change them. When was the last time you had your wallet stolen? I've thought about services like LastPass, but I worry what happens when they get hacked. The thing is you don't need to write the site address or username on the paper with the password as the different passwords will look different and you'll be able to recognize at least some of the component elements as being for a particular site. For extra security, you can have a process of always substituting particular alphanumerics with others that are written down. So, for example, if the password contains an 'X' always replace it with a '!'. I'm guessing most people who might steal/find your wallet will have a go with a couple of the passwords on the more popular websites but won't have the skills/equipment to use those passwords as a seed for a brute force attack. And anyway, they're probably too busy using your credit card at the bottle shop to stuff around with the passwords.

    I know Giz has done a password management story before, but could you guys do it again please? Thanks :)

      Seconded, but maybe a newer one written with this info in mind.

      It seems every article I see about password management says something different! There's nothing definitive.

    I'd like to see a story explaining how all this password hacking occurs. All this talk about longer passwords being better even if they are common words or phrases doesn't make sense. How can you brute force a web site to work out a password? Surely it would take forever even for a computer to work through millions of combinations by typing them into the eBay login page. Is all this stuff about salting/dictionaries/brute force just in relation to hackers gaining master password lists from companies and hacking the encryption?

    I've often wondered why a commercial USB stick solution hasn't been developed. A stick with a ridiculously difficult password encoded on it where you can only access your sites when it's plugged in. It means you would have to carry it with you everywhere, but I could imagine it could be easily designed into a piece of jewellery.

      Something like this? #quickgooglesearch http://www.securemetric.com/index.php

    Are you guys seriously discussing how you like to think up your "secure" passwords?

    ThebestpasswordisonethatislonG. The longer a password is, even if it is just lowercase letters without numbers, the longer it will take to brute-force crack.

    The advantage with ThebestpasswordisonethatislonG is that you can add the site's name after it, or inside it, to ensure that ThebestgizmodopasswordisonethatislonG remains unique AND easy to remember.

    Doing the math on that password's entropy ... about 35,000,000,000,000,0000,000 years to brute-force crack using the fastest known method.

    Why can't login pages have a 10 sec timer between attempts? Then no more brute force. Duh!!
