September 20, 2012, 11:49 AM
Remember when email used to be good? That was before spammers took over. Now it’s become a necessary evil -- a total time suck that’s less and less useful with each passing day.
That’s how I feel about passwords. They used to be a reasonable way of guarding access to important accounts. Now they’re a nuisance – and worse, a major security risk.
Just ask Matt Honan, the Wired writer who got his life turned upside down by hackers intent on stealing his Twitter account (and who decided to trash his life along the way). Their ability to social engineer his Apple ID, Amazon, and Gmail passwords – and then use them to wipe out the data on his Mac, iPad, and iPhone – made his life a living hell for a while.
The problem with passwords is that there are too many of them. Every bleedin’ site seems to require one now, plus a separate password if you want to log into their commenting system. And some of them are getting downright annoying about it – requiring “strong” passwords with 8 or more characters, a number and a capital letter in each one. Like we all have the time and brain capacity to remember 1bxQutly or Jb77rWZa for every site.
Is it any wonder that the most popular passwords are things like “password,” “welcome,” or “123456”? Like email, passwords used to work beautifully and now are hopelessly corrupted.
So, to summarize: Passwords suck. Unfortunately, the alternatives aren’t great. Sure, biometrics may one day offer a solution (if they don’t completely eviscerate our privacy first). Multi-factor authentication adds a layer of security to a password, kind of like a deadbolt on a door, but could eventually prove even more annoying than passwords if it’s widely adopted.
Some day we may even have a federated identity system we can log into once that will securely identify us across multiple sites without the need for passwords. And maybe that day will come before I’m dead. In 2011 the Obama administration launched the National Strategy for Trusted Identities in Cyberspace. Given that this is a government-driven initiative, though, I’ll probably need to live a long life to see that become a reality.
In the meantime, we’re stuck with passwords. What can you do? Here are four ways to bring sanity to passwords.
1. Use a password manager
You can get a password management program, preferably one that lives in the cloud so you can log into it from any device and use it on your PC, phone, tablet, etc. These programs will even offer to create random passwords for you and delete your old, easy-to-guess ones.
The advantage to a password manager is that there’s only one stupidly complicated password to remember. The disadvantage is that it’s a bit like getting married; once you make the leap you’re either in it for the long haul or you’re facing a nasty divorce.
To be honest, I have yet to find one of these I truly like. I tried Roboform for a while but wasn’t very happy with it; I’m testing LastPass and Dashlane right now, and the jury is still out. I’m not finding any of them very intuitive, though that may be in part because I’m hesitant to commit to one and go full steam ahead.
2. Pick your spots
Alternatively, you can simply decide which accounts you really need to protect and forget about the rest. Start with your bank accounts and the email account where all your password resets are sent. Protect those with a long password (see below) and choose a different password for each of those accounts. As for the rest, pick one reasonably strong but memorable password and recycle it.
I realize that’s not the advice most people will give you. But do the cost/benefit analysis and you’ll see why I say this. Does it really matter if someone somehow guesses that password and hijacks your LinkedIn or Twitter or Facebook accounts? Sure, they can mess with your online resume, send offensive tweets in your name, or post stupid things to your Wall. And you’d have to go in later to change your passwords back, restore your work history, and apologize to your peeps if the hijacker offended them or tried to scam them.
But many of these accounts have ways to alert you if your password has been changed; you’d have to be pretty dim to allow someone to go wild on your accounts for months without noticing. And really, why would they? The odds of this happening are almost infinitesimal. Weigh that against the time spent trying to create and remember a different password for each one of these.
3. Forget “strong,” think long
You know that advice people always give about choosing complex passwords with multiple letters, numbers, and capitals? Forget about that. As long as you’re not using the obvious examples (your name, common words, “password,” etc.), the most important thing is how long the password is, not how incomprehensible it is to humans.
Hackers start with the obvious passwords everyone uses. If those don’t work, they go to brute-force dictionary attacks, where they throw millions of common words against your login screen in the hope of finding the right one. If that doesn’t work, they have to use a password-cracking program that throws random combinations of characters at it.
So, the longer your password is, the harder it will be to crack; it doesn’t matter whether the correct password is 1Xcv34mgrtRI9q00ty!Ov$ or suckonthisyouslimeball -- to a password cracking algorithm they’re essentially the same.
The solution, then, is to pick a long password that will take that algorithm centuries (or longer) to compute. Me, I like to use song lyrics with no spaces. Like
Sure, it takes longer to type, but it’s easy to remember. Just don’t pick something obvious or inane, no matter how catchy it is. (Callmemaybe? Seriously?)
[Update: Interestingly, security and privacy god Bruce Schneier recently posted a piece on password cracking that echoes much of what I have here. Worth a read.]
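To put numbers on the “long beats strong” argument above, here is an added Python estimate (my code, not the author’s) of the work behind each attack stage the section describes, run against the two example passwords. The guess rate, the word-list size and the short list of common passwords are assumptions, and the word split of the passphrase is supplied by hand; the last case shows the caveat that a passphrase made of dictionary words is cheaper to guess word by word than its character count suggests.

```python
import math
import string

# Constructed inputs: the attack stages the section lists, with assumed sizes.
COMMON_PASSWORDS = {"password", "welcome", "123456", "callmemaybe"}
DICTIONARY_SIZE = 20_000          # assumed size of an attacker's word list
GUESSES_PER_SECOND = 1e10         # assumed offline cracking speed
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Alphabet a character-level brute force must cover for this password."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    )
    return sum(size for chars, size in classes if any(c in chars for c in pw))


def estimate(pw: str, word_count: int = 0) -> dict:
    """Return the cheapest attack stage for pw, its entropy in bits, and the
    years needed to exhaust that search space at GUESSES_PER_SECOND."""
    # Stage 1: the handful of passwords everyone uses.
    if pw.lower() in COMMON_PASSWORDS:
        bits, stage = math.log2(len(COMMON_PASSWORDS)), "common"
    else:
        # Stage 3: random combinations over the password's own alphabet.
        bits, stage = len(pw) * math.log2(charset_size(pw)), "brute_force"
        # Stage 2: if the password is a run of dictionary words, the attacker
        # can guess word by word, which is far cheaper than per-character.
        if word_count:
            word_bits = word_count * math.log2(DICTIONARY_SIZE)
            if word_bits < bits:
                bits, stage = word_bits, "dictionary"
    years = 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR
    return {"stage": stage, "bits": round(bits, 1), "years": years}


if __name__ == "__main__":
    cases = (("password", 0),
             ("1Xcv34mgrtRI9q00ty!Ov$", 0),
             ("suckonthisyouslimeball", 0),
             ("suckonthisyouslimeball", 5))  # suck / on / this / you / slimeball
    for pw, words in cases:
        print(f"{pw:24} words={words}: {estimate(pw, words)}")
```

Both 22-character examples are far beyond reach of a pure brute force, which is the author’s point; the lowercase phrase drops from about 103 bits to about 71 once the attacker guesses whole words instead of characters.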
4. Don’t be stupid
If someone is truly determined to hack your password, they will go beyond a dictionary attack or password cracking software. The first thing they’ll do is try to get you to reveal your password by pretending to be someone or something else. They’ll send a phishing email to you that looks like it’s from a legit site but sends you to a fake site that captures your logins. They’ll infect a Web page or a PDF file with malware that detects when you’re trying to log into your bank, captures your keystrokes, and sends them to some greasy cybercriminal in Lower Slobovia. Or they will hijack your session via a man-in-the-middle attack, passing messages between you and the site without you even knowing it. Later they’ll use your information to log in and have their way with your account.
These days US banks are required to employ multifactor authentication – either asking you to identify a picture, enter a randomly generated PIN sent to you via text, or verifying the machine that’s attempting to log in and flagging those that are unknown to it. Other sites? Not so much. It’s the wild wild west out there.
But the defense against most of these attacks is pretty straightforward: Be smart. Learn how to identify and avoid phishing attacks. Don’t give your password out on the phone to someone who calls you. Install a decent security program that scans Web sites before you visit them and flags suspicious ones. Upgrade your browser – most modern ones have tools that watch out for bad sites. Don’t open strange PDFs or other email attachments you didn’t ask for. Set up your accounts to alert you to suspicious activity and keep an eye on them. And so on.
It’s not difficult. And while it takes a bit of effort, it’s still safer and easier than trying to remember 37 different passwords that look like ransom notes.
Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.