Is there such a thing as a secure password? It seems like every month or so there is a similar announcement. Last month Yahoo! was hacked, with hackers exposing something like 450,000 user passwords. The month before that, it was LinkedIn where 6 million user passwords were exposed. And these are just the latest episodes.
You (the user) has no control over the security (or lack of it) by an online service such as Yahoo! or LinkedIn. But there are efforts daily by hackers to log in to user accounts by guessing passwords – there are even automated programs (downloadable on the internet) to automatically try to repeatedly guess insecure passwords, and take over your account.
The message from these attacks is not that you shouldn’t use these services (though you should not use them without thinking about the security implications, and whether or not you really want to put your information in that semi-public location). The real lesson is found in the passwords that were disclosed.
[pullquote]Password security is a myth.[/pullquote] Sooner or later some site you use will be hacked, and your password will be stolen. From that time on, unless you can change your password before the hacker gets into your account, they will own your account.
Is there better security than passwords?
The short answer is “yes.” One way is rarely used, but it is called public key security. Briefly, you would use software to create an encrypted key. You keep a private version and a public version would be uploaded to sites you use (like Yahoo!, LinkedIn, etc.), and the two must be used together to gain access. However, most of today’s sites and web browsers simply aren’t ready for this.
Google has come up with an intermediate approach, called “2 step verification.” To use it, from your Google accounts, go to Settings -> Security, and set it up. You will create a very complex temporary password that you must paste into some applications, like a smartphone or tablet, and you also continue to use your normal password. They can also use a code texted to you as authentication. If you haven’t enabled this, you should, as it is much more secure than simple password authentication.
Can passwords be more secure?
Yes and no. No password, no matter how complex, is secure if someone can gain access to it through a site’s security failure, like those of LinkedIn or Yahoo!. However, a strong password will prevent hackers, and most automated password cracking software, from guessing the password.
Even though using secure passwords, and different passwords for different services, is inconvenient, consider the most common passwords revealed by the recent breaches. The most common passwords disclosed were:
None of those are terribly difficult to guess.
Here are some best practices for secure password usage:
- Don’t use personally identifiable information (name, address, birthdate, wedding date, pet’s name, child’s name, hobby, school
- Don’t use words that can be found in the dictionary as your password
- Don’t use your login name from one service as your password on another
- Don’t use the same password on a banking site as on social media sites (or email sites, for that matter)
- Use at least 8 characters for your password (longer is better). At one time only the first 8 characters were relevant for passwords on Windows computers, but that day is long past.
- Never give your password to anyone over the phone or on social media
- Use special characters (the ones that are not letters or numbers) in your password
- Don’t write down your passwords (and especially, do not tape them to the bottom of your keyboard!), but use a password “wallet” application on your computer to store complicated passwords – and use a complicated password you can remember to access it
- Change critical passwords regularly
- If you can’t manage to use different passwords for everything, group things into categories, like Private (for financial sites), Personal (for email accounts), Public (for social networking), and Business (for email, directory listings, etc.), and at least use different passwords for each category.
- When you choose a password, instead of using a word or name, think of a favorite quote (preferably not a common and well-known one) and use the first letter of each word, then substitute something you might remember for some of the letters. For example, “Now is the time for all good men to come to the aid of their country” becomes “Nittfagmtcttaotc”. That can be further modified by substituting the number four for the “f” from the word “for”, yielding “Nitt4agmtcttaotc”. The double-t’s can become “2t”, and the final “c” could be an opening parenthesis “(” so the actual password might be “Ni2t4agmtc2taot(“. Please don’t use this one, as it is hardly “secure”. You can substitute numbers for vowels (such as 3 for E, 1 for I), and you can even include a comma or other punctuation to help make the password less easy to guess.
- If you suspect that the password may have been compromised – whether by a hack of the site, such as the examples mentioned above, or by a careless email or other way it may have been revealed, change it immediately.
It is less convenient to be secure. However, the alternative is allowing hackers access to your private and personal (and possibly financial) information.
A year or two ago a writer, with permission, attempted to access a person’s email. He was unable to guess her password for her Yahoo! account, but guessed her security questions, then reset the password, locking her out. From the information in her email, he was able to gain access to her bank account, her Facebook account, and several other sensitive areas. It is really much easier than you might think to connect the dots.