How to keep your accounts as secure as possible
I don’t mean to alarm you, but – well, actually I do. Your password strategy, if you have one at all, might be seriously out of date. In the past year, several well-publicized attacks on major online services exposed users’ passwords. For example, in June 2012, more than 6 million LinkedIn passwords were stolen and posted online. Just over a month later, more than 450,000 Yahoo passwords were leaked. The direct damage resulting from public disclosure of the passwords was bad enough, but the security breaches also revealed that vast numbers of people follow dangerous password practices that can result in far worse problems.
If you haven’t examined your approach to making
and using passwords recently, now is a good time to rethink your assumptions.
Here are a few important facts about passwords you may not have realized and
what they mean for you.
What you don’t know about passwords
Here are some key points to bear in mind as
you create new passwords.
Password reuse is a major danger
You know how it is: every time you turn around, another website or online service wants you to create a new password. Because that’s so tedious to do, you may be tempted to rely on shortcuts. But those shortcuts can get you in trouble. As a case in point, consider the common practice of using the same password for multiple sites.
Suppose you signed up for a LinkedIn account, and you used the same password that you previously chose for your Gmail account. Then, in June, you were one of the unlucky people whose LinkedIn password was leaked. An enterprising hacker who knew your LinkedIn password could have easily tried it with other popular services, so gaining access to your Gmail account would suddenly be child’s play. That’s a problem not just because someone could read or delete your email, but because you might use your Gmail address to access or reset other passwords. After clicking the Forgot Password link on other sites, the hacker could check your email to get access to accounts that use those other passwords. Even reusing a single password in two places could, in this way, cause cascading problems.
The best way to overcome a password reuse habit is to use a password manager, such as 1Password ($50, macworld.com/a/1155446) or LastPass (free; premium service, $12 per year; macworld.com/a/1151444). These tools auto-generate passwords, store them securely, and let you fill them in on websites with a single click or keystroke.
Hackers know your password tricks
When people are faced with the need to come
up with a new password, their next-biggest crutch after reusing passwords is to
pick something that’s extremely easy to remember and type. As the lists of stolen
passwords and other security research show, a lot of people still use 123456,
password, baseball, and other simple strings. Naturally these and the next
several thousand most common passwords will be the first ones a hacker tries
when attempting to break into an account. Likewise, you should avoid names,
dates, and common dictionary words.
Appending a number to a common word (passwords1, say) is an often-used method for complying with “Must contain a digit” rules. So are substituting numbers or symbols for letters (p@ssw0rd, for example) and using patterns of keyboard keys such as edcrfvtgb. The problem is, hackers are well aware of such techniques. As soon as you invent a new method for creating better passwords (such as padding a shorter password with repeated punctuation), the bad guys adapt accordingly. So don’t count on cleverness to protect your password. It might take a few milliseconds longer to guess 1d0ntkn0w than Idontknow, but remember that you’re up against machines that can make any substitution in the blink of an eye.
You want to make your passwords un-guessable,
even by someone who is smarter than you. The best way to do this is to
construct them from random strings of characters, including uppercase and
lowercase letters, numbers, and punctuation. Though it’s very hard for a human
to create a truly random password, it’s quite easy for a computer to do. So
once again, it’s better to rely on a password manager than on your brain.
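As an added illustration (not code from the article), here is a defender-side policy check that undoes the substitutions and padding described above before comparing against a blocklist, alongside a generator of the kind of random password a password manager produces. The blocklist and substitution table are constructed for the example; a real check would load a large breach-derived list.

```python
import re
import secrets
import string

# Constructed stand-in for the "next several thousand most common passwords";
# a real check would load a large breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "baseball", "idontknow", "qwerty"}

# Symbol-for-letter swaps that cracking rule sets reverse instantly.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Recover the base word a mangling rule would have started from."""
    # Strip leading punctuation padding and appended digits/punctuation
    # ("password1", "!!password!!") before undoing substitutions, so a
    # trailing "1" is dropped rather than read as an "i".
    base = re.sub(r"^[\W_]+|[\d\W_]+$", "", password)
    return base.translate(LEET_MAP).lower()


def is_weak(password: str) -> bool:
    """True if the password, raw or normalized, is on the common list."""
    return (password.lower() in COMMON_PASSWORDS
            or normalize(password) in COMMON_PASSWORDS)


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 14) -> str:
    """Uniformly random password with every character class present."""
    if length < 4:
        raise ValueError("need room for all four character classes")
    # Rejection sampling keeps the distribution uniform over the valid strings.
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate
```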
14 is the new 8
Let’s imagine that an attacker is
determined to get into your account, and the quick-and-easy hacks (such as
checking dictionary words, along with common mutations) have failed. What then?
The next step for the hacker is to use brute force, trying every possible password
one by one. Unfortunately, it’s getting easier and easier to find a match with
this technique. A few years ago, a reasonably powerful system might have been
expected to check a million potential passwords per second. Today, a single
off-the-shelf PC can check several billion passwords per second, and a network
of computers can check many times that number.
As a result, the advice you’ve read in the
past about what constitutes a secure password may no longer be valid. For
example, a password with eight or nine random characters is no longer
sufficient to protect against a brute-force attack. Experts today recommend
that you use longer passwords, often 12 to 14 characters. And that’s for
passwords randomly generated by a computer. Passwords you create by hand must
be even longer to have the equivalent strength.
All password managers let you select the password length you want, and my advice is that for any password that can be entered for you by an app (or copied and pasted), you might as well use the longest password the target service will accept. After all, the same keystroke that fills in a nine-character password can fill in one with 14 characters.
Of course, you must still commit certain passwords to memory or, for one reason or another, enter them manually. For such passwords, you can use a longer but less-complex character string to achieve comparable security.
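To put numbers on the brute-force argument above and on the length-versus-complexity trade-off for hand-entered passwords, here is an added worked calculation (not from the article). The guess rates of 1 million and 5 billion per second stand in for the article’s “a million” and “several billion”; the 94-symbol alphabet is printable ASCII, and the 7776-word list size is an assumed passphrase word list.

```python
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94
LOWERCASE = 26
WORDLIST = 7776   # assumed size of a passphrase word list
OLD_RATE = 1e6    # "a million potential passwords per second" (a few years ago)
NEW_RATE = 5e9    # stand-in for "several billion passwords per second"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def crack_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected years to hit a random password: half the keyspace on average."""
    expected_guesses = alphabet_size ** length / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def equivalent_length(target_bits: float, alphabet_size: int) -> int:
    """Shortest string over a smaller alphabet that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def summarize() -> dict:
    """The article's cases: 8-9 random characters then vs. now, and 12-14 today."""
    rows = {}
    for length in (8, 9, 12, 14):
        rows[length] = {
            "bits": round(entropy_bits(PRINTABLE, length), 1),
            "years_at_1M_per_s": crack_years(PRINTABLE, length, OLD_RATE),
            "years_at_5B_per_s": crack_years(PRINTABLE, length, NEW_RATE),
        }
    return rows


if __name__ == "__main__":
    for length, row in summarize().items():
        print(f"{length:2d} chars: {row['bits']:5.1f} bits, "
              f"{row['years_at_1M_per_s']:.2e} yr then, {row['years_at_5B_per_s']:.2e} yr now")
    target = entropy_bits(PRINTABLE, 14)
    print("14 random printable chars ~", equivalent_length(target, LOWERCASE),
          "random lowercase letters or", equivalent_length(target, WORDLIST), "random words")
```

Eight random printable characters took roughly a century at a million guesses per second but about a week at five billion, which is why the article moves the floor to 12 to 14 characters; the same entropy as 14 random printable characters needs about 20 random lowercase letters.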