How to create one you’ll remember, and computers won’t guess
Don’t believe proclamations that the password is dead. Even with
increasingly sophisticated software programs able to rapidly burn
through an endless array of possible character combinations, the
password is not only alive, but as important as ever.
“Passwords are the bane of our existence, but they’re here to stay,”
says Hilary Schneider, president of LifeLock, an identity-theft
protection company.
Think of the password as a mouse trap. As simplistic as it seems,
there’s nothing out there more effective and straightforward for
accessing sites like your bank and favorite retailer. “A better system
can be developed but it needs to be easy to use before it can have the
widespread adoption to abolish the use of the password,” says Cameron
Camp, a security researcher for ESET, an antivirus and Internet security
provider. “If it’s not convenient, you won’t transact with the bank as
much and the bank loses revenue.”
We’ve been told time and again how important it is to have tricky,
unique passwords that are known to no one but ourselves. We should make
them long and add numbers and symbols to fool the fraudsters combing the
Internet for access to our records.
And we should always, always have different passwords for each site.
But apparently, we’re not listening very well. The annual
compilations of “worst passwords ever” are numerous but remarkably
similar in their results. Moreover, the top 25 or so passwords are held
by an alarmingly large number of people.
If you have any one of these as your supersecret word, consider
yourself a hacker’s target: password, qwerty, 123456, abc123, admin,
111111, shadow, letmein, trustno1, iloveyou, love, football, baseball,
monkey, master, batman and common names like michael, jordan, even
jennifer.
Why do we do it? It’s just too hard to remember so many different
passwords. Our memory function doesn’t grow as our list of
password-protected sites does. We want a system that will make sense to
us and that we can use again and again without putting much thought into
it.
“People don’t do this because they’re dumb and want to be hacked,”
says Markus Jakobsson, a security-research expert and an adviser to the
newly formed Council for Identity Protection. “It’s a matter of mental
overload. Nobody can remember 150 passwords.”
So what we do instead is take a word, say “happy,” and add a number
to it, giving us a password of “happy1.” If a password-strength checker
says that’s weak, we then capitalize the first letter and add a symbol,
ending up with “Happy1!”
“It’s fairly easy for the attackers to guess this,” Jakobsson says.
And for the attacker, trying a 2 in place of the 1 against another bank
or social site requires little extra effort.
In big breaches where passwords are stolen from major companies,
attackers typically write a short program to sort through the stolen
list. They pick out the most common passwords and start trying each
one, together with its user name, against accounts at other services.
For example, if the password on your LinkedIn account is “letmein1,”
the attacker will run that password and your user name against accounts
at Bank of America, Chase Bank, Citigroup and Wells Fargo, for starters,
just to see if maybe you have an account there.
If that doesn’t work, they may change the password to “letmein2” and
then “letmein3” and so forth.
“If a fraudster knows that one out of 10,000 people has one of these
very common passwords and he does this to 10,000 people, he will get
access to an account,” Jakobsson says. Remember that the bad guys aren’t
physically typing your name and your lame password into the banks’
sites; a software program is doing it.
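The mangling and cross-site reuse described above, as an added example in Python (not code from the article or from any product it names): it reduces a password to the stem a cracking rule set would recover, enumerates the cheap variants an attacker tries first, and simulates trying them against a constructed table of accounts. The account table, the symbol list and the “one trailing digit run plus one trailing symbol” rule are assumptions for illustration; the common-password list is the one printed earlier in this article.

```python
"""Added example: the cheap password 'mangling' and cross-site reuse the
article describes, run on constructed data. Use is_guessable() to check a
candidate against passwords you know have already leaked."""
import re
from typing import Dict, Iterable, List, Tuple

# Taken from the article's list of most common passwords.
COMMON_PASSWORDS = {
    "password", "qwerty", "123456", "abc123", "admin", "111111", "shadow",
    "letmein", "trustno1", "iloveyou", "love", "football", "baseball",
    "monkey", "master", "batman", "michael", "jordan", "jennifer",
}
SYMBOLS = "!@#$%&*"  # assumed: the symbols people append to satisfy a checker
# assumed rule: a password is "stem + optional digit run + optional symbol"
_TRAILING = re.compile(r"^(.*?)(\d*)([!@#$%&*.?]?)$")


def normalize(pw: str) -> str:
    """Reduce a password to the stem a cracking rule set would recover:
    lower-case it and drop a trailing digit run and one trailing symbol.
    'Happy1!' -> 'happy'; 'letmein2' -> 'letmein'. All-digit passwords
    such as '123456' have no stem and are kept whole."""
    stem = _TRAILING.match(pw).group(1)
    return stem.lower() if stem else pw.lower()


COMMON_STEMS = {normalize(p) for p in COMMON_PASSWORDS}


def mangle(leaked: str) -> List[str]:
    """Variants an attacker derives from one leaked password, cheapest
    first: the password itself, then the stem with a capital, a swapped
    trailing digit and an appended symbol (the happy1 -> Happy1! pattern)."""
    stem = normalize(leaked)
    out = [leaked]
    for s in (stem, stem.capitalize()):
        out.append(s)
        out += [f"{s}{d}" for d in range(10)]
        out += [f"{s}{d}{sym}" for d in range(10) for sym in SYMBOLS]
        out += [f"{s}{sym}" for sym in SYMBOLS]
    return list(dict.fromkeys(out))  # de-duplicate, keep priority order


def is_guessable(candidate: str, leaked: Iterable[str] = ()) -> bool:
    """True if the candidate is a common password or a trivial variant of
    one, or shares its stem with a password that has already leaked."""
    stem = normalize(candidate)
    if stem in COMMON_STEMS:
        return True
    return any(stem == normalize(old) for old in leaked)


def stuff(user: str, leaked: str,
          accounts: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Simulate credential stuffing against a constructed account table
    {site: {user: password}}: try each mangled variant of the leaked
    password at each site and report (site, password) pairs that would
    have logged in. Real attacks do exactly this, only over the network."""
    hits = []
    for site, users in accounts.items():
        for pw in mangle(leaked):
            if users.get(user) == pw:
                hits.append((site, pw))
                break
    return hits


if __name__ == "__main__":
    # Constructed accounts: 'alice' reused her social-site password at one
    # bank, bumped the digit and added a symbol at another, and used an
    # unrelated story-based password at a third.
    ACCOUNTS = {
        "social-site": {"alice": "letmein1"},
        "bank-a": {"alice": "letmein1"},
        "bank-b": {"alice": "Letmein2!"},
        "bank-c": {"alice": "MudcellconcertMaple"},
    }
    print(stuff("alice", "letmein1", ACCOUNTS))
    print(is_guessable("Happy1!", ["happy1"]),
          is_guessable("MudcellconcertRed", ["letmein1"]))
```

Only the account that used an unrelated password survives the run; the digit bump and the added symbol are both inside the first few hundred guesses, which is the point the article makes about “letmein2”.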
Jakobsson, who has analyzed and written about the passwords of
consumers whose accounts were compromised at large companies, thinks the
best way to remember large numbers of passwords is to develop a system
to compartmentalize them. Think of a story — say, a situation or an
experience that is unforgettable — and come up with three or more words
to describe it. Let’s say you were at an outdoor concert and it poured
rain, creating mud puddles as big as ponds throughout the area. You
slipped in the mud, face first, and lost your cell phone in the process.
Your password can then be “Mudcellconcert.”
Now use that password on all of your social-media sites, but mix it
up with a code. For Facebook, the code could be “Red,” so your password
becomes “MudcellconcertRed.” And the Twitter account code could be
“Periwinkle,” so that password then is “MudcellconcertPeriwinkle.”
Use different stories for different groups of accounts. Your
financial accounts, for example, could be tied to a time when you
mistakenly double-paid on a bill and thought you had a windfall on the
account. Your password could be “TwoX$$justdumb” with the code to your
bank account as “Maple” for “TwoX$$justdumbMaple,” and as “Birch” for
your 401(k) account for “TwoX$$justdumbBirch.”
One caveat: the site code is the only part that changes, so if one site
leaks your password in the clear, an attacker who sees
“TwoX$$justdumbMaple” can spot the shared base and try other tree names
at your other accounts. Keep the codes unrelated to the site names, and
change the shared base if any password in the group is exposed.
Jakobsson scoffs at the contention that a longer password is always a
better one, or that every password needs numbers and symbols. What
matters is what the password is made of. “Mudcellconcert” is only 14
characters, compared with the 18-character “Mississippiburning.” But it
is far harder to guess because it has more components, three rather than
two, and parts that aren’t easily associated with one another.
“Length by itself is not a surefire way to measure the strength,” he
says. “A password is secure if it’s hard to guess and not common.”
There are, of course, password managers such as Kaspersky Password
Manager, KeePass Password Safe and myLock springing up to help you
manage the myriad of passwords. They keep your passwords in an encrypted
store on your computer or smartphone, unlocked by a single master
password. Some, such as the open-source KeePass, are free; others will
cost you.
Eventually, we’ll all have layers of password security, Camp
predicts. It could be a one-time password that comes to a keychain or
fob plus your own password or biometric for authentication. “It will be
something you know and something you have,” he says.
Until then, come up with a story — and stick to it.