The only person you can rely on to keep your password secure is yourself. And let me tell you, you’re probably not doing enough to keep number one safe. The reason: Your special lump of letters, numbers, and symbols are likely spread over too many sites, are not long enough, and are probably too personal. Most of our passwords suck. And it’s kind of a big problem.
The thing to understand is that the biggest threat to your security isn’t some creep sitting in front of your email login screen, randomly bruteforcing his way into your account. Nope, you’re up against computers that can run thousands of encrypted passwords by dictionaries of several languages, everything in the World Fact Book, and Wikipedia in a matter of minutes.
And the setup that makes cracking weak passwords a cinch is seriously nothing special. A journalist at the Tech Herald named Steve Ragan was able to crack over 80,000 encrypted passwords the AntiSec movement published on the Internet in just five hours with a $300 off-the-shelf computer and free downloadable software. One of the most surprising things he found from his password-cracking experiment: “Someone used a period. It just blew my mind.”
Oh, and note: Leetspeak will not keep your password safe. “Numbers substituted for letters is really, really bad. Most password applications will try that before they do plain English,” says Chester Wisniewski, a senior security advisor at Sophos. Patterns on a keyboard are bad news, too. “You think you’re being clever, but you have to remember: The criminal’s a part of us.” It doesn’t require much to fell some 6-character entry made from your dog’s name with some digits tacked on. “People will use their birth year. If there are four digits at the end, it’s not a remarkable coincidence that most start with 19,” says Wisniewski.
Once your password has been compromised, it isn’t just bad news for your Zappos account. If you’ve used the same login for other services, you’ve given a hacker access to more that just your shoe size and sneaker preference-you’ve opened yourself up to breaches of your Facebook, Twitter or email. Details gleaned from one can open up the next account.
Ok, so all of this sucks. What can you do about it? The most important thing you can do to a single password is to make it long. “Adding one more character makes it exponentially more difficult to break-even if you don’t use silly characters,” says Wisniewski. “The password, Apple, is bad. But focusing on length, Appppppppppple with 11 ‘P’s,’ is actually really good. So size does matter.” Experts suggest a password 12-14 characters long.
The problem, of course, is remembering that many characters. (Storing your passwords in a spreadsheet or email, by the way, is very much frowned upon. One breach means access to your whole life.)
“I’m a big fan of pass phrases,” says Ragan. “It’s something that’s personal—that’s easy to remember. The longer and more random, the less chance of a dictionary crack being successful.”
Wisniewski’s personal trick is to start with a line from a favorite song. He’ll pull the first letter of each word in the line and stick them together for something that’s easy to recall but very difficult to crack. The trick gives him length—which stifles brute force attempts—and randomness—keeping him clear of anything that would pop up in a dictionary. (Actually, when many words are glommed together, the password becomes incredibly hard for computers to crack, but a long string of seemingly random characters is even more secure.) Et voila, a password that is easy enough to remember and secure enough to use.
Stephen Bono, a principal security analyst at Security Evaluators, also suggests using every tool you can on your keyboard. “Most people don’t know you can use parentheses in your password,” he says. Letters, numbers, special characters, and upper case—if you’re allowed to, you should use them all.
Even with mnemonic devices and personal tricks, keeping track of the dozens of passwords we’re required to remember is pretty taxing. There are just so many other things we have to keep straight. (Rent, btw. It’s now passed due). The best thing to do? Get yourself a password manager service. These will allow you to create crazy-secure 14-character, dictionary-search proof, symbol-using passwords for every site you visit, without relying on your brain to remember all the gibberish. Here’s a rundown of a few right here.
And if you haven’t already done what Mat suggested (ahem, change your passwords!), now’s a really good time to do it.
Image: CC licensed, Guillaume/Flickr
Change Your Password Day is February 1 and we hope you’ll join us in the most boring-but safest!-celebration ever.
Rachel Swaby is a freelance writer living in San Francisco. You can keep up with her on Twitter.