I don’t know my Internet banking password. I don’t know my Facebook password either, or my Web e-mail password. I couldn’t even tell you the first three letters. And no, I don’t have them written down in a book or saved on my phone.
Since two months ago, I only have two passwords to remember: the one that allows me to access the network at the Mail & Guardian offices, and the one that unlocks my password management system. I use 1Password, which has several alternatives on the market.
This system securely stores all my passwords and automatically enters them whenever I need to log into anything online. So whether I’m checking my bank balance or my Twitter account, I just hit a couple of keys, type in one completely private password and voilà, I’m in.
But the real beauty of the system is that it allows me to make extremely long and complex passwords. Most of mine are now 30 characters long and look something like this: pFutJhNcozRmDMO_LeiK2{Yvsdr3jP. And no, this isn’t one of my passwords. Or at least, I don’t think it is.
Why would I want such ludicrously long passwords? I’m not famous or important, so who would want to hack my accounts? But those questions miss the point. Hacking has evolved from something that nerds with bad breath did in their mothers’ basements to a heady mix of big business and competitive sport.
In the last three years alone, hundreds of million passwords and e-mail addresses have been stolen from major online services and then leaked online by the hackers. A single hack in October this year exposed the passwords and e-mail addresses of more than 150m Adobe customers. And that was the worst in a series of massive hacks. Sites have sprung up that allow you to check if your e-mail address was caught up in any of the largest hacks.
The Adobe passwords were encrypted, at least, meaning they needed to be unscrambled before they could be used to log in and cause mischief. Unfortunately, Adobe’s encryption method was quite weak and security experts were quickly able to decipher many of them. The most popular password, used by nearly 2m people, was “123456”. Oh dear.
The immediate solution to this leak was obvious enough: Adobe forced all its customers to reset their passwords and refused to accept anything very weak like “abcdef” or “password”. But the long-term ramifications are much more sinister and difficult to mitigate.
For instance, do you have distinctly and substantially different passwords for every online service you use? If so, you’re extremely unusual. Most people have only a handful of passwords which they share across everything from e-mail to social networks to cloud storage services. So, if you were unlucky enough to have your favourite password revealed by a massive data breach, along with your e-mail address, you would be a sitting duck for everyone from identity thieves to corporate espionage agents to spammers looking for “clean” addresses to abuse.
But perhaps the most significant danger is what these data leaks teach hackers, and their software, about the nature of the average password. Although modern hackers have many tools at their disposal, including simply phoning you and pretending to be your IT department, a significant number of hacks are still achieved using a method called a brute-force attack.
These attacks involve several computers (sometimes thousands of them) essentially guessing the correct password thousands or even millions of times a second. To do this they literally use dictionaries — guessing every word and word combination until they hit on the right one. Most security-conscious services, like banks, will quickly shut off an account after a small number of incorrect guesses, but many services still don’t have these safeguards.
What these massive data leaks do is provide a huge arsenal of more realistic “guesses” for hackers to use. They also reveal how human beings think en masse. Since brute-force hacking is essentially an exercise in high-level statistics, data sets like the Adobe hack are priceless.
This might seem quite depressing — as though we’re all doomed to have our e-mails read by perverts and our bank accounts raided by pimply teenagers. But simply using stronger passwords will make hacking harder both individually and collectively.
Security experts will tell you that what really matters in passwords is length, not complexity. We’ve been trained by well-meaning IT geeks to think strings like p@sSw0rD are more difficult to crack than a phrase like “bright donkey cheese chest”. In reality, given a moderate amount of computing power, the first password could be cracked in less than 24 hours. The second one, by comparison, would take billions upon billions of years and is arguably easier to remember.
The only thing better than a long password? A long and complex password. Given that hackers are using software to trample all over our security, the best defence is to fight fire with fire. Enter my trusty password service. It syncs (securely) across all my devices (phone, tablet and laptop) and means that I literally don’t know any of my own passwords (except the really important one).
I must admit I was nervous at first. A lifetime of remembering passwords left me feeling a bit uneasy about giving up that habit. But I’ve had to admit something that the hackers realised a long while ago: some things are best left to computers. — (c) 2013 Mail & Guardian
- Alistair Fairweather is chief technology officer at the Mail & Guardian
- Visit the Mail & Guardian Online, the smart news source