Weak Passwords


Previously:
Passwords: computer login
Passwords: e-mail
Passwords: Google Accounts & Windows Live ID
Passwords: password managers
Passwords: online passwords and LastPass

Let’s go over a few facts of life.

No one enjoys needing so many passwords. Remembering them is hard enough, but in our complicated world it has become even harder to understand when a password is required and what it actually protects.

I feel your pain but I can’t change the world. At the moment your passwords are your defense against identity theft, financial loss, compromised computers, and breaches of confidentiality and privilege. If you use a weak password, or if you use the same password over and over every time something calls for one, you are jeopardizing yourself and your business. Sorry. That’s the way it is.

Here’s an article by an expert speculating about how he’d hack your password if he were so inclined. I’ll quote from it, but it bears reading in full.

Here is my top 10 list. I can obtain most of this information much easier than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. "password"
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. "god"
  8. "letmein"
  9. "money"
  10. "love"

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

He goes on to describe what a brute force attack on a password means: special software systematically tries candidate password after candidate password against a site that does nothing to slow down or lock out repeated attempts. There’s a chart that shows how long it would take to crack a password based on how long it is and how many different kinds of characters it uses. Most of you have passwords that are all lower case, right?

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

He adds one important extra point – all the time estimates assume the password is not a dictionary word. If your password is a name or a word in the dictionary, it will fall almost immediately to a simple brute force attack that tries dictionary words first. It’s that simple.

There is a nice list of suggestions for making a password more complex – substituting numbers for similar-looking letters (0 for O, 3 for E), or adding capital letters, for example. Your computer and many web sites now allow spaces in passwords, which opens up one of the safest alternatives: use a phrase as a password. If your password is “Use the Force, Luke!”, it will not be broken by a brute force attack.
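To make the chart’s scaling concrete, here is an added example (not from this post or the quoted article) that estimates worst-case exhaustive-search time from character-set size and password length. It assumes the guess rate implied by the article’s 2.4-day figure for eight lowercase characters, treats “all possible characters” as the 95 printable ASCII characters, and uses a small constructed wordlist in place of a real cracking dictionary.

```python
import string

# Assumed guess rate, derived from the article's own figure: 2.4 days to
# exhaust every 8-character all-lowercase password (26**8 guesses). It is
# an illustration of how the search space scales, not a measured speed.
ARTICLE_LOWER_8_DAYS = 2.4
GUESSES_PER_SECOND = 26 ** 8 / (ARTICLE_LOWER_8_DAYS * 86400)
SECONDS_PER_YEAR = 365.25 * 86400

# Constructed stand-in for a cracking wordlist. Real lists hold millions of
# words plus phrase lists and mangling rules, so a famous quote is weaker
# than the exhaustive-search estimate below would suggest.
WORDLIST = {"password", "letmein", "god", "money", "love", "123456", "1234"}

def charset_size(pw: str) -> int:
    """Alphabet an exhaustive search has to cover: the union of the standard
    classes that appear in pw (26 lower, 26 upper, 10 digits, 33 specials
    including space). All four classes together give the article's 95."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    return sum(n for chars, n in classes if any(c in chars for c in pw))

def keyspace(pw: str) -> int:
    """Candidates an exhaustive search must try in the worst case."""
    return charset_size(pw) ** len(pw)

def crack_time_seconds(pw: str) -> float:
    """Worst-case exhaustive-search time at the assumed rate. A password on
    the wordlist is found immediately whatever its length, as the article says."""
    if pw.lower() in WORDLIST:
        return 0.0
    return keyspace(pw) / GUESSES_PER_SECOND

def crack_time_years(pw: str) -> float:
    return crack_time_seconds(pw) / SECONDS_PER_YEAR

def describe(pw: str) -> str:
    years = crack_time_years(pw)
    if years == 0.0:
        return f"{pw!r}: on the wordlist, cracked instantly"
    unit = f"{years * 365.25:.1f} days" if years < 1 else f"{years:,.0f} years"
    return f"{pw!r}: charset {charset_size(pw)}, about {unit}"

if __name__ == "__main__":
    for pw in ("password", "abcdefgh", "Ab3*efgh", "Use the Force, Luke!"):
        print(describe(pw))
```

Run as a script, it reproduces the article’s jump from about 2.4 days for eight lowercase letters to roughly two centuries once all four character classes are mixed in, and shows the passphrase landing far beyond either.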

The most important advice, though, is also the hardest to follow: use a different password for each password-protected place in your life. That’s not easy, but I want to remind you about LastPass, which can make it much easier to accomplish.

LastPass is a free program that memorizes each password typed into a web site and automatically fills it in when you return to the same site. Once it’s up and running, the master password for LastPass is the only password you have to remember.


Go back and read my article about LastPass. Then go create a free account and install it, and, just as important, spend time learning how to use it. Watch the videos. Read the manual. This deserves your time. It is an essential utility.

Let me give the last word to the author of the article about password cracking:

I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because "I don’t get anything sensitive there." Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.