Get (Password) Smart

June 12, 2013

How many passwords do you have?

If you’re like a lot of people, you have one or two that you use for just about every website, app and service that you sign up for.

And if you are reading this — that is, if you are a digitally savvy, early-adopting go-getter — you might sign up for something like one new service a day, or at least one a week. That is a lot of log-in information to keep track of, so it is easy to fall into the trap of reusing the same password over and over.

Think about that. Every aspect of your digital life (and in this age, there is no separating your digital life from the non-digital aspects) is held safe by probably just a few short strings of letters and numbers.

And these strings can be incredibly easy to crack with modern computers, as a recent Ars Technica article showed. The publication invited three password experts to crack a list of more than 16,000 passwords: the most successful person was able to crack 90 percent of the passwords on the list. Even an Ars Technica reporter with no password-cracking experience was able to crack 47 percent of the list.

Sure, you say, but what about all of those sites forcing me to add a “special character” and/or capital and lowercase letters? That must keep me secure, or they wouldn’t make me do it, right?

To quote the Ars Technica article:

The ease these three crackers had converting hashes into their underlying plaintext contrasts sharply with the assurances many websites issue when their password databases are breached. Last month, when daily coupons site LivingSocial disclosed a hack that exposed names, addresses, and password hashes for 50 million users, company executives downplayed the risk.

[…]

Officials with Reputation.com, a service that helps people and companies manage negative search results, borrowed liberally from the same script when disclosing their own password breach a few days later. “Although it was highly unlikely that these passwords could ever be decrypted, we immediately changed the password of every user to prevent any possible unauthorized account access,” a company email told customers.

Both companies should have said that, with the hashes exposed, users should presume their passwords are already known to the attackers. After all, cracks against consumer websites typically recover 60 to 90 percent of passcodes. Company officials also should have warned customers who used the same password on other sites to change them immediately.

Sufficiently worried yet? Then let me cite two stories you should be familiar with: the 2010 hacking of Gawker, which revealed thousands of user passwords, and last year’s meltdown of personal data experienced by Wired writer Mat Honan. If you aren’t familiar with either case, please take the time to read up now.

An analysis of the Gawker hacking even showed that the most common passwords used by Gawker’s user base were “123456” and “password.” More easy hacking for the bad guys.

And Honan’s case is especially haunting for anyone who relies heavily on the so-called cloud services that are supposed to make our lives easier.

OK, stop cowering in fear.

Would you believe there is a simple solution to all this? There is: using long, randomly generated passwords and keeping them organized with a password manager.

I use 1Password to manage my passwords. It generates, stores and syncs all my passwords across all my devices and keeps them safe behind one master password. A good free alternative is KeePass.

Granted, if your master password is cracked, all your data is revealed, so choosing a strong master passphrase is important. But short of having a photographic memory and keeping track of hundreds of unique passwords yourself, it is the best way to go.
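To make the "long, randomly generated passwords" advice concrete, here is an added example (not code from the post or from 1Password/KeePass) that generates a password and a word-based master passphrase from the OS random source and compares their guessing entropy with that of the short passwords the crackers above feed on. The word list and the one-billion-guesses-per-second rate are constructed assumptions for illustration; a real diceware-style list has thousands of words.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list. A real list has thousands
# of words; passphrase entropy grows with log2(list size) per word.
SAMPLE_WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "glacier",
                "harbor", "iris", "juniper", "kestrel", "lumen", "marble", "nectar"]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length=20, alphabet=PRINTABLE):
    """Each character drawn independently from the CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=SAMPLE_WORDS, count=6, sep="-"):
    """Randomly chosen words: far easier to memorise as a master passphrase than symbols."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, length):
    """Entropy of a secret whose `length` symbols are each chosen uniformly from `pool_size`.

    Only random selection earns this figure: a human-chosen '123456' is six digits
    but sits at the top of every cracker's wordlist, so its effective entropy is ~0.
    """
    return length * math.log2(pool_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possibility at an assumed guess rate (brute-force ceiling)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second=1e9):
    """Rows of (label, entropy bits, years to exhaust) for typical password shapes."""
    cases = [
        ("6-digit PIN", 10, 6),
        ("8 printable chars", 94, 8),
        ("20 printable chars (manager)", 94, 20),
        ("6 words from 7776-word list", 7776, 6),
    ]
    return [(label, entropy_bits(p, n), years_to_exhaust(entropy_bits(p, n), guesses_per_second))
            for label, p, n in cases]


if __name__ == "__main__":
    print("example password:  ", random_password())
    print("example passphrase:", random_passphrase())
    for label, bits, years in compare():
        print(f"{label:30s} {bits:6.1f} bits  ~{years:.3g} years at 1e9 guesses/s")
```

The entropy figure is only a brute-force ceiling: the 60 to 90 percent recovery rates quoted above come from wordlist and rule-based guessing of human-chosen passwords, which never reach it, so the generator, not the length requirement, is what buys the protection.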