Darren Guccione argues that when it comes to online passwords, it’s best to keep things complicated
Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17% of people are safeguarding their accounts with ‘123456’. What really perplexed us is that so many website operators are not enforcing password security best practices.
Using external, public data sources we scoured 10 million passwords from data breaches that happened in 2016. A few things jumped out:
· The list of most-frequently used passwords has changed little over the past few years. That means that user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.
· Four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter. This is stunning in light of the fact that, as we’ve reported, today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.
· The presence of passwords like ‘1q2w3e4r’ and ‘123qwe’ indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Dictionary-based password crackers know to look for sequential key variations. At best, it sets them back only a few seconds.
· Email providers don’t appear to be working all that hard to prevent the use of their services for spam. Security expert Graham Cluley believes that the presence of seemingly random passwords such as ‘18atcskd2w’ and ‘3rjs1la7qe’ on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favour by flagging this kind of repetition and reporting the guilty parties.
We can criticise all we want about the chronic failure of users to employ strong passwords, but the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother.
Most Common Password Mistakes to Avoid
A friend recently told me a scary story about why he changed the password on his account with one of the leading online securities trading firms. He was perusing his six-figure portfolio when it occurred to him that he hadn’t changed his password in a while. Quite a while, it turned out: about nine years.
He was further dismayed to realise that the password he had been using all that time – the name of a beloved pet followed by a single number – could probably be guessed by anyone who followed him on social media. For a sophisticated password cracking program, guessing it would be a layup.
Surprisingly, many online services don’t regularly challenge customers to change their passwords, despite the fact that password-cracking technology has advanced by leaps and bounds. Bad guys now follow their victims on social networks to mine keywords that they feed into malicious programs that use machine intelligence to test variations until the door is unlocked. A small fortune may be protected by the cyber security equivalent of tin foil.
No one likes passwords, but they are more important than ever these days. And the ones that worked for you five years ago are probably useless today. If your money, health records or any other personally identifiable information (PII) is at stake, you owe it to yourself to use a secure, random code that a machine can’t guess. As you go about resetting your passwords, avoid these eight common mistakes.
1. Using the same password everywhere
The easiest way to remember a password is to use only one, but that’s also the fastest route to disaster. Once a successful phishing attack captures that password – and studies have found that as many as 97% of people can’t detect a phishing email – the attacker essentially has the keys to the kingdom. While it’s probably OK to use the same password for sites that don’t store any PII, you should use different and secure passwords in any situation where your identity or financial information could be compromised.
2. Varying passwords with a single character
This is a trap many people fall into when asked to change their passwords; they comply by changing a 12 to a 13. Password-guessing programs are wise to this trick and can sniff it out in seconds.
A variation of this dangerous practice is to include a non-alphanumeric character by tacking ‘!’ onto the end of your existing password. That’s the oldest dodge in the book, and password crackers are wise to it. Non-alphanumeric characters should be used within the password, not at either end.
3. Using personal information in passwords
Avoid using names of relatives, celebrities, sports teams, pets or any other common terms in your passwords. Cracking software automatically looks for the most common combinations like Yoda123. Don’t think that you can protect yourself by invoking personal information like the name of a loved one or your high school mascot. Social networks make it straightforward for crooks to harvest that information.
You also shouldn’t assume that adding a string of characters to a common name is protection enough. Password crackers know this trick and cycle through combinations of common names and numbers until they hit the right one. The only safe password is one with random – or seemingly random – sets of characters.
4. Sharing passwords with others
You might have the strongest password in the world, but if you share it with someone who stores it in an email account protected by ‘qwerty’, it won’t make a bit of difference. Your passwords are for your eyes only.
5. Using passwords that are too short
A decade ago, a five- or six-character password was enough to beat most cracking programs, but computers are so much faster now that a six-character password can be guessed by a brute-force attack. Think 12 characters at a minimum.
6. Storing passwords in plain text
One easy way to remember passwords is to store them in a spreadsheet or mail them to yourself. Bad idea. Have you heard of ransomware? It’s the fastest-growing category of malware. Criminals hold your data hostage until you pay them a ransom. In the meantime, they scour your hard drive looking for anything that resembles a password list. Once they find it, the ransom payment is the least of your problems.
7. Using recognisable keystroke patterns
‘1qaz2wsx’ may seem like a pretty tough password to guess until you look at your keyboard and notice the pattern. A random series of letters and numbers must be truly random to have a chance.
8. Substituting numbers for letters
This used to be an effective technique, but ‘Spr1ngst33n’ doesn’t survive a determined attack any more. The software is onto that trick.
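As an added example (not code from this article or from Keeper), here is the kind of policy check a website operator could run when a user sets a password, catching the mistakes above that a server can actually see: too short, on the common list, keyboard walks like 1qaz2wsx, sequential runs, pet or team names, leetspeak like Spr1ngst33n, and the “change a 12 to a 13!” dodge. The common-password excerpt, the dictionary and the QWERTY layout are constructed stand-ins for the real lists a site would load.

```python
import string

# Constructed excerpt of the common-password list the article discusses, not the full dataset.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123qwe", "1q2w3e4r", "1qaz2wsx"}
# Constructed stand-in for a cracker's dictionary (mistakes 3 and 8).
DICTIONARY = {"springsteen", "yoda", "fluffy", "tigers"}
# Fold leetspeak back to letters (mistake 8): 0->o 1->i 3->e 4->a 5->s 7->t 8->b @->a $->s !->i
LEET = str.maketrans("0134578@$!", "oieastbasi")
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {c: (r, i) for r, row in enumerate(ROWS) for i, c in enumerate(row)}

def adjacent(a, b):
    """True if a and b are neighbouring QWERTY keys (same row, same column or diagonal)."""
    if a not in POS or b not in POS or a == b:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1

def longest_run(pw, step):
    """Length of the longest run of characters where step(a, b) holds for each adjacent pair."""
    best = cur = 1
    for a, b in zip(pw, pw[1:]):
        cur = cur + 1 if step(a, b) else 1
        best = max(best, cur)
    return best

def core(pw):
    """Drop a trailing digit/symbol suffix: the 'password12 -> password13!' dodge (mistake 2)."""
    return pw.rstrip(string.punctuation + string.digits).lower()

def check_password(pw, previous=(), personal=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    low, folded, problems = pw.lower(), pw.lower().translate(LEET), []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if low in COMMON_PASSWORDS or folded in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if longest_run(low, adjacent) >= 4:
        problems.append("contains a keyboard walk such as 1qaz or 1q2w")
    if longest_run(low, lambda a, b: abs(ord(a) - ord(b)) == 1) >= 4:
        problems.append("contains a sequential run such as 1234 or abcd")
    if any(w in folded for w in DICTIONARY):
        problems.append("contains a dictionary word, even with 1/3 substituted for i/e")
    if any(p.lower() in folded for p in personal if len(p) >= 3):
        problems.append("contains personal information such as a pet or team name")
    if any(core(pw) == core(old) for old in previous):
        problems.append("is a previous password with only the trailing digit or symbol changed")
    if set(pw) & set(string.punctuation) and not set(pw[1:-1]) & set(string.punctuation):
        problems.append("puts its only symbols at an end; use them inside the password")
    return problems
```

Because leetspeak is folded before the dictionary and common-list checks, ‘Spr1ngst33n’ is rejected for the same reason ‘springsteen’ would be.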
Your best bet is to use a password manager protected by strong encryption. The best ones generate secure passwords for you and give you total protection with two-factor authentication.