What you don’t know about passwords might hurt you

Joe Kissell (Macworld.com)
27 November 2012, 15:19

I don't mean to alarm you, but... well, actually I do. Your password strategy, if you have one at all, might be seriously out of date. In recent months, several well-publicized attacks on major online services exposed users' passwords. For example, in June 2012, more than six million LinkedIn passwords were stolen and posted online. Just over a month later, over 450,000 Yahoo passwords were leaked. Apart from the direct damage that can come from having one's password made public, these security breaches revealed that vast numbers of people follow dangerous password practices that can result in far worse problems.

If you haven't examined your approach to making and using passwords recently, now is a good time to rethink your assumptions. Here are a few important facts about passwords you may not have realized, and what they mean for you.

Password reuse is a major danger

You know how it is: every time you turn around, another website or online service wants you to create a new password. Because that's so tedious to do, many people rely on shortcuts. But these shortcuts can get you in trouble. As a case in point, consider the common practice of using the same password for multiple sites.

Suppose you signed up for a LinkedIn account and used the same password you had previously chosen for your Gmail account. Then, in June, you were one of the unlucky people whose LinkedIn password was leaked. An enterprising hacker who knew your LinkedIn password could easily have tried it with other popular services, so getting access to your Gmail account would suddenly be trivial. That's a problem not just because someone could read or delete your email, but because you might use your Gmail address to access or reset other passwords. If the hacker clicked the "forgot password" link on another site, he could then check your email to get access to accounts that use other passwords. Even reusing a single password in two places could, in this way, cause cascading problems.

The best antidote to a password reuse habit is a password manager, such as 1Password ($40) or LastPass (free; premium service, $12 per year). These tools can generate passwords for you, store them securely, and fill them in on websites with a click or keystroke. That makes it painless to maintain a different password for each site or service.

Hackers know your little password tricks

Faced with the need to come up with a new password, the next-biggest crutch after reusing passwords is to pick something that's extremely easy to remember and type. As the lists of stolen passwords and other security research show, an awful lot of people still use "123456", "password", "baseball", and other simple strings. That means these and the next several thousand most common passwords will be the first things a hacker tries when attempting to break into an account. Common dictionary words, names, and dates are also easy to check, and should therefore be avoided.

Appending a number to a common word ("password1" or "baseball9") is a frequently used method to comply with "must contain a digit" rules. So is substituting numbers or symbols for letters (you know, things like "p@ssw0rd" or "b4s3b411"), and so is using patterns of keys on the keyboard such as "edcrfvtgb". The problem is, hackers are well aware of such techniques. As soon as someone invents a new method for creating better passwords (such as padding a shorter password with repeated punctuation), the bad guys adapt their methods accordingly, erasing whatever advantage the new method may have offered. So, don't count on cleverness to protect your password. It might take a few milliseconds longer to guess "1d0ntkn0w" than "Idontknow", but remember, you're up against machines that can make any imaginable substitution in the blink of an eye.

You want to make your passwords unguessable, even by someone smarter than you! The best way to do this is to make them random strings of characters, including uppercase and lowercase letters, numbers, and punctuation. It's very hard for a human to create a truly random password, but it's easy for a computer to do. So, once again, relying on a password manager instead of your brain is the way to go.
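The point of the last two sections, from the defender's side, is that a registration or password-change form should reject not only the common passwords themselves but their cheap mutations, and that replacement passwords should come from a CSPRNG rather than a person. The following Python is an added example written for this article, not code from the author, Macworld, 1Password or LastPass. The common-password list is a constructed ten-entry sample standing in for a real breach-derived list, the leet table and the QWERTY adjacency rule are approximations, and the 0.6 keyboard-walk threshold and 12-character floor are assumptions taken from the article's "12-to-14 random characters" advice.

```python
import re
import secrets
import string

# Constructed sample of a "most common passwords" list. A real deployment would
# load a much larger list (tens of thousands of entries from published breach
# corpora) from a file; these entries only exist so the example runs offline.
COMMON_PASSWORDS = {
    "123456", "password", "baseball", "qwerty", "letmein", "iloveyou",
    "idontknow", "football", "monkey", "dragon", "welcome", "abc123",
}

# Reverse "leet" substitutions. "1" is ambiguous (i or l), so two tables are
# tried; any further ambiguity can be handled the same way.
_LEET_COMMON = {"@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s",
                "7": "t", "!": "i", "|": "l"}
LEET_TABLES = [
    str.maketrans({**_LEET_COMMON, "1": "l"}),
    str.maketrans({**_LEET_COMMON, "1": "i"}),
]

# QWERTY letter rows, used to recognise keyboard walks such as "edcrfvtgb".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 12          # floor taken from the article's 12-to-14 advice (assumed)
WALK_THRESHOLD = 0.6     # fraction of adjacent key pairs that flags a walk (assumed)


def _adjacent_keys():
    """Set of (key, key) pairs that sit next to each other on a QWERTY board.
    Rows are offset by about half a key, so a one-row step with a column offset
    of at most one is treated as adjacent (an approximation, good enough here)."""
    pos = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}
    return {
        (a, b)
        for a, (ra, ca) in pos.items()
        for b, (rb, cb) in pos.items()
        if a != b and abs(ra - rb) <= 1 and abs(ca - cb) <= 1
    }


ADJACENT = _adjacent_keys()


def canonical_forms(password):
    """All the simpler strings a password collapses to once the cheap mutations
    the article lists are undone: case, leet substitutions, appended digits or
    symbols, and padding with a repeated punctuation character."""
    forms = set()
    base = password.lower()
    for table in [None] + LEET_TABLES:
        p = base if table is None else base.translate(table)
        forms.add(p)
        # password1, baseball9, hunter2!! -> strip the trailing run of non-letters
        stripped = re.sub(r"[^a-z]+$", "", p)
        forms.add(stripped)
        # ***secret*** or password!!!!!! -> strip a repeated leading/trailing symbol
        unpadded = re.sub(r"^([^a-z0-9])\1*|([^a-z0-9])\2*$", "", p)
        forms.add(unpadded)
        forms.add(re.sub(r"[^a-z]+$", "", unpadded))
    forms.discard("")
    return forms


def keyboard_walk_fraction(password):
    """Fraction of consecutive character pairs that are neighbouring keys."""
    p = password.lower()
    pairs = list(zip(p, p[1:]))
    if not pairs:
        return 0.0
    return sum((a, b) in ADJACENT for a, b in pairs) / len(pairs)


def weaknesses(password):
    """Return the list of reasons a password is weak; an empty list means none found."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if canonical_forms(password) & COMMON_PASSWORDS:
        reasons.append("common_password")
    if len(password) >= 6 and keyboard_walk_fraction(password) >= WALK_THRESHOLD:
        reasons.append("keyboard_walk")
    return reasons


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG, the way a password manager does it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["p@ssw0rd", "b4s3b4119", "1d0ntkn0w", "edcrfvtgb", "!!!!password!!!!"]:
        print(f"{candidate!r:20} -> {weaknesses(candidate)}")
    print("generated:", generate_password())
```

Note that the checker works on canonical forms rather than on a list of mutated passwords: undoing the leet substitution and the appended digit is cheaper than enumerating every variant, and it is exactly the reason those tricks buy only "a few milliseconds" against an attacker who applies the same normalisation in reverse.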

14 is the new 8

Suppose an attacker is determined to get into your account, and the quick-and-easy hacks (such as checking dictionary words, along with common mutations) have failed. What then? The next step is to use brute force to try every possible password one at a time. Unfortunately, it's becoming easier and easier to find a match using this technique. A few years ago, a reasonably powerful system might have been expected to check a million potential passwords per second. Today, a single off-the-shelf PC can check several billion passwords per second, and a network of computers can check many times that amount. Many systems have safeguards in place that limit how frequently passwords can be guessed, or shut down after a certain number of incorrect attempts. But if an attacker gets direct access to the password-protected data and no longer has to go through the front door, as it were, those safeguards become moot.

As a result, the advice you've read in the past about what counts as a secure password may no longer be valid. For example, in order to protect against a brute-force attack, a password with eight or nine random characters is no longer sufficient. Experts now routinely recommend longer passwords, often in the 12-to-14 character range. And that's for passwords randomly generated by a computer. Passwords you create by hand must almost always be longer to have the equivalent strength.

All password managers let you select the password length you want, and my advice is that for any password that can be entered for you by an app (or copied and pasted), you might as well use the longest password the target service will accept. After all, the same keystroke that fills in a nine-character password can fill in one with 14 characters.

Of course, there are certain passwords that you must commit to memory, or that for one reason or another must be entered manually. For such passwords, you can use a longer but less-complex password to achieve comparable levels of security, a principle I discuss later this week in "How to remember passwords".
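The "14 is the new 8" argument and the "longer but less complex" trade-off above are both just keyspace arithmetic, and it is worth seeing the numbers. The Python below is an added example written for this article, not the author's or Macworld's code. The one-million and several-billion guess rates come from the text; the 5e9 figure standing in for "several billion", the 1e11 figure for a small cluster, and the 94-character printable-ASCII alphabet are constructed assumptions. It computes how long exhaustive search takes at each rate for lengths 8 through 14, and how many lowercase-only characters match the strength of 14 random printable ones.

```python
import math

PRINTABLE_ASCII = 94   # letters, digits and punctuation, as a password manager would use
LOWERCASE = 26         # alphabet of a typed, letters-only password

# Guess rates: a million per second "a few years ago" and "several billion" on one
# PC today are from the article; 5e9 and 1e11 are constructed stand-in figures.
RATES = {
    "old PC (1e6/s)": 1e6,
    "one PC today (5e9/s)": 5e9,
    "small cluster (1e11/s)": 1e11,
}


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Time to try every password of this length. On average the attacker
    finds a match after half this long, so treat it as an upper bound."""
    return keyspace(length, alphabet_size) / guesses_per_second


def equivalent_length(target_length, target_alphabet, alphabet_size):
    """Smallest length over `alphabet_size` with at least the strength of
    `target_length` random characters over `target_alphabet`: the 'longer but
    less complex' trade-off for passwords you have to type or memorise."""
    bits = entropy_bits(target_length, target_alphabet)
    return math.ceil(bits / math.log2(alphabet_size))


def human_duration(seconds):
    """Render seconds as a rough human-readable duration."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(lengths=(8, 9, 12, 14), alphabet_size=PRINTABLE_ASCII):
    """One row per length: entropy in bits and exhaustive-search time per guess rate."""
    rows = []
    for n in lengths:
        row = {"length": n, "bits": round(entropy_bits(n, alphabet_size), 1)}
        for label, rate in RATES.items():
            row[label] = human_duration(seconds_to_exhaust(n, alphabet_size, rate))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
    print("lowercase-only length matching 14 random printable characters:",
          equivalent_length(14, PRINTABLE_ASCII, LOWERCASE))
```

Two rows tell the story: eight random printable characters take well over a century at a million guesses per second but about two weeks at five billion, while fourteen characters stay out of reach even for the cluster. The last line shows the price of the memorable option: about 20 lowercase letters carry the same strength as 14 random printable characters.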
