Columnists

Forget your online passwords

Alistair Fairweather

Alistair Fairweather doesn't need to remember any of his online passwords anymore, which means he can make them longer and more secure. Here's how.

Password management systems have become more popular as hackers have become smarter. (Reuters)

I don't know my internet banking password. I don't know my Facebook password either, or my webmail password. I couldn't even tell you the first three letters. And no, I don't have them written down in a book or saved on my phone.

Since two months ago, I only have two passwords to remember: the one that allows me to access the network at the Mail & Guardian offices, and the one that unlocks my password management system. I use 1Password, which has several alternatives on the market.

This system securely stores all my passwords and automatically enters them whenever I need to log into anything online. So whether I'm checking my bank balance or my Twitter account, I just hit a couple of keys, type in one completely private password and voilà, I'm in.

But the real beauty of the system is that it allows me to make extremely long and complex passwords. Most of mine are now 30 characters long and look something like this: pFutJhNcozRmDMO_LeiK2{Yvsdr3jP. And no, this isn't one of my passwords. Or at least, I don't think it is.

Why would I want such ludicrously long passwords? I'm not famous or important, so who would want to hack my accounts? But those questions miss the point. Hacking has evolved from something that nerds with bad breath did in their mothers' basements to a heady mix of big business and competitive sport.

In the last three years alone, hundreds of million passwords and email addresses have been stolen from major online services and then leaked online by the hackers. A single hack in October this year exposed the passwords and email addresses of over 150-million Adobe customers. And that was the worst in a series of massive hacks. Sites have sprung up that allow you to check if your email address was caught up in any of the largest hacks.

The Adobe passwords were encrypted, at least, meaning they needed to be unscrambled before they could be used to log in and cause mischief. Unfortunately Adobe's encryption method was quite weak and security experts were quickly able to decipher many of them. The most popular password, used by nearly two-million people, was "123456". Oh dear.

The immediate solution to this leak was obvious enough: Adobe forced all its customers to reset their passwords and refused to accept anything very weak like "abcdef" or "password". But the long-term ramifications are much more sinister and difficult to mitigate.

For instance, do you have distinctly and substantially different passwords for every online service you use? If so, you're extremely unusual. Most people have only a handful of passwords which they share across everything from email to social networks to cloud storage services. So if you were unlucky enough to have your favourite password revealed by a massive data breach, along with your email address, you would be a sitting duck for everyone from identity thieves to corporate espionage agents to spammers looking for "clean" addresses to abuse.

But perhaps the most significant danger is what these data leaks teach hackers, and their software, about the nature of the average password. Although modern hackers have many tools at their disposal, including simply phoning you and pretending to be your IT department, a significant number of hacks are still achieved using a method called a brute force attack.

These attacks involve several computers (sometimes thousands of them) essentially guessing the correct password thousands or even millions of times a second. To do this they literally use dictionaries – guessing every word and word combination until they hit on the right one. Most security conscious services, like banks, will quickly shut off an account after a small number of incorrect guesses, but many services still don't have these safeguards.

What these massive data leaks do is provide a huge arsenal of more realistic "guesses" for hackers to use. They also reveal how human beings think en masse. Since brute force hacking is essentially an exercise in high level statistics, data sets like the Adobe hack are priceless.

This might seem quite depressing – as though we're all doomed to have our emails read by perverts and our bank accounts raided by pimply teenagers. But simply using stronger passwords will make hacking harder both individually and collectively.

Security experts will tell you that what really matters in passwords is length, not complexity. We've been trained by well meaning IT geeks to think strings like p@sSw0rD are more difficult to crack than a phrase like "bright donkey cheese chest". In reality, given a moderate amount of computing power, the first password could be cracked in less than 24 hours. The second one, by comparison, would take billions upon billions of years and is arguably easier to remember.

The only thing better than a long password? A long and complex password. Given that hackers are using software to trample all over our security, the best defence is to fight fire with fire. Enter my trusty password service. It syncs (securely) across all my devices (phone, tablet and laptop) and means that I literally don't know any of my own passwords (except the really important one).

I must admit I was nervous a first. A lifetime of remembering passwords left me feeling a bit uneasy about giving up that habit. But I've had to accept something that the hackers realised a long while ago: some things are best left to computers.


Topics In This Section

Comments

blog comments powered by Disqus