What you don’t know about passwords might hurt you
By Joe Kissell, Macworld
I don’t mean to alarm you, but—well, actually I do. Your password strategy, if you have one at all, might be seriously out of date. In recent months, several well-publicized attacks on major online services exposed users’ passwords. For example, in June 2012, more than six million LinkedIn passwords were stolen and posted online. Just over a month later, over 450,000 Yahoo passwords were leaked. Apart from the direct damage that can come from having one’s password made public, these security breaches revealed that vast numbers of people follow dangerous password practices that can result in far worse problems.
If you haven’t examined your approach to making and using passwords recently, now is a good time to rethink your assumptions. Here are a few important facts about passwords you may not have realized—and what they mean for you.
Password reuse is a major danger
You know how it is—every time you turn around, another website or online service wants you to create a new password. Because that’s so tedious to do, many people rely on shortcuts. But these shortcuts can get you in trouble. As a case in point, consider the common practice of using the same password for multiple sites.
Suppose you signed up for a LinkedIn account, and you used the same password you previously chose for your Gmail account. Then, in June, you were one of the unlucky people whose LinkedIn password was leaked. An enterprising hacker who knew your LinkedIn password could have easily tried it with other popular services, so getting access to your Gmail account would suddenly be trivial. That’s a problem not just because someone could read or delete your email, but because you might use your Gmail address to access or reset other passwords. If the hacker clicked the “forgot password” link on another site, he could then check your email to get access to accounts that use other passwords. Even reusing a single password in two places could, in this way, cause cascading problems.
The best antidote to a password reuse habit is a password manager, such as 1Password ($40) or LastPass (free; premium service, $12 per year). These tools can generate passwords for you, store them securely, and fill them in on websites with a click or keystroke. That makes it painless to maintain different passwords for each site or service.
Hackers know your little password tricks
Faced with the need to come up with a new password, the next-biggest crutch after reusing passwords is to pick something that’s extremely easy to remember and type. As the lists of stolen passwords and other security research show, an awful lot of people still use “123456,” “password,” “baseball,” and other simple strings. That means these and the next several thousand most common passwords will be the first things a hacker tries when attempting to break into an account. Common dictionary words, names, and dates are also easy to check, and should therefore be avoided.
Appending a number to a common word (“password1” or “baseball9”) is a frequently used method to comply with “must contain a digit” rules. And so is substituting numbers or symbols for letters—you know, things like “p@ssw0rd” or “b4s3b411”—and using patterns of keys on the keyboard such as “edcrfvtgb.” Problem is, hackers are well aware of such techniques. As soon as someone invents a new method for creating better passwords (such as padding a shorter password with repeated punctuation), the bad guys adapt their methods accordingly, erasing whatever advantage the new method may have offered. So, don’t count on cleverness to protect your password. It might take a few milliseconds longer to guess “1d0ntkn0w” than “Idontknow” but remember, you’re up against machines that can make any imaginable substitution in the blink of an eye.
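As an added illustration, not code from the article, here is the kind of defensive check a site can run at sign-up: it undoes the substitutions and trailing-digit tricks described above before consulting a blocklist, and flags keyboard walks such as "edcrfvtgb". The blocklist, the simplified keyboard grid and the 14-character minimum are assumptions constructed for the example.

```python
import re

# Constructed sample blocklist; a real deployment loads the top leaked passwords.
COMMON_PASSWORDS = {"123456", "password", "baseball", "qwerty", "letmein", "idontknow"}

# Undo the letter-for-symbol substitutions the article describes ("p@ssw0rd", "b4s3b411").
LEET_BASE = {"@": "a", "4": "a", "3": "e", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
# "1" is ambiguous (l or i, as in "b4s3b411" and "1d0ntkn0w"), so both readings are tried.
LEET_MAPS = [str.maketrans({**LEET_BASE, "1": sub}) for sub in ("l", "i")]

# Simplified US keyboard grid (assumed) for spotting key walks.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}
MIN_LENGTH = 14  # assumed policy minimum, following the article's "14 is the new 8"


def keyboard_walk_fraction(s: str) -> float:
    """Share of consecutive character pairs that are the same key or neighbouring keys."""
    pairs = list(zip(s, s[1:]))
    if not pairs:
        return 0.0
    adjacent = 0
    for a, b in pairs:
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            if max(abs(r1 - r2), abs(c1 - c2)) <= 1:
                adjacent += 1
    return adjacent / len(pairs)


def weak_password_reasons(pw: str) -> list:
    """Return the reasons a candidate would be rejected; an empty list means it passes."""
    reasons = []
    lowered = pw.lower()
    # Candidate spellings: as typed, with substitutions undone, and with trailing digits removed.
    candidates = {lowered} | {lowered.translate(m) for m in LEET_MAPS}
    candidates |= {re.sub(r"\d+$", "", c) for c in candidates}   # "baseball9" -> "baseball"
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if candidates & COMMON_PASSWORDS:
        reasons.append("common password (after undoing substitutions and trailing digits)")
    if len(lowered) >= 6 and keyboard_walk_fraction(lowered) >= 0.75:
        reasons.append("keyboard pattern")
    return reasons
```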
You want to make your passwords unguessable, even by someone smarter than you! The best way to do this is to make them random strings of characters, including uppercase and lowercase letters, numbers, and punctuation. However, it’s very hard for a human to create a truly random password, but it’s easy for a computer to do. So, once again, relying on a password manager instead of your brain is the way to go.
14 is the new 8
Suppose an attacker is determined to get into your account, and the quick-and-easy hacks (such as checking dictionary words, along with common mutations) have failed. What then? The next step is to use brute force to try every possible password one at a time. Unfortunately, it’s becoming easier and easier to find a match using this technique. A few years ago, a reasonably powerful system might have been expected to check a million potential passwords per second. Today, a single off-the-shelf PC can check several billion passwords per second, and a network of computers can check many times that amount. Many systems have safeguards in place that limit how frequently passwords can be guessed, or shut down after a certain number of incorrect attempts. But if an attacker gets direct access to the password-protected data and no longer has to go through the “front door,” as it were, those safeguards become moot.
As a result, the advice you’ve read in the past about what counts as a secure password may no longer be valid. For example, in order to protect against a brute-force attack, a password with eight or nine random characters is no longer sufficient. Experts now routinely recommend longer passwords, often in the 12-to-14 character range. And that’s for passwords randomly generated by a computer. Passwords you create by hand must almost always be longer to have the equivalent strength.
All password managers let you select the password length you want, and my advice is that for any password that can be entered for you by an app (or copied and pasted), you might as well use the longest password the target service will accept. After all, the same keystroke that fills in a nine-character password can fill in one with 14 characters.
Of course, there are certain passwords that you must commit to memory, or that for one reason or another must be entered manually. For such passwords, you can use a longer but less-complex password to achieve comparable levels of security—a principle I discuss later this week in “How to remember passwords.”