Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

10/17/2011

Your Password Is Too Weak!

Filed under: Advice from your Uncle Jim,Geek Work,News and Current Events,The Dark Side — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:19 am for you boring, normal people.
The moon is Waning Gibbous

No, seriously, it is.

If it makes you feel any better, most people’s passwords are too weak.
I suppose you think it doesn’t matter how “strong” your Gmail (or Hotmail or whatever free email you use) password is, right?  Well, you’d be wrong.  I recently read an account of how one person’s Gmail account was hacked and used to spam her friends and try to get them to send the hacker money, all while posing as her.  Of course, that was after the attacker deleted more than 4 gigabytes of stored messages and photos.  You can read that account, as told by her husband, over at the Atlantic, in an article titled “Hacked!”  It’s worth reading, especially if you’re not in the IT business.  And, frankly, even for a fellow professional computer geek, it might be eye-opening to see how hacked email accounts are being used these days.  I have to admit, I was a little surprised that the attacker in question actually used the account personally to try to con money out of the victim’s friends and family.

I was not, however, all that shocked to see how many accounts are compromised on a regular basis.  Think thousands.  Daily.
Right, so thousands of email accounts on which people depend are hijacked, used and abused every day.  If it hasn’t happened to you, it’s probably only a matter of time.  So, how do they do it?  Reused, easily guessable passwords.
Yes, it’s that easy.
Stop for a minute and think about how many passwords you use on a regular basis.  How many are the same?  How many accounts do you have for things like bank accounts and credit cards and medical records that use the same password as your email?  And how many of those accounts use that same email address as the username?
Getting the picture?

So, what do you do?
First, stop reusing passwords.
Second, make more secure passwords.  And, don’t think that the old trick of replacing “L” with the numeral one or the letter “O” with the numeral zero will work, either.  The hackers are on to that: those substitutions are built into the rules that password-cracking tools apply to every dictionary word, so they add only a handful of extra guesses per word.  It’s better to use words that are not in the dictionary.  So, yes, made-up words.  Or, even better, phrases, which is what I’ve recommended for some time.  A phrase of several randomly chosen words is strong because of its length, not its cleverness, and it is still something you can actually remember.  Having a hard time coming up with one?  Try using one generated randomly for you at passphra.se, a random passphrase generator which was inspired by an XKCD comic.  The comic explains the reasoning behind the passphrase idea and the generator.  Also, XKCD is pretty funny and if you’re geeky like me at all, it’s well worth checking out.
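To see why the comic’s advice holds up, here is a short worked example written for this page; it is not code from the post, from passphra.se or from XKCD.  It counts how many guesses an attacker who knows the digit-substitution trick needs to cover a dictionary word, against a phrase of words picked at random from a word list, and assumes the attacker holds the same dictionary and word list.  The word list, the dictionary size and the two guess rates are constructed for illustration, not measured.

```python
"""Added example (not the post's own code): why a random multi-word
passphrase beats a dictionary word dressed up with digit substitutions.

Assumptions: the attacker knows the substitution trick and applies it to
every word in a dictionary, and the passphrase words are chosen uniformly
at random from a word list the attacker also has.  The word list below is
a small constructed sample standing in for a real one (Diceware lists
have 7776 words); pass a full list in practice.
"""
import math
import secrets

# Constructed sample word list; a real list would be thousands of words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cactus", "lantern", "orbit", "velvet"]

# Common letter-to-digit substitutions that cracking rule sets try.
LEET_MAP = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

SECONDS_PER_YEAR = 365 * 24 * 3600


def leet_variants(word: str) -> int:
    """Number of strings an attacker must try to cover every way of
    applying LEET_MAP to `word`: each substitutable letter is either
    replaced or left alone, so 2 ** (count of such letters)."""
    substitutable = sum(1 for ch in word.lower() if ch in LEET_MAP)
    return 2 ** substitutable


def leet_word_bits(word: str, dictionary_size: int) -> float:
    """Entropy in bits of 'one dictionary word, maybe with substitutions'
    against an attacker who enumerates dictionary * variants guesses."""
    return math.log2(dictionary_size * leet_variants(word))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy in bits of n words picked uniformly from a list of
    wordlist_size words (order matters, repeats allowed)."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep=" ") -> str:
    """Pick n words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    online_rate = 1e3     # assumed: throttled guessing against a live login
    offline_rate = 1e10   # assumed: cracking a leaked fast hash on GPUs
    word_bits = leet_word_bits("password", dictionary_size=100_000)
    phrase_bits = passphrase_bits(4, wordlist_size=7776)
    print(f"'p4ssw0rd'-style word:  {word_bits:5.1f} bits")
    print(f"4-word Diceware phrase: {phrase_bits:5.1f} bits")
    for label, rate in (("online", online_rate), ("offline", offline_rate)):
        print(f"  {label:7s} word {years_to_exhaust(word_bits, rate):.2e} yr,"
              f" phrase {years_to_exhaust(phrase_bits, rate):.2e} yr")
    print("sample phrase:", generate_passphrase(4))
```

Run it and compare the two figures: a four-word phrase from a 7776-word list carries roughly 52 bits, while a 100,000-word dictionary with substitutions comes to about 21 bits.  At the assumed throttled online rate the substituted word falls in well under an hour and the passphrase takes on the order of a hundred thousand years; a leaked hash cracked offline moves both numbers down but keeps the gap.  The ordering, not the exact years, is the point.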

In today’s world, we’re way too interconnected and digital and reliant on those systems to have relaxed security.  It doesn’t matter if you’re a geek or not.  Please, think about your passwords and how easily they might be compromised.  Then think about what that might mean to your life, digital and otherwise.
Now, if you’ll excuse me, I have to go change some passwords…


Advice from your Uncle Jim:
"In life, as in football, you don't go far unless you know where the goalposts are."
   --Arnold Glasgow

5 Comments

  1. While I agree (and have advocated for years) with the use of a passphrase for a password, I think that you missed a very important alternative that is worth considering: a password vault.
    Having the ability to only need to remember one really good password and then randomly generate all of the rest makes not only for pretty secure accounts, but if one happens to get hacked, the rest are not compromised.
    Many of these programs (I use KeePass) can be used across multiple devices and platforms, which makes keeping them in sync a snap.

    Comment by AustinLinuxGuy — 10/17/2011 @ 8:51 am

  2. While I understand what you’re saying, I still see the fact that everything is in one place, the password vault, as a weak point. There’s a single point of failure there. If your password vault password gets hacked, you’re screwed. If your password vault system or service goes down for any reason, you’re screwed.

    Seriously, I know a lot of people like these kinds of password management systems, but I’m very leery of anything that has a single point of failure, no matter how good the system is.

    Comment by the Network Geek — 10/17/2011 @ 8:57 am

  3. I see your point, but for those of us that are truly paranoid, there are additional ways to protect this information, including two factor authentication.

    I also think the risk is minimized by the fact that you would actually have to get to my desktop to have a chance to hack my password vault password as opposed to trying to hack my Facebook or Yahoo account which can be done from anywhere. Let’s face it, if you do not have a way to manage your passwords, you are reusing them across multiple accounts because there are just too many accounts for us to remember a unique password for each one. You hack one, you hack them all, so the end result is pretty much the same.

    Comment by AustinLinuxGuy — 10/18/2011 @ 8:41 am

  4. Oh, no, I do see your point, but I think you may be missing mine. If something happens to that one PC, like, say, a lightning strike or theft or, well, anything that keeps you from getting to your password vault, then you’ve lost ALL your passwords. That’s what I mean by a “single point of failure”. If that one machine fails, all your passwords are gone and you’re left trying to sort it out.

    On the other hand, yes, of course, passwords get recycled. But, you can spread risk by using multiple passwords on multiple systems with as little overlap as possible. And, of course, use better passwords by using a pass phrase instead of a single word. Mathematically speaking, it is more secure than a single word.
    I’ve just seen too many “foolproof systems” fail because they had too many moving parts, so to speak, and when ONE of them failed, the whole system collapsed. But, I’m old fashioned. I know lots of people have been using those password vaults for a long time and quite successfully.

    Comment by the Network Geek — 10/18/2011 @ 8:53 am

  5. I understand what you’re saying, and I will concede the point for an average end user. I would say that those of our ilk, however, would have no excuse as we understand how important backups are and should never have a single point of failure.

    Comment by AustinLinuxGuy — 10/19/2011 @ 7:55 am
