I helped a friend recently with his wireless home network. He couldn’t get it to work with his upstairs office computer even though it was picking up the network. While there I asked for the password so I could troubleshoot it and see what the issue was. He hemmed and hawed a bit and mentioned he had security concerns about giving it out but finally relented when I told him there wasn’t much I could do to help without it. Then he sounded off the names of his wife and four kids along with their year of birth. The password was something like this: karen1960don1964katie1996barbara1998kevin2000don2002.
All that for a home wi-fi network with a range of about 50 yards. The nearest house was about a half-mile away. There’s no question passwords are very misunderstood and what they offer in security is probably the biggest misunderstanding of all.
Passwords are the Achilles heel of everything we do online and for the most part the security they offer is a myth. They can be hacked, reset, stolen, and you can be erased or worse.
Mat Honan is a senior writer for Wired Magazine and he wrote recently about a hacker gaining access to his online presence and the havoc that caused. If you think it can’t happen to you think again. Mat used passwords with up to “19 characters, …all alphanumeric, some with symbols thrown in as well…”
As he puts it:
You have a secret that can ruin your life.
It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.
Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.
No matter how complex, no matter how unique, your passwords can no longer protect you.
For your sake read Mat’s article in this month’s Wired – Kill the Password: Why a String of Characters Can’t Protect Us Anymore.
And remember these helpful tips:
Don’t:
- Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all.
- Use a dictionary word as your password. If you must, then string several together into a pass phrase.
- Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
- Use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.

Do:
- Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
- Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
- Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
- Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name—like email@example.com—so it can’t be easily guessed.
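
The tips on number substitutions and short passwords can be turned into a check you run when someone sets a password. The sketch below is an added example, not code from Wired or from the original post; the tiny word list, the substitution table and the 60-bit threshold are assumptions made for illustration.

```python
import math
import re

# Constructed stand-in for a real dictionary / breached-password list.
WORDLIST = {"password", "letmein", "dragon", "monkey"}

# Common character swaps, undone before the dictionary lookup.
UNLEET = str.maketrans("4@5$03!17", "aassoeilt")

DICTIONARY = "dictionary word once substitutions are undone"
TOO_SHORT = "search space too small to make exhaustive guessing impractical"

def charset_size(pw):
    """Size of the alphabet an exhaustive search must cover for pw."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
               (r"[^a-zA-Z0-9]", 33)]  # 32 ASCII punctuation marks + space
    return sum(n for pattern, n in classes if re.search(pattern, pw))

def search_space_bits(pw):
    """log2 of the number of candidates with this length and alphabet.
    This is an upper bound: structured guessing needs far fewer attempts."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def review(pw, min_bits=60):  # min_bits is an assumed policy threshold
    """Return the list of reasons to reject pw (empty list = accepted)."""
    findings = []
    if pw.lower().translate(UNLEET) in WORDLIST:
        findings.append(DICTIONARY)
    if search_space_bits(pw) < min_bits:
        findings.append(TOO_SHORT)
    return findings

if __name__ == "__main__":
    # The two passwords from the tips, plus a constructed pass phrase.
    for candidate in ["P455w0rd", "h6!r$q", "maple-trombone-quartz-lantern"]:
        bits = round(search_space_bits(candidate), 1)
        print(candidate, bits, review(candidate))
```

“P455w0rd” is rejected on both counts, “h6!r$q” on size alone, and the long pass phrase passes, which is the point of the last tip in the first group: length does more for you than odd characters.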