Do your passwords pass the hack test?

Published: August 23, 2011 by bkrenek

The steady drumbeat of recent data breaches has called significant attention to the security vulnerabilities of even the world’s biggest corporate brands and defense organizations.  These incidents have spotlighted the need for improved breach prevention measures, from basic tools like encryption to loftier cyber goals such as identity ecosystems, which would utilize new technologies, policies and standards to help protect and authenticate consumer transactions.

But sometimes lost amidst the heady discussion is the importance of the simple yet essential first line of security defense: passwords.  Too many people are complacent about this critical cyber-safety key, creating passwords that are weak and predictable, and then using those same or similar passwords for all of their online accounts.  Flimsy passwords are like an open invitation for hackers – no different than keeping the back door to your home wide open, especially in a time when the technology to crack passwords is becoming ever cheaper and more powerful.

The President himself was cyber-attacked when a hacker uncovered his Twitter account password as Bo, the name of his dog.  And since one study revealed that 75 percent of people use identical passwords for their social media and email accounts, it isn’t a stretch for an attacker to cause major damage once he gains a foothold in your online identity.  This is especially true of your email password: with control of your mailbox, a hacker can click the “I forgot my password” link on your other accounts, receive the reset links there, and take over every account that trusts that address.

Even companies that require their employees and customers to adhere to strict password requirements can’t protect themselves and their consumers when individuals fall back on predictable password patterns.  Indeed, most people just re-use their standard passwords and, when necessary, modify them slightly with capital first letters and a number or special character at the end.

“Qwerty,” “12345,” and “password” are among the top 20 most common (and therefore worst) passwords, but the truth is that any word that can be found in the dictionary is a bad one for password use.  That’s because attackers automate their guessing: cracking tools run through wordlists of common passwords, dictionary words and credentials leaked in earlier breaches, apply rules that reproduce the usual tweaks (a capital first letter, look-alike substitutions, a digit or symbol on the end), and try the results against the most common websites or against stolen password hashes.  Actual words and logical patterns are the lowest-hanging password fruit.  Names, places, book, movie and song titles; dates in any format; words disguised with letter substitutions; keyboard sequences; and any real word at all – all of these are password don’ts.

At the most recent annual ShmooCon hacker conference, expert panelists weighed in on some key password pointers:

  • It’s best to create passwords unusual enough that you have to write down subtle cues to remember them, then keep the paper in your wallet.  You’re less likely to lose your wallet than get hacked.
  • Don’t re-use your passwords, or pretend you’re not re-using them by making small modifications.
  • Use longer passwords – they’re more difficult to hack, because every added character multiplies the number of guesses an attacker has to make.
  • People are lazy; getting employees to choose strong passwords might require regular password audits and institutional pressure.

Other tips:

  • Third-party password programs (password managers) can help you securely store unique passwords for every site, although beware that even these companies aren’t immune to security threats, and the master password that unlocks the store deserves the most care of all.
  • Only access secure “https” sites when using public WiFi connections.
  • After using a public computer, log out of every account you used, clear the cookies and cache, change your password and monitor your accounts closely.
  • Create your own security backup question, if possible “What is my back-up password?”  If you can’t create your own question, then lie about the standard question – for example, make up a string of random letters as the answer to “What is your mother’s maiden name?”  Record that made-up answer somewhere safe (a password manager, or the same paper in your wallet), since a random answer you can’t recall locks you out just as effectively as it locks out the attacker.
  • One password idea: create a sentence, then take the first letter from each word to assemble a unique and hacker-unfriendly password.
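The rule-based guessing described above (dictionary words dressed up with capitals, look-alike substitutions and a trailing digit or symbol) and the acrostic passphrase idea in the last tip, as an added example that is not part of the original post.  The script imitates what a cracking tool does with a wordlist: it expands each base word through a small rule set and compares the candidates against a set of password hashes.  The seven-word wordlist, the suffix list, the two target passwords and the use of plain SHA-256 are all constructed for the demo.

```python
"""Added example: why a disguised dictionary word falls to a rule-based
guesser in a few hundred tries while a first-letters passphrase does not."""
import hashlib
import itertools

# Constructed mini wordlist for the demo; a real attacker uses lists with
# millions of entries assembled from previous breaches.
WORDLIST = ["password", "qwerty", "12345", "letmein", "monkey", "dragon", "bo"]

# Look-alike substitutions that people believe disguise a word.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}

# The "number or special character at the end" habit described in the post.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2011", "!1"]


def leet_variants(word):
    """Yield `word` with every subset of its substitutable letters replaced."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for n in range(len(positions) + 1):
        for combo in itertools.combinations(positions, n):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def mangle(word):
    """Yield the candidates a rule set derives from one base word:
    two capitalisations x all leet variants x the common suffixes."""
    seen = set()
    for base in (word.lower(), word.capitalize()):
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def digest(password):
    """Fast unsalted hash, used here only so the demo has something to match.
    Real systems should store a slow salted hash (bcrypt, scrypt); that raises
    the cost of each guess but does not change which passwords are guessable."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Run the rule set over the wordlist against a set of hashes.
    Returns ({hash: recovered_password}, number_of_guesses_made)."""
    remaining = set(target_hashes)
    recovered = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            h = digest(candidate)
            if h in remaining:
                recovered[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return recovered, guesses
    return recovered, guesses


def acrostic(sentence):
    """The post's passphrase idea: the first character of each word, keeping
    whatever capitals, digits and punctuation the sentence supplies."""
    return "".join(w[0] for w in sentence.split())


if __name__ == "__main__":
    weak = "P@ssw0rd1"  # a "disguised" dictionary word (constructed victim)
    strong = acrostic("I have loved Oreo cookies since my 5th birthday!")  # IhlOcsm5b
    recovered, guesses = crack({digest(weak), digest(strong)})
    print(f"{guesses} guesses; recovered: {sorted(recovered.values())}")
    print("acrostic survived:", digest(strong) not in recovered)
```

Run as a script, it recovers P@ssw0rd1 in well under a thousand guesses, while the nine-character acrostic IhlOcsm5b is never produced by any rule; brute-forcing nine characters drawn from the roughly 70 printable symbols that appear on a keyboard would instead take on the order of 70^9 guesses.  The caveat the post's last tip leaves out: the sentence has to be your own, because cracking wordlists also include famous quotations, lyrics and their acrostics.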