White Collar Handyman
In-Home and In-Office Technology Concierge Services
Lessons & Tutoring • Repair • Troubleshooting • Upgrades & Installation
Fast Response • Reasonable Rates • In Your Home or Office • Same Day Service Available
(781) 989-2373
Hey! We've moved to a new URL to better reflect who we are and what we do! Please visit Rob Falk Technology Concierge Services at http://robfalk.net and update your bookmarks.

Saturday, April 12, 2014

Your Password WILL be Hacked. Not If, When. Fight Back.

Just this week, a well-meaning financial planner sent an email blast advising his clients to change the passwords on all their web accounts, including the investment accounts he manages. So far, so good. He suggested that his clients use a different password at each website (good). Unfortunately, he also suggested a simple formula for producing them (horrible). He wrote:

“I take the site name for example "gmail", capitalize the first letter, and then add "my own" 3 or 4 digit code, for example "1234" (but do not use this sequence as it is easy to break) . . . so applying the formula, the password would be "Gmail1234". Similarly, if I were to be using PenPal, it would be "Penpal1234" or "Pen1234.”
The problem with this approach is this: if I am a hacker and I get hold of one of his clients' usernames and passwords, say the “Gmail1234” from his own example, I will immediately try the same username with “Amazon1234,” “Chase1234,” “Citi1234,” “UBS1234,” “Paypal1234,” and so on at each of those sites. The formula reduces every password to a single secret, the 3- or 4-digit code, and the first leak reveals it. How am I doing so far?

For a fascinating (and depressing) explanation of why this method of password management is only a tad better than using “qwerty” everywhere, read Why passwords have never been weaker—and crackers have never been stronger at ars technica. It is long and detailed, and since it was written in 2012 the situation has only gotten worse.

If you don’t care to dive in, let me summarize: the people cracking passwords are smarter than you are. They use clusters of ordinary graphics cards, not exotic hardware, and can cycle through 6.2 billion combinations of letters, numbers and symbols every second. They work from wordlists of more than 60 million entries. Every time a web site is breached and its password list leaks, the cracking world learns more about the passwords we choose and the patterns we build them with, and those leaked passwords go straight into the wordlists and mangling rules used against the next breach.

This is what it comes down to: given enough time, and a copy of a breached site's password database to work on offline, your password will be cracked. All you can do is make that take long enough that you have time to change the password before the attacker gets there.

Every one of your passwords needs to be generated at random by a computer (a password manager will do this for you), with a minimum of nine characters so that brute-force cracking becomes impractical. Longer is better: at the guess rate above, nine random characters drawn from the full keyboard hold out for about three years in the worst case, twelve for millions of years, and the extra length costs you nothing once a manager is typing them. Change them all every three or four months.
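To put numbers on the two points above, here is an added example (my own illustration, not code from the post or from the financial planner). It shows what an attacker does with one leaked formula password, how small the remaining secret is once the formula is known, how worst-case brute-force time grows with the length of a truly random password, and how to generate such a password from the operating system's secure random source. The guess rate is the 6.2 billion per second figure quoted above, the 94-symbol alphabet is the printable keyboard characters, and the site names and the sample leaked password are constructed for the example.

```python
import secrets
import string

GUESSES_PER_SECOND = 6.2e9          # rate quoted in the post; an assumption for scale
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG via `secrets` (never random.random())."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Candidates a brute-force attacker must try in the worst case."""
    return alphabet_size ** length


def worst_case_seconds(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole space at the given guess rate."""
    return candidates / rate


def worst_case_years(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    return worst_case_seconds(candidates, rate) / SECONDS_PER_YEAR


def formula_candidates(leaked_password: str, leaked_site: str, other_sites) -> dict:
    """What an attacker does with ONE leaked password built by the planner's
    formula: peel off the site name, keep the personal code, and re-apply the
    formula at every other site. Returns {} if the password does not fit."""
    if not leaked_password.lower().startswith(leaked_site.lower()):
        return {}
    personal_code = leaked_password[len(leaked_site):]
    return {site: site.capitalize() + personal_code for site in other_sites}


def formula_search_space(min_digits: int = 3, max_digits: int = 4) -> int:
    """Once the formula itself is known, the only secret is a 3- or 4-digit code."""
    return sum(10 ** n for n in range(min_digits, max_digits + 1))


if __name__ == "__main__":
    leaked = "Gmail1234"  # constructed sample: the planner's own example
    print(formula_candidates(leaked, "gmail", ["amazon", "chase", "paypal"]))
    print(f"formula, code unknown: {worst_case_seconds(formula_search_space()):.2e} s")
    for n in (6, 9, 12, 16):
        print(f"{n} random chars: {worst_case_years(search_space(n)):.3g} years")
    print("example random password:", generate_password(12))
```

The contrast is the whole argument: the formula leaves 11,000 possibilities (tried in microseconds, and zero once a single password leaks), while nine random characters take about three years at the quoted rate and twelve take millions. Real crackers do not brute-force blindly, they try wordlists and patterns first, which is exactly why the password must carry no pattern at all.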

Now is also the time to enable two-factor authentication at every website that offers it. With two-factor authentication, even if someone succeeds in cracking your password, they won't be able to log in to your account from a device you haven't already approved. The login is not allowed until you receive a code on your cellphone, by text message or from an authenticator app (the app is the stronger choice, since text messages can be intercepted or redirected), and enter it in addition to the password. An excellent list of sites offering two-factor authentication is found here. And remember, as good as two-factor authentication is on the sites that have it, it does nothing to stop that cracked password from being used at another site that doesn't have it. Which is why, class, repeat after me: "we use a different complex random password at every single site."
