The Great Password Crisis of 2014
How good are the passwords you use?
Do you use the same password for everything?
Can you remember your password(s)?
Xato.net did a study and claims that 40% of all passwords are one of just 100 commonly used passwords. That means that password-hacking software could check 100 passwords and get access to 40% of accounts. Ofcom, in another study, found that 55% in the UK use the same password for all their accounts. So, in over half the cases, If a hacker can crack one password, then all the accounts become accessible. Another statistic (reported by NBC) states that 70% of us forget a password each month.
Online security wants us to have a separate password for each account, each one using at least 8 upper and lower case letters, numbers, and special symbols. Some want us to change our password periodically – but not to use one that’s too similar to past passwords. Security experts will tell you to never, ever write down your password. They will tell you not to use words, because they’re subject to a dictionary hack, but to use phrases instead. But hackers are getting smarter and searching for common phrases as well. You’d best dispose of “mydoghasfleas”.
Hackers want you to use “password”, “password1”, “12345678”, your name, your daughter’s name, your dog’s name, your birthday, “abc123”, and “letmein”. They want you to use your Facebook password for your online banking. Tech people want you to use password managers so that one password can unleash all the rest. They want to increase use of biometric devices like fingerprint readers and retinal scanners. These technologies also have their drawbacks. Companies like Yahoo want us to remember our passwords so that we don’t need to keep calling with “forgot my password” calls.
The trick is to use a password that’s hard to guess, but easy to remember. Here are some suggestions:
- Write down any passwords that you don’t expect to use often.
- Keep them together, ideally on one sheet of paper.
- Keep it nearby, but not in plain sight. Don’t forget where you put it!
- Don’t keep it in your wallet.
- Write just the password, not the username or account (e.g. SunTrust).
- Make it obvious which password goes with which account. (e.g. “trust*fooey$0905”)
- For passwords that age out, have a system to generate multiple passwords.
- Don’t use “3Fooey1”, “3Fooey2”, “3Fooey3”.
- You’re better off with something like “3Fooey-apple”, “3Fooey-banana”, “3Fooey-cherry”.
- Have a system for generating unique passwords for different accounts.
- For example, “$$$-fooey-0905” for SunTrust, “facetime-fooey-0905” for Facebook.
Note that just adding four digits (that only you would know) means that an exhaustive search would need to take 10,000 times as long. If “fooey” takes five minutes to crack, then “fooey5309” would take almost 35 days to crack – assuming that we knew to search for a word, followed by exactly four digits. Add another two digits to make it 9.5 years.
You don’t need to be very creative to get a strong, unique, and memorable password. You should spend the time to be just a little creative. The alternative is worth avoiding.