Hartley Brody

Password Security for the Average User

Yesterday, news broke that millions of encrypted LinkedIn passwords were leaked and posted on a Russian website. And today, eHarmony confirmed a password leak, and the popular music service last.fm just announced they’re investigating a similar leak.

Now is probably a good time to update the passwords on all of your accounts.

A lot has been written about how developers can secure their applications to keep their users’ information safe.

But what about the users themselves?

We all use dozens of password-protected services from Twitter and Facebook to corporate email and online banking. What can we do to help ensure no one else accesses our accounts?

It’s important to start by saying that there’s a fundamental trade-off between security and usability. That is, you could come up with a very secure system of randomly generated passwords that are changed daily and stored in a vault in the middle of a pool with sharks with lasers on their heads circling at all times, but that’s not going to be helpful if it’s too difficult for you to use regularly.

It’s important that you’re totally comfortable using whatever system you set up for yourself, otherwise you’ll stop using it and will lose all security benefits.

Use Passphrases, Not Passwords

For some reason, people have been taught that the best passwords are short but complicated. Things like “g5z#6cl1(71&” that no human would ever remember. The idea is that, by making the passwords ‘random’, they’ll be harder to crack and thus, safer.

And while they may be somewhat secure, we want to design a system that’s also easy for us to use. If you can’t remember your password, you’ll end up writing it down somewhere near your computer where it’s easy for anyone to access. That’s definitely not secure.

Fortunately, there’s an easy solution. Use long passwords that are multi-word phrases, also known as passphrases. Every character you add to your passphrase makes it exponentially harder to crack, so longer passphrases are almost always safer. Some numbers from Coding Horror on the time it takes to crack passwords of a given length:

all 6 character passwords 3 seconds
all 7 character passwords 4 minutes
all 8 character passwords 4 hours
all 9 character passwords 10 days
all 10 character passwords ~625 days
all 11 character passwords fuggedaboudit

Clearly longer passphrases are more secure. Plus, by using phrases, you’ll end up with something that is much easier to remember.

There’s a great XKCD comic that explains the math behind it well, and Jeff Atwood walks through some of the more technical aspects here:

Passphrases are clearly more usable than traditional “secure” passwords. They are also highly likely to be more secure. Even naive worst-case passphrases like “this is my password” aren’t all that hackable, at least when compared to their single word equivalents, e.g., “password”.

I usually use lines from a song, since they’re easy to remember and the word order is unambiguous. You can make them even more random by switching in numbers and symbols (1 for “i” or @ for “a”) to make them even more difficult to crack.
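The “exponentially harder” claim above is just arithmetic: each extra symbol multiplies the number of candidates an attacker must try by the size of the pool it was drawn from. The following is an added example, not code from the original post; the guess rate, pool sizes and word-list size are constructed assumptions for illustration.

```python
import math

# Assumed guess rate for someone holding a leaked password database protected
# by a fast hash (constructed figure for illustration, not from the post).
GUESSES_PER_SECOND = 1e10

# Assumed sizes of the pools a password is drawn from (constructed assumptions).
PRINTABLE_ASCII = 95      # letters, digits and symbols on a US keyboard
LOWERCASE = 26
DICEWARE_WORDS = 7776     # size of a standard Diceware word list


def search_space(pool_size: int, length: int) -> int:
    """Number of candidates needed to exhaust every string of exactly
    `length` symbols drawn from a pool of `pool_size` symbols."""
    return pool_size ** length


def entropy_bits(pool_size: int, length: int) -> float:
    """Strength in bits: log2 of the search space. Each added symbol adds
    log2(pool_size) bits, i.e. multiplies the search space by pool_size."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(pool_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return search_space(pool_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # The post's point: every extra character multiplies the work, so the
    # time to exhaust the space grows exponentially with length.
    for length in range(6, 13):
        print(f"{length:2d} random printable characters: "
              f"{human_time(seconds_to_exhaust(PRINTABLE_ASCII, length))}")
    # A passphrase is a password whose "symbols" are whole words: five words
    # from a 7,776-word list beat the classic 8-character random password.
    print("8 random chars:  ", round(entropy_bits(PRINTABLE_ASCII, 8), 1), "bits")
    print("5 Diceware words:", round(entropy_bits(DICEWARE_WORDS, 5), 1), "bits")
```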

Use Different Passphrases for Different Sites

You might not worry when you hear that your email and password at a service like last.fm were leaked, because it’s not like you have important information in the account anyway. Maybe the hacker will know what sort of music you like and that’s it, right?

Maybe, but what usually happens in these situations is that the hacker takes all those credentials and tries using them to log into Gmail and Facebook and Twitter and possibly even some major banks. Because so many people reuse their passwords across many different sites, this can be surprisingly successful.

There was an infamous case a few years ago:

In late 2010, the popular website Gawker and several other websites owned by the Gawker Media group were breached by hackers who stole the usernames and passwords of more than 1.5 million people. The hackers published the stolen login credentials, revealing that thousands of people simply used “password” as their password. Knowing that many people use the same password on multiple websites, spammers used the stolen Gawker login credentials to access hundreds of thousands of accounts on other websites including Twitter and LinkedIn, for the purpose of spreading spam and malicious links.

If you use one passphrase across all your accounts and any one of them gets compromised, there’s a good chance that some of the others will be as well.

I know what you’re thinking though – you have so many accounts, how can you possibly come up with and remember passphrases for each of them?

For basic services where no financial information is stored and there’s no chance of someone masquerading as you, using a throwaway password across multiple accounts is probably fine. But for accounts like

  1. sites that save credit cards, like Amazon and other retailers
  2. online banking or financial institutions
  3. email, correspondence or social media accounts

you absolutely need to create unique passphrases for each account.

It’s obvious why you’d want to take extra precautions when financial information is involved, but people often underestimate the importance of securing social media accounts and email.

Hackers love to compromise accounts through which they can then compromise other accounts.

Have you ever gotten a Facebook chat message from someone you never talked to in high school saying “lol, check out this funny picture of you…” or maybe an email from an older relative telling you that they were just robbed while travelling abroad and need you to wire $2000 into the following account so that they can get home?

Those are common examples of an attack that spreads and can easily compromise thousands of accounts very quickly. It works so well because of something known as social engineering. Rather than trying to crack your password, social engineering attacks rely on the fact that you generally trust things that appear to come from your friends & family online.

This means that any account where your friends will trust messages that appear to come from you is a prime target for these kinds of attacks, and deserves its own secure passphrase.

Email accounts are especially important to secure since they’re a skeleton key for almost all of your other online accounts. If I were to gain access to your email account, I could easily go to your bank, click “forgot password” and have them email a new password to your email address, which I can then intercept and use to log in to your bank.

Almost every online service has a similar password reset functionality that relies on your email account being secure. If a hacker gains access to your inbox, they can gain access to virtually any of your other online accounts.

Two-Factor Authentication

I mentioned this previously when discussing ways to keep your Facebook account secure, but using two-factor authentication is the safest thing you can do to protect your accounts:

According to proponents, [two factor authentication] could drastically reduce the incidence of online identity theft, and other online fraud, because the victim’s password would no longer be enough to give a thief permanent access to their information.

Even if a hacker were to discover your password, they wouldn’t be able to log in to your account from their machine without also having access to your cell phone or other device.

Unfortunately, Facebook and Google are the only major consumer sites that offer this level of protection, but you should absolutely activate it for those accounts. Instructions for Facebook and Google.

Much like physical keys, passwords are designed to keep most people out, while allowing trusted users in.

They’re something we use every day and are all that stands between our private information and the hordes of hackers and spammers scouring the internet. It’s important to have a good system that balances security with your personal level of convenience.

Fortunately, it doesn’t take a PhD in cryptography to come up with a good system.

If you want to learn more about how hackers operate and how to protect yourself from attacks, check out this great article by MailChimp.