Your password sucks

Something my clients have always relied on me to do is “keep them safe” - safe from “the internet”, from malware infection, from “hacker attacks”, from vulnerable software & operating systems, internal security & privacy, the list goes on.  “Security Thinking” is something that’s long been an integral part of my service, but one of my biggest frustrations and challenges is that a key aspect of security is largely outside of my control.

Passwords.  We all hate them, but your password to each system is THE first line of defence against misuse, and yet this is the one that causes the most angst, confusion, or apathy amongst “normal people” (i.e. non-geeks).  There have also been a lot of myths about what constitutes a secure (strong) password, and I admit I used to perpetuate a couple of these myths!  For years geeks like me have been telling you to make your password(s) complicated (but not necessarily very long), adding numbers & punctuation/special characters, capitalising words, which makes it hard to remember.  And that other myth - frequently changing passwords!  All this “best practice” was based on theory and guessing, ‘conventional wisdom’.  That was then.

This is now.  In the last couple of years there have been some major (negative) developments in IT security, starting with a seemingly endless parade of high profile websites & services being hacked, and their user databases - containing usernames &/or email addresses, passwords, and other personal details that can be used to perform identity theft - exposed in public.  You’ve probably got accounts with some of them:  Sony / PlayStation Network, LinkedIn, Dropbox, eHarmony, Google (eg. Gmail), Facebook, Microsoft Hotmail/Live Mail, Last.FM, Billabong, Yahoo, Zappos, Citigroup, Valve (Steam), Walt Disney, NASA, the US Army, Lockheed Martin (yes, the US military and their top tier contractors).  These are just some of the sites that were forced to admit they’d been hacked because their user databases had been posted in public by hackers.  Many countries don’t force businesses to disclose that they’ve been hacked, and you can also count on some who aren’t even aware they’ve been hacked.

All up, about one hundred million user accounts have been exposed in the last couple of years, and it’s provided a massive ‘data point’ for hackers and security researchers alike.  It’s revealed that, shockingly, some sites don’t even bother encrypting your password stored on their system, so when they’re hacked, your username and password are hung out in public for anyone to see.  It’s also revealed just how poorly so many people choose passwords - if your password is on, or even remotely similar to any of these 25 most common passwords, you’re screwed.  Worse still, it’s revealed many of the common “schemes” people use to choose their passwords in the first place!

From this treasure trove of password data, even from user databases that are encrypted, hackers are becoming frighteningly smart at tuning their ‘brute force’ password decrypting algorithms to first try not only all the common passwords, but also all the permutations within many ‘schemes’.  With these and other clever techniques, in excess of 50% of the tens/hundreds of thousands or even millions of passwords in these leaked databases can be decrypted within days or weeks.  What happens then is up to the criminal world to decide, and how juicy a target you are.

In other words, your password(s), and the ‘scheme’ you might be using to choose it, are probably no longer good enough.  Bugga.  So in a subsequent post I’ll show you a couple of ways to choose passwords that will help keep you “safe enough”.
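
The point above, that common passwords and the permutations within a ‘scheme’ get tried first, can be turned into a check a site runs when you set a password.  This is an added example, not part of the original post; the blocklist, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample blocklist. A real deployment would load a large
# breached-password corpus instead of these few illustrative entries.
COMMON = {"password", "123456", "qwerty", "letmein", "monkey", "dragon"}

# Undo the usual character substitutions ("leet speak"). Ambiguous
# characters (e.g. "1" as "i" or "l") get one mapping here for brevity.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def reduced_forms(password):
    """Return the base words a password collapses to once the usual
    'schemes' (capitals, digit/punctuation affixes, leet) are undone."""
    lowered = password.lower()
    # Drop digits and punctuation tacked on to the front or the end.
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    forms = {lowered, stripped}
    # Also try each form with character substitutions reversed.
    forms |= {form.translate(LEET) for form in forms}
    forms.discard("")
    return forms


def screen(password):
    """Return the blocklisted word this password reduces to, or None."""
    hits = reduced_forms(password) & COMMON
    return min(hits) if hits else None


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["P@ssw0rd1!", "Monkey2015", "dr4g0n", "123456",
                   "correct horse battery staple"]:
        hit = screen(sample)
        verdict = f"rejected (reduces to '{hit}')" if hit else "accepted"
        print(f"{sample!r}: {verdict}")
```

A password that looks complicated but collapses to a blocklisted word is rejected, which is the same reasoning a tuned cracking run applies in reverse.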
