It’s time to give yourself a more grown-up password strategy

The state of password technology is awful. As the brilliant “XKCD” comic (below) once said, “through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”. It’s not uncommon for online services to request: “your password should be 8 to 12 characters, and should include one punctuation symbol and a number” or something along those lines. That’s fine if the object is to stop people using the password “password” or “123456” (and they do), but seriously, how much easier could you make it for a hacker writing a computer program to “crack” a password? A large part of the format has been specified quite explicitly; now all they have to do is throw millions of guesses that fit that format at it.

We all really need to move beyond this, most notably with email, which is a staggering security weakness. I know many people who think their email account is a low priority, as there’s little incriminating or embarrassing in their inbox, and even if there had been, they’d have deleted it long ago. Wrong. Give someone access to your email inbox, and you give them access to almost anything. They just go to one of your web services (such as your bank), click “I forgot my password”, and a link to create a new one gets sent to you by email. Then they just create a new one and sign in. (OK, I appreciate many services are more sophisticated than this, but even so, the extra security probably only involves finding out your date of birth or the town where you were born, hardly requiring Holmes and Watson.)

A sensible password strategy involves two rules:
[1] Passwords should be long – perhaps a minimum of 20 characters, if allowed;
[2] Passwords should be different – never re-use the same password on different services, because if one is compromised, so are the others.

This presents two difficulties. If your password is long, the “problem” can be remembering it, or being able to see that you’ve typed it in correctly. The answer is to forget about punctuation marks and numbers and instead string together random, unguessable words. It’s not hard to remember “correct horse battery staple”, but that’s actually more secure against hackers than “Tr0ub4dor&3” (see cartoon above).

The second problem is the impracticability of remembering a different password for every online service, but it’s really important to do so. It’s not just the possibility of someone guessing your password which you need to worry about, but the possibility of passwords being stolen from the site where they’re used. This shouldn’t happen, but it does. The answer here is to use a password manager, of which there are many. This keeps all of your passwords in a secure online vault, and allows you to fill in password fields automatically after entering a single master password. It really does make navigating the web more secure (in the opinion of most professionals) and much, much faster (almost unquestionably). Using a password manager, you only need one or two clicks to sign into a site, and one or two clicks to fill in forms (such as credit card information). I don’t know how I lived without mine, to be honest.
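To make the “random words” argument concrete, here is an added example (not code from the original post) that generates a passphrase from a word list with a cryptographic random source, computes its entropy, and checks it against the 20-character rule above. The 32-word list is a constructed stand-in for a real list; the 2048-word figure in the test is the size of list the XKCD comic assumes for its 44-bit passphrase.

```python
import math
import secrets

# Constructed miniature word list for the demo (32 words = 5 bits per word).
# A real generator would load a large published list, e.g. a 7776-word
# diceware list (about 12.9 bits per word).
WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "cabin", "delta",
    "ember", "falcon", "garden", "harbor", "island", "jungle", "kettle",
    "lantern", "meadow", "nectar", "orbit", "pepper", "quartz", "ribbon",
    "saddle", "timber", "umbrella", "velvet", "walnut", "yonder", "zephyr",
    "acorn", "bridge", "candle", "dragon",
]


def entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy in bits of `words` picks made uniformly from a list of
    `wordlist_size` words. Each pick contributes log2(size) bits."""
    return words * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from the list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick `words` words uniformly at random using the OS CSPRNG (secrets),
    never random.choice, which is not suitable for secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def meets_length_rule(passphrase: str, minimum: int = 20) -> bool:
    """Rule [1] from the post: at least `minimum` characters."""
    return len(passphrase) >= minimum


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    bits = entropy_bits(len(WORDLIST), 4)
    print(f"{phrase!r}: {bits:.1f} bits, long enough: {meets_length_rule(phrase)}")
    print("words for 44 bits from a 2048-word list:", words_needed(2048, 44))
```

With the tiny demo list four words give only 20 bits, which is why a real list needs thousands of entries for the same word count.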


  1. David Turner

    I’ve seen this cartoon before and when it came up again recently it struck me that the correcthorsebatterystaple model is all very well until you come up against a site that insists on a number, in which case you have to remember whether it was h0rse or c0rrect that you spelled with a zero.

