Some things are best left to computers

I don't need to remember any of my online passwords anymore, which means I can make them longer and more secure. Here's how. By Alistair Fairweather.

Alistair-Fairweather-180-profileI don’t know my Internet banking password. I don’t know my Facebook password either, or my Web e-mail password. I couldn’t even tell you the first three letters. And no, I don’t have them written down in a book or saved on my phone.

Since two months ago, I only have two passwords to remember: the one that allows me to access the network at the Mail & Guardian offices, and the one that unlocks my password management system. I use 1Password, which has several alternatives on the market.

This system securely stores all my passwords and automatically enters them whenever I need to log into anything online. So whether I’m checking my bank balance or my Twitter account, I just hit a couple of keys, type in one completely private password and voilà, I’m in.

But the real beauty of the system is that it allows me to make extremely long and complex passwords. Most of mine are now 30 characters long and look something like this: pFutJhNcozRmDMO_LeiK2{Yvsdr3jP. And no, this isn’t one of my passwords. Or at least, I don’t think it is.

Why would I want such ludicrously long passwords? I’m not famous or important, so who would want to hack my accounts? But those questions miss the point. Hacking has evolved from something that nerds with bad breath did in their mothers’ basements to a heady mix of big business and competitive sport.

In the last three years alone, hundreds of million passwords and e-mail addresses have been stolen from major online services and then leaked online by the hackers. A single hack in October this year exposed the passwords and e-mail addresses of more than 150m Adobe customers. And that was the worst in a series of massive hacks. Sites have sprung up that allow you to check if your e-mail address was caught up in any of the largest hacks.

The Adobe passwords were encrypted, at least, meaning they needed to be unscrambled before they could be used to log in and cause mischief. Unfortunately, Adobe’s encryption method was quite weak and security experts were quickly able to decipher many of them. The most popular password, used by nearly 2m people, was “123456″. Oh dear.

The immediate solution to this leak was obvious enough: Adobe forced all its customers to reset their passwords and refused to accept anything very weak like “abcdef” or “password”. But the long-term ramifications are much more sinister and difficult to mitigate.

For instance, do you have distinctly and substantially different passwords for every online service you use? If so, you’re extremely unusual. Most people have only a handful of passwords which they share across everything from e-mail to social networks to cloud storage services. So, if you were unlucky enough to have your favourite password revealed by a massive data breach, along with your e-mail address, you would be a sitting duck for everyone from identity thieves to corporate espionage agents to spammers looking for “clean” addresses to abuse.

But perhaps the most significant danger is what these data leaks teach hackers, and their software, about the nature of the average password. Although modern hackers have many tools at their disposal, including simply phoning you and pretending to be your IT department, a significant number of hacks are still achieved using a method called a brute-force attack.

These attacks involve several computers (sometimes thousands of them) essentially guessing the correct password thousands or even millions of times a second. To do this they literally use dictionaries — guessing every word and word combination until they hit on the right one. Most security-conscious services, like banks, will quickly shut off an account after a small number of incorrect guesses, but many services still don’t have these safeguards.

What these massive data leaks do is provide a huge arsenal of more realistic “guesses” for hackers to use. They also reveal how human beings think en masse. Since brute-force hacking is essentially an exercise in high-level statistics, data sets like the Adobe hack are priceless.

This might seem quite depressing — as though we’re all doomed to have our e-mails read by perverts and our bank accounts raided by pimply teenagers. But simply using stronger passwords will make hacking harder both individually and collectively.

hacker-640

Security experts will tell you that what really matters in passwords is length, not complexity. We’ve been trained by well-meaning IT geeks to think strings like p@sSw0rD are more difficult to crack than a phrase like “bright donkey cheese chest”. In reality, given a moderate amount of computing power, the first password could be cracked in less than 24 hours. The second one, by comparison, would take billions upon billions of years and is arguably easier to remember.

The only thing better than a long password? A long and complex password. Given that hackers are using software to trample all over our security, the best defence is to fight fire with fire. Enter my trusty password service. It syncs (securely) across all my devices (phone, tablet and laptop) and means that I literally don’t know any of my own passwords (except the really important one).

I must admit I was nervous at first. A lifetime of remembering passwords left me feeling a bit uneasy about giving up that habit. But I’ve had to admit something that the hackers realised a long while ago: some things are best left to computers.  — (c) 2013 Mail & Guardian

Related Posts Plugin for WordPress, Blogger...

Share this article

  • Ludi Nel

    Cool Article. I use lastpass with google authenticator as my second level of authentication.

  • dean

    so if “1password” was hacked, all (every single one of ) your passwords would be exposed? or am i missing something?

  • http://1.1.1.1/ Dog Star

    +1 same here. And my phone is under lock and key

  • http://www.crypt.co.za/ Twylite

    Unfortunately there are still many sites out there that restrict the maximum length of a password, or expire passwords annually in the name of “security” and then e-mail you a replacement password, or prohibit characters like + or /. Too many “IT security experts” have only just caught up with what the crypto experts consider good practice in the 90s, and are treating that as gospel, ignoring 15 years of advancement in password protection practice.

  • http://www.crypt.co.za/ Twylite

    Yes, if someone performs a targeted attack on you and steals your password database off your PC or mobile device, and also logs your password for that database (most of these apps have some level of protection against software password loggers), then they have all of your passwords. But this type of attack can gather all your passwords even if they are not in one database.

    Given that most password attacks are against the service provider rather than the user, there is huge value in having a unique strong password per service, but that is difficult to manage without software like 1Password or Password Safe.

  • -SKELE-

    $17.99 for an app to store your passwords for you that can be breached with a single password… mmmm i dont think so… I think it is a single point of failure… setting yourself up for failure…

  • Andrew

    Apple’s new operating system does the same thing.

  • http://www.InTheCube.co.za/ InTheCube.co.za

    I use Keepass, and drop the password DB in my Dropbox account for syncing across all my devices. I then also use Lastpass.com as a secondary backup service, but only for passwords I use very often, and which can benefit from the Lastpass browser extensions which automatically fill in usernames and passwords for you.

    I don’t trust keeping my password DB purely in the cloud on some 3rd party’s servers. If they are hacked, go bankrupt, or their data centers are taken out by an act of God, then you’re screwed. You’ve lost a lifetime of passwords.

    With Keepass and the DB sitting on all my devices, I have multiple local hard copies, and I am in full control of the DB. Even if Dropbox is struck by an “act of God”, the DB will still be on my devices. It takes a bit more work to maintain 2 databases, but I think its worth the little extra effort.

  • http://www.InTheCube.co.za/ InTheCube.co.za

    As opposed to multiple points of failure using traditional methods? Do you have a better system in mind? If so, please enlighten us.

  • Greg Mahlknecht

    They both have their merits. Having “multiple points of failure” isn’t really a bad thing, because in this case only a subset of your security will fail, as opposed to the entire thing.

    I haven’t tried password mangers for a while – have they been updated to work with things like mobile phone apps (eg FNB), or do you still need to remember passwords for that? This is what put me off last time – IE and Chrome do a good enough job of remembering your passwords now, even between PCs – so that takes away the need to type in 90% of the passwords I need to.

    Personally I just use my meatspace memory and keep a backup in a service like Evernote which supports 2-factor authentication, for if I ever forget the password.

Why TechCentral?

We know that as a prospective advertiser, you are spoilt for choice. Our job is to demonstrate why TechCentral delivers the best return for your advertising spend.

TechCentral is South Africa’s online technology news leader. We don’t say that lightly. We believe we produce the country’s best and most insightful online tech news aimed at industry professionals and those interested in the fast-changing world of technology.

We provide news, reviews and comment, without fear or favour, that is of direct relevance to our fast-expanding audience. Proportionately, we provide the largest local audience of all technology-focused online publishers.

We do not constantly regurgitate press releases to draw in search engine traffic — we believe websites that do so are doing their readers and advertisers a disservice. Nor do we sell “editorial features”, offer advertising “press offices” or rely on online bulletin-board forums of questionable value to advertisers to bolster our traffic.

TechCentral, which is edited and written by award-winning South African journalists, cares about delivering top-quality content to draw in the business and consumer readers that are of most interest to technology advertisers.

We’d like the opportunity to demonstrate the value of directing a portion of your advertising budget to TechCentral, whether your company is in the technology field or not. Numerous opportunities exist for companies interested in reaching our audience of key decision-makers in South Africa’s dynamic information and communications technology sector. We offer packages that will deliver among the best returns on investment available in the online technology news space.

For more information about advertising opportunities, and how your organisation can benefit by publicising itself on TechCentral, please call us on 011-792-0449 during office hours. Or send us an e-mail and ask for our latest rate card and brochure.