Easy-to-Remember Passwords Can Be Harder for Hackers to Guess
by Leslie Meredith, TechNewsDaily Senior Writer
June 13 2012 02:38 PM ET
June has already been a bad month for getting hacked. Professional networking site LinkedIn, dating site eHarmony and streaming radio site Last.fm all reported the theft of users' passwords, involving about 8 million accounts altogether.
If it hasn't happened to you already, your chances of having a password stolen in the future are high, but there are new tricks to keep an account safe even if hackers do get your password data.
All three companies advised their customers to change their passwords — LinkedIn went so far as to disable compromised accounts, forcing users to create new passwords — but that isn't enough. Because attackers have new strategies, many companies have responded with better protection methods. Combined, these two factors have changed what it takes to make a safe password.
In the "old" days, cybercriminals ran dictionary attacks: a program tries every word in a word list, plus the usual variations (a capital first letter, a digit or a "!" tacked on the end), and on an attacker's own hardware it can test billions of guesses every second. That's why you've been warned not to use "real words" found in a dictionary.
Maybe you don't even use words, just a string of random letters, numbers and a special character thrown in to comply with so-called strong password standards. However, cracking hardware has advanced to the point where an attacker can simply try every possible eight-character string in turn, random or not, in a fairly short time.
Even that hasn't proved efficient enough for some cybercriminals. By breaking into a company's servers, they can steal the entire password database at once. Why hassle with one account at a time when you could get a list of millions, ready to crack and exploit?
Today many companies don't store account holders' passwords at all because it's too risky. Instead they "hash" them: a one-way function turns each password into a fixed-length string of letters and digits from which the password can't be read back, and at login the site hashes what you type and compares the result with what it stored. The next step is to "salt" the hash. If breakfast comes to mind, you're on the right track. You add salt to boost flavor, and companies mix a random string of extra characters, different for every user, into each password before hashing it. That way two users with the same password get different hashes, and an attacker can't crack millions of accounts with one precomputed table of hashed guesses. (As it turned out, LinkedIn neglected to salt its hashes.)
But a real weakness on the company side is protecting passwords with fast, general-purpose hash functions used straight out of the box (LinkedIn's were unsalted SHA-1). Those functions were designed to be computed as quickly as possible, and when many sites hash passwords the same way, a cracker can build one table of hashed guesses and run it against every stolen database. Purpose-built password hashes such as bcrypt or PBKDF2 are deliberately slow and salted, cutting an attacker's guess rate by thousands of times. Whether the site you use bothered is out of your hands, and that can be a problem for you.
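To make the hashing and salting discussion concrete, here is an added Python example; it is not code from the article or from any of the companies mentioned. It uses constructed sample users and a five-word cracking list, compares unsalted SHA-1 with a salted, deliberately slow PBKDF2-HMAC-SHA256 (the 100,000-iteration count and the 16-byte salt are illustrative choices), and counts how many hash computations each attack needs.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "stolen" user table and a tiny cracking word list.
# Illustrative values only, not data from any real breach.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "123456", "sunshine", "linkedin", "letmein"]


def unsalted_sha1(password: str) -> str:
    """The scheme LinkedIn used: one fast hash, identical for every site and user."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What an unsalted password table looks like once stolen."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(stolen: dict, wordlist: list) -> tuple:
    """Hash every word ONCE, then look up all stolen hashes in that table.

    Returns (recovered passwords, number of hash computations). The cost is
    len(wordlist) no matter how many accounts were stolen, and identical digests
    reveal at a glance which users share a password.
    """
    table = {unsalted_sha1(word): word for word in wordlist}
    recovered = {user: table[digest] for user, digest in stolen.items() if digest in table}
    return recovered, len(wordlist)


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """A purpose-built password hash: per-user salt plus a deliberately slow iterated
    HMAC (PBKDF2-HMAC-SHA256). The iteration count is a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(users: dict) -> dict:
    """Store (salt, digest) per user. The salt is random and need not be secret."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_pbkdf2(pw, salt))
    return records


def crack_salted(stolen: dict, wordlist: list) -> tuple:
    """No shared table is possible: every guess must be rehashed with each user's
    own salt, so the cost grows to roughly len(users) * len(wordlist) slow hashes.
    Returns (recovered passwords, number of hash computations)."""
    recovered, work = {}, 0
    for user, (salt, digest) in stolen.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(salted_pbkdf2(word, salt), digest):
                recovered[user] = word
                break
    return recovered, work


def verify(record: tuple, candidate: str) -> bool:
    """Login check: rehash the typed password with the stored salt, compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_pbkdf2(candidate, salt), digest)


if __name__ == "__main__":
    stolen = store_unsalted(USERS)
    print("unsalted: alice and bob hash identically?", stolen["alice"] == stolen["bob"])
    print("unsalted crack (recovered, hash ops):", crack_unsalted(stolen, WORDLIST))
    salted = store_salted(USERS)
    print("salted: alice and bob hash identically?", salted["alice"][1] == salted["bob"][1])
    print("salted crack (recovered, hash ops):", crack_salted(salted, WORDLIST))
    print("login alice/sunshine:", verify(salted["alice"], "sunshine"))
```

Two things to notice. With unsalted hashes, alice and bob have identical digests and the cracker pays for the word list once, however many accounts were stolen. With per-user salts the digests differ and the cost scales with the number of accounts, each guess being thousands of times slower, but a password that is a dictionary word still falls. Salting and slow hashing buy time; they do not rescue a weak password, which is why the rest of the article's advice is about what you choose.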
What can you do? Security experts urge people to dump their eight-character passwords and consider 12 characters the new minimum. Here's the difference. With 26 upper-case letters, 26 lower-case letters, 10 numerals and 10 special characters (such as the asterisk) to choose from, 72 symbols in all, an eight-character password has 72^8, or about 722 trillion, possibilities for cybercriminals to try. A 12-character password raises that to 72^12, about 19 sextillion (19 followed by 21 zeros), a number that for the time being is too big to search exhaustively. The catch is that the count only holds if every character really is chosen at random; a 12-character password built from your dog's name and a birth year is nowhere near 19 sextillion guesses away.
Length won't necessarily make your new password harder for you to remember. A string of four common, unrelated words that adds up to more than 12 characters is now considered one of the most secure password configurations, provided the words are picked at random rather than taken from a quotation, song lyric or saying, since cracking programs try well-known phrases too. Use an entire sentence of your own if the site will allow it; the longer the better.
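As an added example (not from the article), the following Python works through the arithmetic behind the two paragraphs above: the 72-symbol alphabet and its 8- and 12-character keyspaces, the equivalent for passphrases of four words drawn at random from a word list, and how long each would take to exhaust at an assumed guess rate. The list sizes of 2048 words (which gives the 44 bits cited in the xkcd cartoon quoted below) and 7776 words (a common size for printed word lists), the guess rates, and the 16-word sample list are all assumptions chosen for illustration.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample word list (illustration only; a real list needs thousands of words).
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "river", "candle", "orbit", "maple",
                   "pencil", "glacier", "tunnel", "velvet", "anchor", "meadow", "copper", "lantern"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` characters, each drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** length


def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Distinct passphrases of `words` words, each drawn uniformly (with replacement) from the list."""
    return wordlist_size ** words


def bits(keyspace_size: int) -> float:
    """Entropy in bits of one uniformly random choice from a keyspace of that size."""
    return math.log2(keyspace_size)


def years_to_exhaust(keyspace_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate (expected time is half this)."""
    return keyspace_size / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist: list, words: int = 4) -> list:
    """Draw words with a CSPRNG. Strength comes from random selection and list size,
    not from how memorable or unusual the words seem to the user."""
    return [secrets.choice(wordlist) for _ in range(words)]


def compare(guesses_per_second: float = 1e9) -> dict:
    """Bits of entropy and worst-case years to exhaust for the article's cases and three word lists."""
    cases = {
        "8 random chars, 72 symbols": keyspace(72, 8),
        "12 random chars, 72 symbols": keyspace(72, 12),
        "4 random words, 2048-word list": passphrase_keyspace(2048, 4),
        "4 random words, 7776-word list": passphrase_keyspace(7776, 4),
        "4 random words, 16-word sample list": passphrase_keyspace(len(SAMPLE_WORDLIST), 4),
    }
    return {name: (round(bits(n), 1), years_to_exhaust(n, guesses_per_second))
            for name, n in cases.items()}


if __name__ == "__main__":
    for rate in (1e3, 1e9):
        print(f"--- {rate:.0e} guesses per second ---")
        for name, (b, years) in compare(rate).items():
            print(f"{name:38s} {b:5.1f} bits  {years:15.4g} years")
    print("passphrase:", " ".join(generate_passphrase(SAMPLE_WORDLIST)))
```

The numbers show why "four words" is not a magic formula. Four words from a 2048-word list are about 44 bits, roughly as strong as seven random characters from the 72-symbol alphabet, and at a billion guesses a second against an unsalted fast hash they fall in hours; the same phrase survives for centuries if the site's slow hashing or rate limiting holds attackers to a thousand guesses a second. Twelve truly random characters, at 74 bits, outlast either rate, and a passphrase grows stronger with every extra word or a bigger list, while four words from a 16-word list are only 16 bits and fall instantly.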
But one safety rule that hasn't changed: never reuse a password across accounts, and above all never let the password of an account that holds sensitive information, such as your online banking account, do duty anywhere else.
It's unlikely that a criminal could do much with your LinkedIn password — these types of passwords sell for $1 or less on the black market, compared with the $850 that a bank account password can sell for, according to security firm Symantec. But if you've used your LinkedIn account password for your bank site, you could be in big trouble. Those cheap passwords are relatively easy to steal and are routinely used by cybercriminals to try to unlock accounts on more lucrative sites. That's why you should use a unique password for each.
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess," Randall Munroe wrote in his now-famous cartoon on the blog xkcd.com last year.
So pick four unrelated words at random, ones you can still remember, and you'll be safer than you are today.