How to Find Happiness in a World of Password Madness
In early August, Wired reporter Mat Honan had his most precious passwords hacked via a complex series of social engineering exploits. The breach made headlines because it exposed security flaws in Apple and Amazon customer service policies; but let's not forget that the Honan saga capped a long summer full of server invasions that exposed millions of user passwords en masse.
Wed, September 19, 2012
PC World —
In June, hackers stole some 6.5 million LinkedIn passwords and posted them online. That same month, intruders compromised about 1.5 million eHarmony passwords in a security breach, and in July hackers grabbed 450,000 Yahoo Voice passwords. Among the most common passwords used by those Yahoo members: "123456," "welcome," and the ever-popular "password."
The fundamental problem isn't that these sites should have done a better job protecting user data (though they should have). And it isn't that users chose passwords that were exceedingly easy to crack and then recycled the same flimsy passwords at every site where they registered (though they did).
The problem is that passwords have become self-defeating, often impotent tools in the grand scheme of digital security. We need too many of them, and the strong ones are too hard to remember.
"To use the Net these days you have to have dozens of passwords and logins," says Terry Hartman, vice president of global security solutions for Unisys. "Every time you go back to a site, it feels like they've introduced new rules to make passwords more complex. Eventually, users revert to using one password for everything."
In short: The password system is broken. All of the passwords breached in the LinkedIn, eHarmony, and Yahoo exploits had been "hashed"; that is, the actual passwords had been replaced with the output of a one-way hashing algorithm. This transforms the passwords stored on servers (and stolen by hackers) into alphanumeric gobbledygook. Still, if your password is as simple as, say, "officepc," a hacker can easily crack it even in hashed form by using brute force or a rainbow table.
But all is not lost. Complex passwords infused with numbers and special characters (and bearing no resemblance to a real name or word) give you a fighting chance against hackers, and you can store these codes in a handy password management app. Websites, meanwhile, are doing more to beef up security at their end, requiring multifactor authentication, and it looks as though biometric technology will soon be employed for mass-market security as well.
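The two points above, that a hashed weak password is still trivially recoverable from a precomputed lookup and that complex random passwords plus salted, slow hashing on the server side restore the defender's advantage, can be shown in a few lines. The following is an added example written for this article, not code from PC World or from any of the sites named; the password list, the user names and the unsalted SHA-1 store are constructed for illustration, and nothing here describes how any of the breached sites actually stored passwords.

```python
import hashlib
import math
import os
import secrets
import string

# Constructed sample of weak passwords: the three named in the article plus a few
# other common choices. A real cracking dictionary is far larger.
COMMON_PASSWORDS = ["123456", "welcome", "password", "officepc", "letmein", "qwerty"]

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def unsalted_sha1(password: str) -> str:
    """Plain, unsalted SHA-1 of the password: the weak storage scheme under discussion."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password for every candidate. A real rainbow table is a
    time/memory trade-off over the same idea; the point is that the work is done
    once and reused against every unsalted store."""
    return {unsalted_sha1(p): p for p in candidates}


def recover_from_table(table, stolen_hashes):
    """Return {hash: password} for every stolen hash that appears in the table."""
    return {h: table[h] for h in stolen_hashes if h in table}


def salted_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str, iterations: int = 100_000) -> dict:
    """What a site should keep: a per-user random salt, the work factor and the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": salted_pbkdf2(password, salt, iterations)}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_pbkdf2(password, record["salt"], record["iterations"])
    return secrets.compare_digest(candidate, record["hash"])


def generate_password(length: int = 16) -> str:
    """Random password over letters, digits and punctuation, from a CSPRNG."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def entropy_bits(length: int = 16, alphabet_size: int = len(PASSWORD_ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed "stolen" store of unsalted hashes: two weak passwords and one strong one.
    strong = generate_password()
    stolen = {"alice": unsalted_sha1("officepc"),
              "bob": unsalted_sha1("password"),
              "carol": unsalted_sha1(strong)}
    table = build_lookup_table(COMMON_PASSWORDS)
    recovered = recover_from_table(table, stolen.values())
    for user, h in stolen.items():
        print(f"{user}: {recovered.get(h, '<not in table>')}")

    # The same weak password stored properly twice: different salts, different hashes,
    # so a precomputed table matches neither, and every guess costs 100k iterations.
    r1, r2 = store_password("officepc"), store_password("officepc")
    print("salted hashes differ:", r1["hash"] != r2["hash"])
    print("verify correct:", verify_password("officepc", r1),
          "verify wrong:", verify_password("officepd", r1))
    print(f"{len(strong)}-char random password ~ {entropy_bits():.0f} bits of entropy")
```

Running it shows alice and bob recovered from the table while carol's random password is not, which is the article's point about "officepc" in hashed form. The salt is what defeats precomputation (the attacker would need a table per salt), the iteration count is what makes brute force slow, and a 16-character random password from a manager gives over 100 bits of entropy, far beyond any dictionary.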