Password: (noun) a variable length combination of characters, numbers and special characters, that gives their user a false sense of security.
We hear it all the time: a business was hacked, a database compromised, accounts ransacked, notification and liability, password cracked, blah blah blah. “How can this happen?” “Why didn’t they create a stronger password?” Well before you get too indignant, how well are you protecting your own data?
Is your password sufficient to stop the minions of organized crime, bored fifteen year olds killing time, or other ne’er do-wells intent on accessing your data?
It is difficult to remember different passwords, which is why 60-65% of people use the same password or similar passwords. This translates into it being more convenient to use your cat's name plus the month number and something about the website itself, then just change it every month. And that would look like this:
Amazon: (Puddy06Amaz) then (Puddy07Amaz) then (Puddy08Amaz)
Comcast (Puddy09Com) then (Puddy10Com) then (Puddy11Com)
And before you blame the cat for having an insufficiently difficult name, just think how silly it would be standing outside and calling “Here BH-jk!nhb#$@$n_8.”
So you can see it's just a matter of time before they get to your bank. How do they figure out the pattern? Look at your Facebook page, your Twitter, How often do you post about your favorite sports team, your pets, your kids, your hobbies? After they look at that, it's just a matter of time before they figure you out, and they have all the patience in the world.
You might slow the attackers down by using a passphrase instead of a password. Use a phrase from your favorite book, movie, or song. (1 phrase will rule them all!!) (I ain't never birthed no babies b4) (8 Days a Week)
Alternatively, have a password pattern for general accounts and a very different pattern for more sensitive accounts. Preferably one that you don’t plaster all over Facebook!
Then of course there are the other attacks, such as dictionary, malware, phishing and brute-force.
One way to help protect yourself is to get a password vault. With these you only have to remember one password or passphrase to unlock the vault and have access to your passwords.
Once you set it up, these vaults will randomly generate unique passwords for each website or account making it easier for you to reset passwords on a regular basis (a good practice to get into) and you don't have to make them up or remember them!
I'm not saying that businesses don't have responsibility in this; they need to get on board as well. How many sites do you go to where the passwords are restricted and:
- Has to be between 6 and 10 characters long
- Has to start with a letter
- Has to have at least 1 number
- No spaces or symbols
Really? That limits you so much and, again, just a matter of time with the right computer program to figure that one out.
And then you forget your password anyway, so you call them. Customer service tries to be as helpful as they can be: "Well, your password is a word and number." And when you still don't quite get it: "It's a place you might like to vacation and it starts with H" and by feigning forgetfulness, injected with humor, chatting up the Help Desk, you can get it narrowed down even more.
For the most part, people like you and me understand we are taking a risk, but we are still not willing to give up convenience.
How do you respond when your bank or other account calls you? Sometimes they ask for your zip code, date of birth, or address maybe to confirm they are indeed speaking with the owner of the account. But how do you know with whom YOU are speaking? You could call them back but that's inconvenient. Simon Davies of Privacy International suggests putting a nonsense word in the special instructions field on your account. Then when they call you, you ask them to read you that word. If they indeed are the bank, they have that word and can confirm it.
Technology is moving away from passwords and towards those things easier for us to remember and recognize on a personal level. We've seen pictures, for example, used with a pattern swipe, or face recognition. Right now that is still tied to a password or PIN and those are used as back up - so still hackable. But it's a move in the right direction.
Fingerprint recognition is accepted as highly secure and practically impossible to fool. But a Japanese cryptographer got past such a device by using Gummi Bears.
Kevin Mitnick, a famous hacker turned good guy, got around a voice authentication by using a program that fakes his phone number on caller ID. He then made sure that each number was represented, and, calling the CEO of the company he was testing with, asked the CEO if he had the "new" phone number and would he read it off to confirm it displayed properly. Now he had the CEO's voice with every number and broke in.
As data thieves get smarter and your one-size-fits-all password becomes less secure, it is important to routinely change your passwords and not use the same password on multiple sites. Being in the security industry, we see plenty of preventable data losses. While there isn't much you can do to prevent the next big breach, you can at least make it hard for data thieves to take your lost information and use it to access your other accounts.
For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CEO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.