Tag Archives: passwords

The Weakest Link: “Forgot Your Password?”

Assume for a moment that I wanted to access some confidential files that belonged to you. You, having at least an ounce of sense (or an IT department that makes these decisions for you) have set a Windows password on your computer. How should I aim to access those files?

Well, there are a lot of ways. Here are a few:

  1. Install a keylogger on your system, wait a little while, then come back and search through the output looking for things that look like passwords, then try them. (Probably several hours, unless I’m really good at it.)
  2. Try to guess your password based on things I know about you, or try common passwords like ‘password1’ or ‘123456’, or look around your desk for sticky notes containing your password. (A few minutes, assuming it works—which is a comfortably low chance if you use a sensible password, but unfortunately a lot of people don’t.)
  3. Use software that will search for common passwords out of a dictionary or brute-force the password. (Probably days.)
  4. Boot up the system using a boot disc to bypass the Windows password, locate the files, and copy them to a flash drive. (About 5 minutes.)

Which do you think I’m going to pick? Obviously, the sensible choice is the one that’s the easiest, the lowest risk, and takes the least amount of time, which is number 4. If you look at these options, you’ll notice there’s something different about number 4: I have not broken the installed security system (by finding the password despite not being a legitimate user), I have bypassed it altogether. Instead of trying to find the password to the system, I’ve simply found a way to access those files that didn’t require me to know the password at all.

On web services, the bypass-the-password option comes in the form of that little link that reads “Forgot your password?” While this function is a godsend if you really have forgotten your password, without some care it makes it much easier for someone to access your account without your permission. This scenario is not the most likely way for your account to be compromised—nowadays it’s more likely that a poorly secured password database containing your information will be stolen and published on the Web. But if someone singles you out as a particular target for whatever reason (and it’s not as impossible as it seems), password resets are likely to be something they try. Fortunately, it’s not all that difficult to make password resets significantly more secure.

How Password Resets Work
Consider for a moment what happens when you use a password reset function. Usually the service does one or both of these things:

  • It sends a confirmation link to your email address, which will allow you to set a new password.
  • It asks you one or more security questions to “prove” your identity, set up when you opened the account, supposedly things that only you would know, then allows you to change the password.

I’ll look at each of these in turn.

Email Link Reset
Services that simply send a link to your email address are the simplest case. As a would-be hacker, all I have to do is gain access to your email account, and I can easily reset the password on another site that I don’t know the password to. This may not seem like a big deal—after all, I still need to access your email account—but most likely you have twenty or thirty different accounts that will all happily send password reset links to the same email address in the same day. So if I can gain access to your email account through whatever means, even if you have the best unique passwords set up on every other account, I can still access every one of them.

This is pretty simple to fix, though:

  • Never, ever reuse the password you use on your main email account for any reason. Even if you use the same password for everything else (which I don’t recommend, but if you must do it, you must), use a unique one for your email.
  • Make that password a strong one: at least 20 characters, using letters, numbers, and symbols, and nothing easily guessable, such as your phone number, spouse’s or pet’s name, zip code, birthday, and so on. (Actually, guessable things are not in themselves bad—but they need to be combined with something completely unrelated to be secure. Your birthday is a bad password; your birthday combined with a random dictionary word and the last four digits of your phone number when you were six is a good password.)
  • Set up two-factor authentication on your email account if you can. It’s extremely effective and surprisingly unobtrusive.
  • Make certain that you’ve always logged out of your email account when you’re done using it on a public computer. Not only does it help keep you secure on other websites, at least one court has ruled that it’s legal to read someone else’s email if they neglect to log out. If you ever do forget to log out, many services have an option to log out other sessions (in Gmail, if you click the “Details” link in the lower-right-hand corner of the page, there’s a button labeled “Sign out all other sessions”).
  • If you have an “alternate” email address set in your email account’s settings (for recovering the password to your email account), double-check that that account is also secured in the same way. From personal experience, I can attest that this is a “D’oh!” moment if it happens to you.

Some people recommend setting up a different email account reserved for signing up for web services (to keep password reset emails more secure). Personally, I’m too lazy to check my email at two different places (for obvious reasons, you shouldn’t have that mail forwarded to your other email address), and I’m confident enough in the security of my main email account that I’m not worried.

Security Questions
Some people think that security questions are an effective and useful security measure. They’re dead wrong.

Actually, security questions have become popular partly because of a misunderstanding of the theory behind two-factor authentication. In security theory, there are three ways to authenticate yourself: something you know (a password or something more unique like a series of pictures where you must choose the right one), something you have (a token that displays different numbers, a smart card, an RFID tag, or an encryption key on a flash drive), and something you are (a biometric reading such as a fingerprint scan, voice print, or face recognition).

Two-factor authentication consists of using two different types of authentication (in most implementations, a password—something you know—and a token—something you have). However, people heard that two-factor authentication was good, decided that security questions were “two-factor authentication” because you had to authenticate two different ways, and “Wish-It-Was Two-Factor” authentication was born.

It is often said that “good” security questions have four characteristics:

  1. The answer cannot easily be guessed or researched.
  2. The answer doesn’t change over time.
  3. The answer is memorable.
  4. The answer is definitive/simple.

Looking at how tough those requirements (plus a fifth one, that the question needs to apply to most of your users) are, it’s no wonder that nearly all of the questions you see are bad!

Let’s look at where some common questions go wrong:

  • “What is your favorite movie?” This fails on count 2. You probably won’t need to reset your password for months if not years. By that time you’ve almost certainly forgotten what your favorite movie was at the time, if you even had a well-defined one to begin with. Even if you could somehow remember what your favorite movie was on any day during your life, you’d still have to remember when you created your account for that knowledge to be useful.
  • “What city were you born in?” This fails on count 1—it can be found easily in public records. Even if I couldn’t find it with some good research, it’s quite likely you’d give me this information if I asked you, as it doesn’t feel very sensitive.
  • “What is your date of birth?” This isn’t usually presented as a security question, but it is often used for verification. The majority of people have their birthday listed on Facebook, for one, and even if not, once again, it’s in public records. Alternatively, I could call you up and pretend to be conducting a survey or something similar and ask you for your birthday, and you’d probably give it to me.
  • “What is your favorite color?” This fails on count 1 in two different ways. First of all, there are only so many colors that people will describe as their favorite. If you simply type in “blue,” you’ll get it right a very good percentage of the time (according to one survey, a whopping 36 percent of the time averaged between genders). How many people are going to describe their favorite color as something that’s actually somewhat difficult to guess like “light chartreuse” or “burnt orange”? And when was the last time you asked someone what their favorite color was and they told you, “No, that’s private information”? If you can’t find it anywhere, you can just ask.

The Solutions

So what can you do about bad security questions? There are two options I like:

  1. Make up a fake identity of security questions, store them in a file or on a sheet of paper, and read off it anytime you need a security question. You can store it in your email account if you need to be able to access it anywhere (you made sure your email account was secure, right?). If you want to make it even more secure, you can make up answers that are completely unrelated to the question (e.g., “What is your favorite pet’s name?” / “Wal-Mart”). This takes a little while to set up, but you can feel confident that you’ll never accidentally reveal the answer to a question, and you have at least some security in the event that someone does discover the answer to one of the questions, as you don’t have to use the same one on every website. Here’s the list of 13 questions that I use (with my answers removed, of course).
  2. If that sounds too complicated for you (and for most people, it probably is), simply make up a password and enter it every time you are asked for a security question. It doesn’t matter one bit what the question is. (If you want to get a little bit more secure, you can add something to the password based on the name of the site or use two or three passwords based on the question.) This password will never change (unless it’s compromised and you need to change it, of course), is always memorable and applicable to you, and is not researchable, since it’s not an answer, it’s a password.

Other options that are not as good as these but are at least better than nothing:
  • Replace letters with numbers or symbols in your answer as if it was a password you were attempting to obscure. This can usually be cracked easily by a password dictionary, but hopefully nobody will be trying a password dictionary on your security question, since it’s not supposed to be a password.
  • Even if you must use the actual question and answer with an actual answer, if you’re given the option to choose your own question, use it. But make it something good—it should pass those four guidelines at the beginning of the section for you.
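One way to carry out option 2’s “add something based on the name of the site” without having to remember anything per site, as an added example that is not part of the original post: derive each answer from a single master secret with HMAC, bound to the site and the question, so one leaked answer tells an attacker nothing about the others. The master secret, site names and question wording below are placeholders; the answer alphabet omitting l, i, I, 1, O and 0 is my choice, not something the post specifies.

```python
import hmac
import hashlib

# Alphabet for derived answers. Assumed choice: the glyphs the post calls
# ambiguous (l, i, I, 1) plus O and 0 are left out, so an answer can be read
# back from a screen or dictated to a support agent without transcription errors.
ANSWER_ALPHABET = (
    "abcdefghjkmnopqrstuvwxyz"   # lowercase without i and l
    "ABCDEFGHJKLMNPQRSTUVWXYZ"   # uppercase without I and O
    "23456789"                   # digits without 0 and 1
)


def _normalize(text: str) -> str:
    """Fold case and whitespace so small differences in how a site words the
    question (or how you type the site name) still yield the same answer."""
    return " ".join(text.lower().split())


def security_answer(master_secret: str, site: str, question: str, length: int = 20) -> str:
    """Derive a per-site, per-question answer from one memorised master secret.

    HMAC-SHA256 keyed with the master secret; the message binds the answer to
    the site and the question, so an answer leaked by one site reveals nothing
    about the answers used elsewhere, and nothing about the master secret.
    """
    if not 8 <= length <= 64:
        raise ValueError("answer length must be between 8 and 64 characters")
    key = master_secret.encode("utf-8")
    msg = (_normalize(site) + "\n" + _normalize(question)).encode("utf-8")
    n = len(ANSWER_ALPHABET)
    limit = 256 - (256 % n)  # rejection bound keeps every character equally likely
    out = []
    counter = 0
    while len(out) < length:
        # Each block is a fresh HMAC over the message plus a counter, so long
        # answers are expanded deterministically rather than by reusing bytes.
        block = hmac.new(key, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in block:
            if len(out) == length:
                break
            if b < limit:
                out.append(ANSWER_ALPHABET[b % n])
        counter += 1
    return "".join(out)


def answer_sheet(master_secret: str, site: str, questions) -> dict:
    """Option 1 from the post, generated instead of invented: the full set of
    'fake identity' answers for one site, ready to keep in a safe note."""
    return {q: security_answer(master_secret, site, q) for q in questions}


if __name__ == "__main__":
    # Constructed example inputs; the master secret here is a placeholder.
    master = "example master secret - replace with your own"
    sheet = answer_sheet(master, "shop.example", [
        "What is your favorite pet's name?",
        "What city were you born in?",
    ])
    for question, answer in sheet.items():
        print(f"{question:40} {answer}")
```

The master secret carries all the strength, so it needs to be as strong as a master password; if you ever change it, every derived answer changes with it, which is the same trade-off as option 2’s single password.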

I’ve had some fun in the past asking security questions like “What is 2 + 2?” and making the answer something that’s not even a number. The look on the face of a would-be hacker as he or she is informed that the answer is not 4 is priceless. (I was in the same room with a friend when she tried to access my Gmail account as part of a prank once.)

Here’s some more reading on security questions if you’re interested:

All the good security questions in the world won’t save you from social engineering. In several high-profile cases, customer service representatives have allowed unauthorized users to access accounts even though they didn’t have the answer to the security questions. Of course, there’s nothing you can do about this—just do what you can and hope that none of the things you can’t fix get you in trouble. And if you’re in charge of a web service or business, make clear security guidelines and stick to them (I highly recommend The Art of Deception by Kevin Mitnick—it’s written specifically for businesspeople looking to improve their company’s security, but it’s very enlightening reading for anyone).

So what can you do right now? Most importantly, go to your email account right now and check your security. If you have weak security questions, change them. If you have an alternate email address, make sure it’s secure (or simply remove it from your account; it’ll make it a little bit harder if you really do lose your password, but it will increase your security). And if you don’t have a strong, unique password on your email account, change it! If you can only follow good password guidelines on one account, make it your email.

As for other sites, if you don’t want to go through and change all your security questions now, at least try one of these methods the next time you’re signing up for an account.

LastPass: How to Use Better Passwords Without Losing Your Mind

Last week (well, last post—I never got around to publishing for the last two weeks) I talked about why passwords are getting easier than ever to crack. If you haven’t read that article, you should read it now, because if you don’t, you’re going to give up before you get through this article.

Yes, I told you it wouldn’t be too easy. Well, it’s not exactly difficult, but it means an hour or three of work for you. But guess what: that’s a lot less trouble than you’d have to take if somebody got into one of your accounts and started screwing up your life. And given how easy it is now, it’s no longer a crazy, improbable possibility.

Besides keeping your passwords safer, LastPass can help you in other ways as well. It can fill out forms for you (of course, there are other tricks for doing this faster as well). It can keep track of what accounts you have on the Internet, which might seem unimportant but is really nice when you visit a site you vaguely remember and can’t recall whether you already set up an account there. And guess what: you’ll never again sit at a username and password prompt and have no idea what to type in. It may be a small annoyance, but the more small annoyances you fix, the better your life will be.

Here’s how to get going and secure your life. I’m going to take you through some steps that may seem paranoid, but will greatly increase the likelihood that you remain secure not just now, but in the future. (For instance, a strong twelve-character password may be acceptable now, but in five years it may not be anymore. Therefore, I recommend a twenty-character password or better.)

If you can’t read any screenshot below clearly, you can click on it to display it full-size.

1: What Is LastPass?

LastPass is a browser extension that acts as a password manager. It adds a small LastPass button and right-click menu to your browser somewhere, as well as prompting you to autofill a password when you visit a page containing a login form:

The Firefox LastPass extension. In this screenshot, LastPass has been set to autofill the password into this site—all you have to do is click Login. The LastPass button is circled in the upper-right-hand corner.
The Chrome LastPass extension. It's very similar to the Firefox one. In this screenshot you see LastPass prompting you to fill in the login information rather than automatically filling it (this happens the first time after you enter a site and if you have multiple logins for a site).

LastPass can synchronize your data across multiple computers using the browser extension, so you can use LastPass at home, at work, and on your tablet or smartphone. You can also log onto the LastPass website if you need to access a password from a different computer (you can’t autofill, but you can copy and paste your password, which is good enough for occasional use).

However, you’re not giving your passwords up to LastPass for this convenience. All your data is encrypted on the client side, which means the browser on your local computer deals with everything. The folks at LastPass can never access your data, no matter if they’re curious, get hacked, or have a court order to retrieve your passwords. And the encryption would supposedly take trillions of years to crack with current computers—even if that’s a high estimate, nobody is getting to your passwords anytime soon. (LastPass has a nice page about their security, but I can’t seem to find it right now. If you’re still worried, try to find it, and if you do, post the URL in the comments for me.)

Unless you have an amazing memory or love sitting around memorizing strings of characters, you need a password manager to be fully secure in today’s world. If you don’t want to use LastPass for whatever reason, poke around the Internet and look for a different one (I don’t know of any other ones that can synchronize across the Internet, although you can still sync them using Dropbox or a similar service). Some popular ones include KeePass(X), RoboForm, and Password Safe. The rest of this article will focus on LastPass because I find it to be the easiest to use and most feature-rich.

2: What LastPass will not do

LastPass does not work miracles. It is a useful tool that helps you keep track of secure passwords, but simply getting a LastPass account will not magically increase your security. (This seems to be a fairly common misconception.) For it to work properly, you need to do a few other things:

  • Use a strong master password (and, preferably, two-factor authentication). If your password is “password,” all the security measures in the world will be useless.
  • Get all your passwords into LastPass’s database. If you don’t know where you have accounts on the Web, it’s going to be difficult to secure them.
  • Once you have them gathered together, change all your passwords to something more secure, ideally randomly generated.
  • Don’t do anything stupid. Don’t leave your LastPass account logged in on a public computer, write your master password on a sticky note on your monitor, or anything else. Common sense applies.

Ready to start? It’s probably best to wait until you have about forty-five minutes free to do the initial steps.

3: Choosing a Master Password

Before you create your account, you should choose a master password. If you’ve never made a strong password before, this is probably going to cause a few hangups for you. Your master password should be at least twenty characters long. Twenty-five or more is better.

There are a lot of different ways to get a good password. The one I typically use is to pick two or three phrases or words (randomly, using whatever inspiration you want) and string them together, often with some sort of numbers and/or punctuation in the middle. If you do this, it doesn’t matter if one part of the password is fairly guessable by itself—the strength is provided by the fact that two completely random things have been joined.

Here’s one of mine as an example (I don’t use it anymore, of course): 1-stuffed-gnu:no-evil-wo-vim

The second part of this password comes from the phrase “You can’t spell evil without vi.” If you don’t know anything about Unix/Linux, you probably don’t get it—which is all the better, because it demonstrates that most people probably wouldn’t even guess the original phrase, without my modification and the first part. The first part is a reference to the fact that gnus are related to *nix and can be remembered by thinking “the gnu is saying the following phrase.”

I could make this password even more secure without too much loss in memorability by capitalizing a random letter or two: 1-stuffed-gnU:no-evIL-wo-vim, or, slightly less secure in terms of guessing but useful if I needed a bit more help to remember, 1-stuffed-gnu:no-eVIl-wo-VIm. I could also add another number somewhere: 1-stuffed-gnu25:no-evil-wo-vim. (The 25 translates to “nose” in my modified version of the Major System, so I could remember this as “stuffed gnu nose.”)

If you don’t like my technique, another good one is using the initials of a phrase. Don’t pick a common phrase or a phrase from well-known literature (if you pick a Bible verse, for example, it is quite easy for a dictionary cracker to try every single verse in the Bible in just a few minutes). You should combine this with something else if you want a 20-character length. Names and birth dates work well when used in combination with something else. (Using only a name with a number after it is a recipe for disaster: cracker programs are available that can hack all common name+number combinations in only a couple of minutes.) You can hunt around the Internet for other good techniques; just be sure to take the sources with a grain of salt (if somebody on Yahoo Answers tells you that a six-character password of your initials repeated twice is a good password, they’re wrong).

“But I won’t remember this password!”

You can really remember pretty much any password of reasonable length, no matter how insane it is. The only thing you have to do is use it. If you enter your password enough, you’re unlikely to forget it, and if you do it even more and you’re a touch-typist, it’s likely the password will even be engraved into your unconscious memory—you can type it without thinking about the words. When I create a new master password for any encryption or password software, I type it ten times right afterwards, ten times later that day, and ten times the next day. As long as I use it regularly after that, I’ve never had trouble remembering my password.

You also get a password hint to help you out; see two paragraphs down.

If you really feel you need to, write down your master password and put it in a safe place. (If you usually keep your wallet with you, it’s probably pretty good—if you lose it, you should notice and have a chance to change your password.) After a few days, once you’re sure you know your password, it’s best to destroy it or put it somewhere really inaccessible, like a safe deposit box.

That said, keep in mind that there is no way to recover your LastPass master password if you forget it (remember that LastPass can never see your data?). This is of course the sensible way to handle information this secure, but most of us are so used to clicking the “Forgot your password?” link that we take it for granted that we can recover passwords anytime we forget them. However, while you can’t reset your password if you forget it, you can provide a password hint that will be emailed to you if you click the “forgot password” link. Since nobody but you will ever see this unless your email account is hacked, you can safely describe the parts of the password (for my example+numbers password, I could say something like “speaker’s nose: evil vim”). Chances are very good that that will be plenty to jog your memory.

At the end I’ll also talk about backing up your password list, so that even if you do forget your master password you won’t be totally screwed.

4: Signing Up

Phew, we’re 1500 words into this article and we haven’t even created an account yet? Don’t panic; in my experience the master password is usually the biggest mental hurdle for new users to overcome.

You can sign up for a LastPass account in several ways, but if you use this referral link both you and I get a free month of LastPass Premium.

Scroll down to “create your account” and fill in your email address, your shiny new master password, and a password hint, as described in the previous section.

You can uncheck “Keep a history of my logins and form fills” and/or “Send anonymous error reporting data…” if you’re really paranoid, but otherwise they should be fine. You do have to check the first two boxes, though. If you picked a good master password, the bar will probably be full.

In case you didn't get the warning that there's no way to recover your password yet, here you are. Take heed of the warning but don't do anything stupid because of it, like writing your password on a sticky note and putting it in your desk drawer.

Click the Download LastPass button and proceed through setup. This step will be different for each operating system and browser, so I won’t walk you through it (it’s not difficult). At some point during the process, you will be prompted to import all “insecure” passwords that are currently stored in your browser’s memory. You should accept this offer and the one to have them deleted from the old storage, as they’ll be safely retained in your new LastPass Vault. You may be shocked to discover how easily LastPass can tell you exactly what all those passwords are—that’s why it’s not a very good idea to store your passwords there!

You may need to restart your browser(s) to install the LastPass extension(s). (If you have multiple browsers, the extension should have been installed in all of them.) After you see the LastPass button (an asterisk with a black background, or a red background if you’re logged in) in your browser, you can click it to log in. There are two screenshots way up at the top if you’re confused.

5: Getting Your Passwords Into LastPass

Adding a new password to LastPass is easy:

Step 1: Go to the site you wish to add and sign in as normal.
Step 2: LastPass will display a bar at the top of the screen (the color depends on your browser and theme settings) asking you if you want it to remember this password. Click Save Site.
Step 3: Name the site and select a group. If you don't care much for organization and don't have too many passwords, you may choose not to group your passwords and just use the URL of the site. I, on the other hand, have nearly 100 entries in my LastPass database (not all of them are websites), so I organize things carefully into groups and give them friendlier names.

The only difficult or annoying part of this process is that you have to repeat it for all the accounts you have on the Internet. The easiest way is to take about a two-week-long break at this point. Every time you want to sign into a website, make sure you’re logged into LastPass (the icon will be red), then log in and make sure to click the “Save Site” button. For now, you’re done—go ahead and put continuing this on your calendar for a couple of weeks from now. Just don’t forget to keep adding those passwords (and don’t forget to come back or you won’t be any more secure than you were before).

If you want to speed the process up, there are a couple tricks. Obviously, if you currently have a pad of paper or a Word document containing a long list of passwords (shame on you), that’s a pretty good place to start. Another trick is to search your email for terms like “account” or “password reset” to remind yourself of what websites you have accounts with (since most websites send service messages to your email, as long as you archive your email this should work fairly well). It’ll probably be months before you have every website in your database, but as soon as you have a fair number of the ones you use frequently, you can proceed on to the next step.

6: Changing Your Passwords

Did you take a good break to find some of your accounts? Good. If you haven’t done it yet, it wouldn’t hurt to try some of the tricks in the paragraph immediately above, like searching through your email or password files. (If you haven’t added one to your database yet, just go to it and log in.)

Although you now have a nice, neat, comprehensive list of all (most of) your accounts and passwords, you’re not any more secure than you were when you started, even though you have a nice fancy password manager. In order to increase your security, you need to change the passwords.

Changing a password can be a bit of a challenge at times; it’s not always the most accessible option. (On one memorable occasion, I had to resort to an eHow article to figure out how to change my Comcast email password.) Fortunately, LastPass has a handy feature to help you out: the security check. The security check runs through your passwords and gives you a report of which passwords are duplicates and which have low strength. To use it, simply open your vault (LastPass button → LastPass Vault) and click the “security check” link on the left-hand side, then click the huge “Start the Challenge” button.

You’ll get a big score (90.1% in my case), a rank, and a short list of the criteria that it used to determine your score. That’s good for seeing how generally secure you are, but the real meat is underneath, where there’s an exhaustive listing of all your LastPass accounts, their strength, which have duplicate passwords, and (if you enable it) the exact plaintext password of each. Here’s a small snippet of mine (usernames blurred for security):

Sometimes you get a terrible rating on an account with a password that you can't change (for instance, on the top one, the username is the real password, as it's a string of random numbers, while the password is the first two letters of my last name). But most of the time, a low score indicates that you have a poor or duplicated password.

When you see that you have a poor rating on a site, you should click the “visit site” link, log in, and find the “change password” option. I’ll change my Amazon password because it’s currently a duplicate (though a strong password).

When changing a password, LastPass helpfully offers to fill both your current password and a new password.

After reaching the password change page, click “fill current” to enter your current password. Then click “Generate” to bring up the “Generate Secure Password” dialog box. A random password is about as secure as you can get: there’s no way to guess it aside from brute force. You probably can’t remember it, but that’s what your password manager is for—you only need to remember that one master password.

However, LastPass’s default settings really don’t produce a secure password. Here are my standard settings:

Here are good standard options. Your password length should be 20 or 25 (or more, if you want)—as there’s very rarely any need to type it, there’s little advantage in making it shorter. “Avoid Ambiguous Characters” is useful if you expect you’ll need to type it or copy it—it excludes characters like l, 1, I, and i, so that you won’t make errors because you couldn’t read the password.

Sometimes, though, you’ll encounter a website that imposes silly restrictions, like “the password must be exactly 7, 12, or 62 characters in length” or “the password must consist of exactly two numbers, two special characters, one composed of only straight lines and the other only curves, and thirteen consonants, alternately lowercase and capitalized.” (Okay, they’re not usually quite so bad, but sometimes they feel like it. Once I was trying to change my Yahoo password and was informed that my password could not contain any part of my first name. All well and good, but many moons ago I’d entered my first name as “S,” so my new password was not permitted to contain the letter s.) In this case, simply come back to this dialog box and fiddle with the options until they produce a password that meets the guidelines.

Once you’re done, click “generate” (the password doesn’t update to match your settings until you do), then “accept.” LastPass will fill in your new password. Click the accept or continue button on the website.

This final step is extremely important. After clicking accept, you will receive a notification bar that says “LastPass detected a password change….” Click “Confirm.” If you don’t, LastPass will continue attempting to log in with the old password and you’ll be unable to access the site. (The generated password is always saved as “generated password for x.com” until or unless you click save, so you’ll never completely lose your password and be locked out due to this. Keep that in mind in case it happens to you.)
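As an added example (not LastPass’s code or the post’s own), here is a generator that mirrors the settings recommended above (length 20 or 25, all four character classes, “avoid ambiguous characters”) together with a small vault audit that flags duplicate and weak entries the way the security check does. The ambiguous-character set, the symbol list, the 80-bit weakness threshold and the sample vault are constructed assumptions.

```python
import math
import secrets
import string
from collections import defaultdict

# Characters the "Avoid Ambiguous Characters" option is meant to drop: the post
# names l, 1, I and i; O and 0 are added here as an assumption.
AMBIGUOUS = set("l1IiO0")
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed symbol set, not LastPass's exact list


def generate_password(length=25, lower=True, upper=True, digits=True, symbols=True,
                      avoid_ambiguous=True, min_of_each=1):
    """Random password drawn from the enabled character classes with a CSPRNG.

    min_of_each guarantees that many characters from every enabled class, which
    is how site rules like "must contain a digit and a symbol" are satisfied.
    """
    classes = []
    if lower:
        classes.append(string.ascii_lowercase)
    if upper:
        classes.append(string.ascii_uppercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(SYMBOLS)
    if not classes:
        raise ValueError("enable at least one character class")
    if avoid_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    if length < min_of_each * len(classes):
        raise ValueError("length too short for the required characters per class")
    # Forced characters first, then fill the rest from the combined alphabet.
    chars = [secrets.choice(cls) for cls in classes for _ in range(min_of_each)]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the forced characters do not
    # all sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(password):
    """Upper-bound strength estimate: log2(pool size) per character, where the
    pool is the union of the character classes present. Dictionary words and
    patterns are weaker than this number suggests; it is a screening tool."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(entries, min_bits=80):
    """Report reused passwords and weak ones, as the security check does.
    entries is a list of (site, password) tuples."""
    sites_by_password = defaultdict(list)
    for site, password in entries:
        sites_by_password[password].append(site)
    duplicates = {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}
    weak = [(site, round(entropy_bits(pw))) for site, pw in entries
            if entropy_bits(pw) < min_bits]
    return duplicates, weak


# Constructed sample vault (no real credentials) to show what the audit flags.
SAMPLE_VAULT = [
    ("amazon.example", "Tr0ub4dor&3"),
    ("bank.example", "Tr0ub4dor&3"),
    ("mail.example", "correct horse battery staple"),
    ("forum.example", "hunter2"),
]

if __name__ == "__main__":
    print("generated:", generate_password(25))
    reused, weak = audit_vault(SAMPLE_VAULT)
    for pw, sites in reused.items():
        print("reused on", ", ".join(sites))
    for site, bits in weak:
        print(f"weak: {site} (~{bits} bits)")
```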

If you follow these instructions, your passwords should be secure for the most part. It’s a lot of work, but the next time one of your passwords is compromised, you’ll be pretty happy. (I haven’t had a website lose my password information yet, but I have accidentally pasted my password into a live chatroom, twice. It’s a pain when you only use a couple of passwords and have to change them all in an afternoon.)

Next week I’ll talk about increasing the security on your LastPass account itself, as well as some more things you can do with LastPass (filling forms and storing software license keys). Additionally, I’ll discuss how to back up the contents of your LastPass account.

After the LastPass stuff is done, I’ll continue with security and talk about what you should do if one of your accounts is hacked. I’ll also deal with how you can protect yourself from other attack vectors that may allow people to bypass your passwords entirely.

Comments, questions, and problems are welcome.

Why Passwords Are Getting Easier to Crack

I’m going to do a security series over the next couple of weeks, inspired by last week’s post. This week I’m taking a look at an Ars Technica article I read today, called “Why passwords have never been weaker — and crackers have never been stronger.”

It’s a long article, but if you have a few minutes, I highly recommend it, especially if you’re interested in security. The most important thing to take out of it, though, is that password cracking is making extremely rapid advancements–the past couple of years have brought nearly as much new information to the field as all the rest of cracking history combined.

This is due primarily to an increase in password databases being stolen and cracked, which gives both security analysts and malicious hackers a prime opportunity to see what kinds of passwords people use in the real world. As a result of all the information, password dictionaries have gotten orders of magnitude more effective, making choosing a good password more important than ever.

And get this: what you thought was a “good password” almost certainly isn’t. Here are a few things that the bad guys are onto now (mostly sourced from the Ars article, with a bit of personal opinion and other general consensus in security fields included):

  • You know those websites that make you include a number and a capital letter (and maybe a symbol) in your password? Turns out those requirements really do essentially nothing, except perhaps annoying users and making them more likely to write down their passwords or otherwise store them insecurely. Nearly all capital letters are the first character of passwords; nearly all numbers and symbols are at the end of passwords. Most of the time, people just capitalize the first letter and stick a ‘1’ on the end. If they’re feeling more clever, they might change an ‘e’ to a ‘3’ or a ‘t’ to a ‘1’–all those substitutions are in the dictionaries too.
  • Shifting your hands sideways on the keyboard or going around keyboards in patterns are in any good dictionary now, too. The same goes for spelling words backwards or both directions. If you’re not sure whether your password trick is secure, here’s my personal rule of thumb: If you think you’re being clever, you probably aren’t.
  • A $12,000 computer called “Project Erebus” can crack the entire keyspace for an 8-character password in just 12 hours when run on a database that has been stored poorly (which is, unfortunately, most of the companies involved in data breaches lately). That means if your password is 8 characters or less, this computer will always get it in 12 hours or less, no matter what it is. 8 characters used to be a secure password (it still was when I wrote about passwords in 2009); now 8 characters is a terrible password (though still a good sight better than 7 or 6 characters, since password strength increases exponentially with each additional character). This computer is not particularly special; anyone with a few grand to spare and a bit of computer smarts can put together a few graphics cards into a solid password-cracking machine nowadays.
  • Average desktop computers equipped with good graphics cards can test about eight billion passwords every second against a file of encrypted hashes (those are what you usually get when you steal a password database from a company).
  • The average Web user has 25 accounts but only 6.5 passwords. In my opinion, reusing passwords is even worse than using bad passwords. And that’s despite the fact that just about everybody reuses their passwords at least occasionally. That’s because if somebody gets your password from one site, no matter if it’s “hu!-#723d^*&/”!q4,” they can get into your other accounts as well. If you have a bad password and it gets cracked, at least the damage is confined to that one site (unless it’s your email account, as described at the very end of last week’s post).
  • A large number of passwords consist of first names (or worse, usernames) followed by years. There are now dictionaries of names pulled from millions of Facebook accounts which can be used with programs that try appending likely numbers (such as possible years of birth) until a match is found. A good graphics card can crack your password in roughly two minutes if you use this type of password.
  • A number of attacks depend on the companies that store your data being stupid. For instance, there’s an easily implemented technique called salting that makes cracking password databases far more difficult (and renders one shortcut, precomputed rainbow tables, useless). It’s been around for years. And yet Yahoo, LinkedIn, and eHarmony, among other major companies, were caught dead without it when they lost password databases recently. The same goes for using a proper password hash to protect the database: a deliberately slow hash can make a database essentially uncrackable (2,000 tries per second as opposed to several billion), but most services still choose a fast general-purpose one. Unfortunately, there’s not really anything you can do about this, other than contacting technical support and boycotting them if they don’t follow best practices (and given how bad the standards are, you can expect to end up using very few websites). You can, however, limit the possible damage by using a different password for every site, so that you lose less if one of your passwords is cracked.
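
The first, second and name-plus-year points above describe patterns that cracking dictionaries now cover. Here is an added example (not from the Ars article or this post) of the same knowledge applied on the defending side: a registration-time check that undoes the common mangling (leading capital, trailing digits or symbols, leet substitutions, reversal), then flags dictionary words, keyboard walks, and a first name followed by a year. The word lists, name list, substitution table and keyboard rows are small constructed samples standing in for real lists.

```python
import re

# Constructed sample lists; a real deployment would load full wordlists.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "football"}
FIRST_NAMES = {"sarah", "michael", "jessica", "david", "emily"}

# Common "leet" substitutions, mapped back to the letter they replace.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Keyboard rows used to spot runs of adjacent keys ("walks") in either direction.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def normalize(password):
    """Undo the mangling the article says crackers try first: trailing digits
    or symbols, leet substitutions, and a capitalised first letter."""
    core = re.sub(r"[\d\W_]+$", "", password)   # strip trailing numbers/symbols
    return core.translate(LEET).lower()         # undo leet, ignore capitalisation


def is_keyboard_walk(text, min_len=4):
    """True if `text` is a run of at least min_len adjacent keys along one row."""
    t = text.lower()
    if len(t) < min_len:
        return False
    return any(t in row or t in row[::-1] for row in KEYBOARD_ROWS)


def weak_pattern_reasons(password):
    """Return the list of known-weak patterns the password matches ([] if none)."""
    reasons = []
    core = normalize(password)
    lower = password.lower()
    if core in COMMON_WORDS or core[::-1] in COMMON_WORDS:
        reasons.append("dictionary word (capitalised, leet-substituted or reversed) plus trailing digits/symbols")
    if is_keyboard_walk(core) or is_keyboard_walk(lower):
        reasons.append("keyboard walk")
    m = re.fullmatch(r"([a-z]+)((?:19|20)\d{2})", lower)
    if m and m.group(1) in FIRST_NAMES:
        reasons.append("first name followed by a year")
    if len(password) <= 8:
        reasons.append("8 characters or fewer: the whole keyspace can be brute-forced")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Qwerty123", "Sarah1987", "drowssaP", "T7#kq!Vn2@zLp9"]:
        print(f"{candidate:16s} -> {weak_pattern_reasons(candidate) or 'no weak pattern found'}")
```

A check like this belongs beside, not instead of, a minimum length and a breached-password list; it exists to catch exactly the “clever” tricks the post warns about before they reach the database.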
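
The keyspace, guess-rate and salting points above, worked through in Python as an added example (not the post’s own code and not any named company’s implementation): the worst-case guess budget for an n-character password at the two rates the post quotes (about eight billion per second against a fast hash, about 2,000 per second against a slow one), a weak store that uses one fast unsalted hash (so every user with the same password shares a digest and one precomputed table covers them all) beside a store that uses a per-user random salt and an iterated PBKDF2 hash. The 95-character printable-ASCII alphabet, the iteration count and the record layout are assumptions for this example.

```python
import hashlib
import hmac
import os

# Guess rates quoted in the post: a GPU desktop against a fast hash versus a
# deliberately slow hash.
FAST_HASH_RATE = 8e9
SLOW_HASH_RATE = 2e3
PRINTABLE_ASCII = 95   # keyspace per character (assumption for the estimate)


def seconds_to_exhaust(length, rate, alphabet=PRINTABLE_ASCII):
    """Worst-case seconds to try every `length`-character password at `rate` guesses/s.
    Each extra character multiplies the cost by the alphabet size: exponential growth."""
    return alphabet ** length / rate


def hours(seconds):
    return seconds / 3600


def years(seconds):
    return seconds / (3600 * 24 * 365)


# --- the weak scheme the post criticises: one fast hash, no salt ---
def weak_store(password):
    """Unsalted SHA-1 (a stand-in for any fast general-purpose hash). Identical
    passwords give identical digests, so one rainbow table or one cracked hash
    covers every user who chose that password."""
    return hashlib.sha1(password.encode()).hexdigest()


# --- the scheme the post asks for: per-user salt plus a slow, iterated hash ---
PBKDF2_ITERATIONS = 600_000   # assumption for this example; tune to your hardware


def strong_store(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for n in (6, 7, 8, 9, 10, 12):
        fast, slow = seconds_to_exhaust(n, FAST_HASH_RATE), seconds_to_exhaust(n, SLOW_HASH_RATE)
        print(f"{n:2d} chars: fast hash {hours(fast):>16,.1f} h   slow hash {years(slow):>20,.1f} y")
    print("unsalted digests equal:", weak_store("hunter2") == weak_store("hunter2"))
    r1, r2 = strong_store("hunter2"), strong_store("hunter2")
    print("salted records equal:", r1 == r2, "| verify ok:", verify("hunter2", r1),
          "| wrong password:", verify("hunter3", r1))
```

Storing the iteration count in the record lets a site raise it later for new logins without invalidating old ones, and the constant-time comparison avoids leaking how many leading bytes of a guess were right.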

Now is a good time to remind yourself that two-factor authentication would help prevent anybody from logging into your account even if they cracked your password, isn’t it? Next week I’ll be back with some practical tips for making and using better passwords.