Surprise! Passwords Are (Still) Weak Link in Security Chain

Despite predictions that the password will fade into obscurity, and the rise of alternative authentication methods such as fingerprint scanners, the username and password are still the default method of accessing secure accounts and information. Unfortunately, weak passwords and poor password practices mean that in many cases the password isn't providing very good protection.

A survey conducted on behalf of Webroot uncovered some concerning--yet not all that shocking--details about passwords. It would be nice to say that the survey results are startling, but the reality is that surveys such as this show year after year that users continue to follow the same poor password practices, and that passwords continue to be a weak link for computer and information security.

Passwords as Achilles' Heel

Passwords are the primary keys to the digital kingdom, yet users show consistently poor judgment when creating and managing them.
Webroot found that the most commonly used password-protected sites or resources are banks (88 percent), personal e-mail accounts (86 percent), and Facebook (72 percent). In other words, the vast majority of users rely on passwords to protect very sensitive financial and personal information.

But, the Webroot survey also found that:

• 4 in 10 respondents shared passwords with at least one person in the past year.

• Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised.

• Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.

• 2 in 10 have used a significant date, such as a birth date, or a pet's name as a password--information that's often publicly visible on social networks.

Reality Distortion Field

Webroot also uncovered a significant contradiction between how secure users believe their passwords are, and the reality demonstrated by their password practices. While half of the respondents believe their passwords are either very or extremely secure, the survey found that:

• 86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers.

• 14 percent never change their banking password.

• 20 percent have used a significant date in a password.

• And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer.

Secure Passwords Are Easy

1. Don't use personal information. Details like your wife's name, your oldest child's birth date, the car you drive, or the name of your dog can be learned through casual conversation or discovered with a simple Google search.

2. Mix it Up. Don't use any word that can actually be found in the dictionary. You can mix things up by substituting special characters for actual letters to create more secure passwords. For example, rather than using "pepperoni", you can use "p3PP3r0n!". The base word will still be easier for you to recall, but cracking "p3PP3r0n!" will take significantly more time and effort than the trivial dictionary attack it would take to crack "pepperoni".

3. Use a Passphrase. Some password cracking tools are sophisticated enough to infer the obvious character substitutions. In other words, after exhausting the dictionary words, the password cracking tool will move on to trying all dictionary words with standard character substitutions applied--meaning even "p3PP3r0n!" might not take long to fall. Try using a sentence you can remember, like "I love to eat pepperoni pizza with extra cheese," but take the first letter of each word and apply some special characters. Using this example, your password could be "!L2eppwXc".

4. Protect Your Passwords. Never share your password. No, I did not say be cautious or show discretion when sharing your password. I said NEVER share your password. No reputable vendor or site will ever ask you to divulge your password. They might reset it to some default for troubleshooting purposes, but nobody should ever ask you what your password is. Your password is personal and private and is just for you. Any time someone asks you to share your password, think of it as if they said "go stand naked in the middle of a busy intersection". If you wouldn't be willing to do that, then don't share your password.
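The four rules above, turned into a small Python password checker. This is an added example, not code from the article or from Webroot: it flags passwords that are dictionary words, dictionary words hiding behind the standard substitutions step 3 warns about, or that embed a name or significant date, and it builds a passphrase-derived password the way step 3 describes. The word list, the substitution table, the minimum length, and the sample name and date are all constructed for the example.

```python
import re
from datetime import date

# Constructed stand-in for a real wordlist; a deployed checker would load a
# full dictionary (assumption), not this handful of words.
COMMON_WORDS = {"pepperoni", "pizza", "cheese", "password", "welcome", "dragon", "letmein"}

# Substitutions the article notes crackers already try ("3" for "e", "0" for "o", ...).
# Undoing them before the dictionary lookup is what catches "p3PP3r0n!".
LEET_TABLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i"})

SPECIAL_CHARS = set("!?&#$%@^*()-_=+[]{};:,.<>/\\|~`'\"")

# Minimum length is this example's own assumption; the article does not give one.
MIN_LENGTH = 8


def normalize_leet(password):
    """Lower-case the password and undo the common character substitutions."""
    return password.lower().translate(LEET_TABLE)


def date_fragments(d):
    """Digit strings a user might embed from a significant date (year, mmdd, ddmmyyyy, ...)."""
    fmts = ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y")
    return {d.strftime(f) for f in fmts}


def assess_password(password, personal_terms=(), important_dates=()):
    """Return a list of finding codes; an empty list means the password clears every rule."""
    findings = []
    lowered = password.lower()
    normalized = normalize_leet(password)

    if len(password) < MIN_LENGTH:
        findings.append("too_short")

    # Rule 1: no personal information (names, significant dates).
    if any(term.lower() in lowered for term in personal_terms if term):
        findings.append("personal_term")
    if any(frag in password for d in important_dates for frag in date_fragments(d)):
        findings.append("personal_date")

    # Rule 2: not a dictionary word ...
    if lowered in COMMON_WORDS:
        findings.append("dictionary_word")
    # ... and not a dictionary word behind standard substitutions (the caveat in rule 3).
    elif normalized in COMMON_WORDS:
        findings.append("leet_dictionary_word")

    # Rule 2 also asks for at least one special character.
    if not any(c in SPECIAL_CHARS for c in password):
        findings.append("no_special_character")

    return findings


def passphrase_initials(sentence, word_symbols=None):
    """Build a password from the first character of each word, swapping whole words
    such as "I" and "to" for a symbol or digit, as in the article's "!L2eppwXc".
    (The article also hand-capitalizes a few letters; that step is left to the user.)"""
    if word_symbols is None:
        word_symbols = {"i": "!", "to": "2", "for": "4", "and": "&", "at": "@"}
    return "".join(word_symbols.get(w.lower(), w[0])
                   for w in re.findall(r"[A-Za-z']+", sentence))


if __name__ == "__main__":
    derived = passphrase_initials("I love to eat pepperoni pizza with extra cheese")
    for pw in ("pepperoni", "p3PP3r0n!", derived):
        print(f"{pw!r:14} -> {assess_password(pw) or 'ok'}")
    # Constructed personal details: a pet's name and a birth date.
    print(assess_password("Rex07121985!", personal_terms=["Rex"],
                          important_dates=[date(1985, 7, 12)]))
```

Running it shows the progression the article describes: "pepperoni" fails as a plain dictionary word with no special characters, "p3PP3r0n!" still fails once the substitutions are undone, and the passphrase-derived "!l2eppwec" clears every rule. The checker only looks for the patterns the article names; it is a policy gate, not a strength estimator.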
