Fragile: Passwords May Be Cracked or Broken

Sometimes when you buy something breakable--like a crystal vase, or a big screen TV--the box is plastered with stickers alerting you in bright red letters that the contents are “fragile”. Perhaps we need to start putting those notices on computers and mobile devices as well.

To be fair to passwords, most users still don’t follow basic practices that have been drilled for years. The mantra of choosing long, complex passwords that can’t be easily guessed or cracked has been repeated time and time again. Everyone knows that they’re supposed to choose passwords made up of uppercase and lowercase letters, numerals, and special characters.

The problem is, many people still just don’t get it, or don’t care. Microsoft revealed in its most recent Security Intelligence Report that 92 percent of the Conficker infections still plaguing Windows PCs are a result of weak passwords. Millions of PCs are being compromised because people continue to use “1234”, or “password”, or other equally silly, and easily guessed passwords to “protect” their systems.

But there are no guarantees even for users who choose a 17-character password made up of a mish-mash of characters that are pure gibberish and wouldn’t be guessed in a million years. Even a great password is often still the weakest link in the security chain because it is generally the only key preventing unauthorized users from accessing a device or viewing data.

For example, some Mac OS X users with very complex passwords are still at risk. Security researcher David Emery uncovered a flaw in Apple’s Mac OS X that may expose passwords in certain scenarios. Mac OS X 10.7.3--the latest update for Mac OS X Lion--may be storing passwords in clear text for anyone to see. A developer apparently left a debug flag enabled that captures and stores logon passwords in clear text in a debug log file.

Does that mean users should give up and not even try to choose complex passwords? Absolutely not. Flaws like the one discovered in Mac OS X are not that common, and as long as people continue to use weak passwords attackers won’t have the incentive to develop more sophisticated attacks. The “1234” and “password” passwords will remain the low-hanging fruit, and if you just choose a reasonably complex password and never share it with others you should be relatively secure.

To take it a step further, you should also use unique passwords for the various sites and services you use. If you use the same password everywhere and it does somehow get exposed or compromised, the attacker would have the key to everything. If you use a different password for each site, you can contain the damage.
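As an added example (not from the article), a small Python checker that applies the composition advice above and the one-password-per-site rule: it flags the guessable passwords the article names, estimates the guessing space of a 17-character mixed password, and reports any password shared across several sites. The common-password list and the sample credentials are constructed for the demonstration, and the thresholds (12 characters, 3 of 4 character classes) are assumptions, not a published standard.

```python
import math
import string
from collections import defaultdict

# Constructed list of guessable passwords, modelled on the ones the article names.
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "qwerty", "letmein"}

def character_classes(pw):
    """Return which of the four recommended character classes a password uses."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }

def estimated_entropy_bits(pw):
    """Rough guessing-space estimate: log2(alphabet size) per character, where the
    alphabet is the union of the classes actually used (ignores dictionary structure)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[k] for k, used in character_classes(pw).items() if used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def assess_password(pw, min_length=12, min_classes=3):
    """Classify a password as 'weak' or 'acceptable' and list the reasons (assumed thresholds)."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    used = sum(character_classes(pw).values())
    if used < min_classes:
        reasons.append(f"only {used} of 4 character classes")
    return {"password": pw, "entropy_bits": round(estimated_entropy_bits(pw), 1),
            "verdict": "weak" if reasons else "acceptable", "reasons": reasons}

def find_reused(credentials):
    """Given {site: password}, return passwords shared by more than one site,
    i.e. a single exposure that would unlock several accounts."""
    by_password = defaultdict(list)
    for site, pw in credentials.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}

if __name__ == "__main__":
    # Constructed sample inputs: two weak passwords and a 17-character mixed one.
    for candidate in ("1234", "password", "k9#Vq2!mLp7$Xz8Rw"):
        print(assess_password(candidate))
    print(find_reused({"mail": "password", "bank": "k9#Vq2!mLp7$Xz8Rw", "shop": "password"}))
```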

Incidents like the Mac OS X flaw illustrate, however, that passwords alone remain a security weakness. Two-factor authentication, which pairs the password with something physical like a USB key, or a PIN sent via SMS text message to a smartphone, is a more secure approach that would prevent an attacker from breaching your PC or accessing your data even with a compromised password.

Make sure you use strong passwords. Just be aware that a password alone can still be a fragile form of security.
