A study by Ofcom, the UK communications watchdog, has unearthed some appalling statistics which reveal just how badly the general public treat password security.
According to Ofcom’s “Adults’ Media Use and Attitudes Report 2013”, a poll of 1805 adults aged 16 and over discovered that 55% of them used the same password for most – if not all! – websites.
Why does this matter? Well, imagine you are a member of websites X, Y and Z – and you use the same password on each site. If X suffers from a data leak and their password database is accessed, or if hackers manage to work out your password for X, then the bad guys will not only have access to your X account, but Y and Z as well!
If that weren’t scary enough, just over a quarter (26%) said that they tend to use easy-to-remember passwords such as birthdays or people’s names, opening the door for their online accounts to be hacked into by criminals.
It’s worrying that so many people are making life so easy for cybercriminals and identity thieves, when it’s actually remarkably simple to make strong password security a part of your everyday life.
In my experience, many people say that the reason they use the same password in multiple places, or choose passwords that are easy to guess or crack, is because they believe it’s too difficult to remember different passwords for different websites – especially if they’re being forced to use non-dictionary words or throw some funny characters into the mix.
And you know what, they’re right. It *is* too hard to remember lots of passwords – even if you use a system like the ones in the following video:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
And that’s why the video also recommends using password management software – sometimes known as a password vault – like 1Password, KeePass and Lastpass.
Password management software can remember all your hard-to-crack passwords for you (they can even generate them to make sure they’re super complex), and store them securely behind one master password.
Just make sure that your master password is really strong and not one that you’ll forget (use the video above to help you create one).
Take care out on the net, and fix your passwords today!
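The X/Y/Z scenario above is exactly what a password manager makes easy to find and fix. The following is an added illustration, not code from the article or from any of the products it names: it audits a small constructed vault for reused passwords, shows which other logins one leak would expose, and replaces each reused password with a fresh random one drawn from the OS CSPRNG (the way a manager's generator does). The site names and passwords are constructed sample data.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault: the "X, Y and Z" situation from the article,
# plus two accounts that already have their own generated password.
SAMPLE_VAULT = {
    "site-x.example": "Summer2013!",
    "site-y.example": "Summer2013!",
    "site-z.example": "Summer2013!",
    "bank.example": "K7#mq2!vLp9$wQ4e",
    "mail.example": "zR8@tN3&bY6^hJ1*",
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused(vault):
    """Group sites by password and return only the groups with more than one site.

    Comparing plaintext values is fine here: an unlocked password manager
    already holds every password in the clear."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def exposure(vault, leaked_site):
    """Every site whose login falls if leaked_site's password becomes known."""
    leaked = vault[leaked_site]
    return sorted(site for site, pw in vault.items() if pw == leaked)


def generate_password(length=16, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (secrets), as a manager's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fix_reuse(vault, length=16):
    """Return a copy of the vault in which every site has its own password.

    Every site in a reused group gets a new password: the old shared one is
    treated as burned, so it is not kept anywhere."""
    fixed = dict(vault)
    for _, sites in find_reused(vault).items():
        for site in sites:
            new_pw = generate_password(length)
            while new_pw in fixed.values():  # vanishingly unlikely, but keep uniqueness strict
                new_pw = generate_password(length)
            fixed[site] = new_pw
    return fixed


if __name__ == "__main__":
    for pw, sites in find_reused(SAMPLE_VAULT).items():
        print(f"password shared by {len(sites)} sites: {', '.join(sites)}")
    print("leak of site-x exposes:", exposure(SAMPLE_VAULT, "site-x.example"))
    print("after fix, reused groups:", find_reused(fix_reuse(SAMPLE_VAULT)))
```

`exposure()` is the whole argument of the article in one line: with a shared password the answer is X, Y and Z; with unique passwords it is only the site that leaked.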
Image of Man wearing dunce hat courtesy of Shutterstock.
Until the OS's have great complex password generation and management for everywhere a password is set and this is enforced
And what if someone hacks into the password vault? There's a million what if scenarios and you can't prevent them all. I do not see an issue with having most of your passwords the same as long as it is a complex password.
You don’t want a skeleton key to your life… Just because my e-mail gets hacked, doesn’t mean my bank / Amazon / Xbox Live / Facebook gets hacked also… At least make it hard for people to steal your identity, good security measures are the only thing you have to protect yourself.
Yup, it'll even make it less secure considering the statistic was for people using the same password for most, but not all sites. That means they use 2 or 3 in total probably. So the master password makes it easier to access every account you have.
I guess the theory goes that you can protect the vault on your machine, or more that you control it. Whereas if 1 shoddy website (I have worked out that some big websites with NO encryption) then everything can automatically be tried later on.
If your complex password is stored in plain text on a website that is cutting corners, and that website falls to a SQL injection attack, suddenly your complex password is an easy to use key to all your other sites.
However, there's an answer: use contextual passwords. Have a basic passphrase of some sort, and modify it based on the context of where you're using it.
In the simplest form, you can use a phrase like "I went to nakedsecurity and all I got was this 1000-character password!" as the basis for your password. It's got upper and lower case, punctuation and numbers. Easy to remember, and each password will be different.
Of course, this will be obvious to anyone actively trying to compromise your other accounts who gains access to one of these passwords. So you can always add some layer of obfuscation, such as salting the phrase (with "1337" speak or similar), shifting your fingers on the keyboard (works for smartphones too, as long as you use the same key layout) or some other method. You can also make the phrase into an acronym for sites that require a short password (8 characters is pretty standard, even though it's not really all that secure anymore).
Or, you can take all of these and combine them with Graham's technique in the video; add some context before generating your password; change the context, and the generated password changes too.
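The comment above describes the cutting-corners site that stores passwords in plain text, so that one dump turns a strong password into a key for every other site. As an added example (not code from the article or from the commenter), here is the plaintext table beside the form a careful site keeps instead: a per-user random salt and PBKDF2-HMAC-SHA256, verified with a constant-time comparison. The username, password and iteration count are constructed sample values; the iteration count is a placeholder to be tuned for real hardware.

```python
import hashlib
import hmac
import os

# Constructed sample "user table" as the cutting-corners site keeps it:
# a dump of this hands an attacker the password itself.
PLAINTEXT_TABLE = {"alice": "correct horse battery staple"}

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; measure on your own servers)


def hash_password(password, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; the result is what the site stores instead of the password."""
    salt = os.urandom(16)  # fresh per user: equal passwords still yield different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare without early exit."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leaked_value(table, user):
    """What a dump of a given table hands an attacker for one user."""
    return table[user]


if __name__ == "__main__":
    hashed_table = {"alice": hash_password(PLAINTEXT_TABLE["alice"])}
    print("plaintext site leaks:", leaked_value(PLAINTEXT_TABLE, "alice"))
    print("hashing site leaks:  ", leaked_value(hashed_table, "alice"))
    print("login ok:", verify_password("correct horse battery staple", hashed_table["alice"]))
```

Note what the salt buys: the same password registered on two such sites produces two unrelated records, so even matching dumps cannot be cross-referenced. It does not buy safety for a weak password, which a cracker can still guess offline, so the hashing protects the user only as far as the password itself is hard to guess.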
Personally, I use different complex passwords for the things that matter like bank accounts, Facebook, and email, but the majority of sites get my boilerplate password because it's simply not worth the trouble.
Same here. If I need to register on a technical forum to ask a one-off question about a product then I don't think my life will be significantly worse if a couple of years down the line somebody gets into that forum and pretends to be me. The personal details they would find would be the same as on the site they compromised to get my password (except for the email address, which is likely to be a disposable one). The worst that might happen is that I get thrown off a forum I'm not using. Sites that *matter* — banking, email, anything that needs my credit card details and so on — get strong passwords generated by keepass (unless they won't actually *allow* strong passwords, in which case I try not to use them). But I've given keepass a long complex password, so it would be a nuisance having to go into it for every insignificant web site.
"And what if someone hacks into the password vault?"
Continuing with the "what if" theme, what if your complex password gets intercepted? All it takes is one successful man in the middle attack, and you're boned.
Some time ago I realized that it was simply foolhardy to use a single password for multiple sites. There's no way I can remember a different password for every site, so I started using KeePassX, and began the gradual process of setting a unique password for every site I visit.
By now, any site I’ve visited within the last couple of years has its own password, and all the passwords are stored in a key file. The key file is protected by a VERY complex password, and the password entry field is demonstrably immune to keylogging.
Besides, no one else has access to my computers. The likelihood that someone is going to hack into any key file is small enough that I don't worry about it. That wasn't true when I was using a single password for every site I visit, which is why I discontinued that worrisome practice.
I'm a little guilty of this. A lot of sites make me log in, but aren't all that crucial to me (tracking exercise, tracking carpooling, news sites or blogs that let me leave comments, etc.). I use the same password for a lot of these sites.
If somebody figures out the password I use for all these sites, they could enter data or post comments using my account, but I don't see a lot of harm in that.
I use distinct passwords for banking, email, social networking, etc. because somebody could do a lot of harm if somebody used them.
The password problem is a tough nut to crack. On one hand, you could use a different password for every site you frequent – but this is horribly inconvenient and users won't abide. On the other hand, you could just use the same insanely strong password across all of your online identities, and while it would be harder to crack, as soon as one of those sites' credential database is hacked, you're completely exposed.
The answer to the password problem is not passwords – instead you should supplement your password with a second factor (2FA). Of course, 2FA is a pain in the ass and most 2FA solutions (Google Authenticator, PINs texted to your phone, etc.) are still susceptible to man in the middle and man in the browser attacks. The real solution must go beyond the security of traditional 2FA and deliver a user experience that doesn't modify consumer behavior. If you can do that, then you can actually solve the password problem.
www.toopher.com
We're always interested in constructive questions and feedback.
Thanks,
JDA
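The second factor the comment above refers to (Google Authenticator and similar apps) is TOTP, the time-based one-time password of RFC 6238 built on HOTP (RFC 4226). As an added example, not code from the article, the commenter or any product, this is the full construction in standard-library Python, checked against the RFC's own test vectors, plus the server-side check a verifier needs: a small time window and a rule never to accept the same time step twice, so a code that was captured and already used is worthless. The secret below is the RFC's published reference key, not a real one. This also makes the comment's limitation concrete: the code is a bearer value for its thirty-second step, so a relay that forwards it within that step still passes; the replay rule only stops a second use.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (20 ASCII bytes) used by the RFC's SHA-1 test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: accept a code from the current step or its neighbours (clock skew),
    and never accept a step at or before the last one that succeeded."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_step = -1  # highest time step already consumed by a successful login

    def verify(self, code, unix_time):
        current = int(unix_time) // self.step
        for offset in range(-self.window, self.window + 1):
            candidate_step = current + offset
            if candidate_step <= self.last_step:
                continue  # replay of an already-used code, or older than one
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)
    verifier = TotpVerifier(RFC_SECRET)
    print("code now:", code, "accepted:", verifier.verify(code, now))
    print("same code again:", verifier.verify(code, now))  # False: replay
```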
People who use the same password for "most" websites are probably distinguishing intelligently between sites they care a lot about (bank accounts, etc) and less important sites (e.g. espn). You have to evaluate the cost (time, inconvenience etc.) of lots of hard to remember passwords against the potential cost of a compromised password. Password management software also has a cost too – especially if you work on lots of different machines in different locations with different operating systems.
The technique I use myself I've been using to generate passwords for 20 years (right after taking my first information security course) and I've yet to either re-use a password in any of the thousands of places that have required them, or forget a password for any of these places. I've had to create a few variations to deal with compromised sites that need new passwords, or places that require passwords to change on a regular basis, but context still works for both of these — and the end result is that I can always figure out an old password in less than 4 attempts, and can generate these on the fly in my head.
The bigger risk, to me, is "password recovery" systems used by websites and service providers: you should also ensure that you never use the same answers on multiple sites, and that you never provide information that can be discovered via other means.
The best way to accomplish this in my opinion is to just choose a random challenge question, but have the answer totally unrelated; use the same context-based method used for password generation to generate your challenge response. So, for a question such as "What is your mother's maiden name?" you could put a response of "618332337485636199365343209623" (see if you can spot what I did there). That way, all your responses differ, and none give away personal information that could be used against you elsewhere.
Does your system work when the site places onerous restrictions on the password that can be used? I had to use a site recently that required that the password be between 6 and 8 characters long (far too short for a secure password, in my opinion), had to contain at least one lower case character, at least one upper case character, at least one digit and at least one character from a very small set of special characters. I reckon those restrictions lower security still further, by reducing the search space for crackers and making sure that the password will not be memorable so it will have to be written down. Fortunately keepass lets me set those rules for its password generator, so it's "written down" in a secure place, but I'd be interested to know a human password generation technique that would deal with cases like that.
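The comment above makes a claim that can be worked out exactly: a "6 to 8 characters, one of each class" rule shrinks the search space, because every string that lacks a required class is excluded. As an added example (not code from the article or the commenter), the block below counts the permitted strings by inclusion–exclusion, converts that to bits, and implements a generator of the kind the comment credits KeePass with, producing passwords uniformly from exactly the set that was counted (by rejection sampling from the OS CSPRNG). The special-character set is a constructed eight-symbol set, since the comment does not name the site's; the policy function and names are this example's own.

```python
import math
import secrets
import string
from itertools import combinations

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*"  # constructed "very small set"; the comment does not say which
CLASSES = [LOWER, UPPER, DIGITS, SPECIAL]


def count_with_all_classes(length, class_sizes):
    """Strings of this length over the union alphabet that contain at least one
    character from every class. Inclusion–exclusion over the excluded classes."""
    total = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for excluded in combinations(class_sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


def policy_keyspace(min_len, max_len, class_sizes):
    """Total permitted passwords across all allowed lengths."""
    return sum(count_with_all_classes(n, class_sizes) for n in range(min_len, max_len + 1))


def bits(n):
    return math.log2(n)


def satisfies_policy(pw, min_len, max_len, classes=CLASSES):
    return min_len <= len(pw) <= max_len and all(any(c in cls for c in pw) for cls in classes)


def generate_policy_password(min_len, max_len, classes=CLASSES):
    """Uniform over the policy set: draw a uniform string over the union alphabet
    and retry until it satisfies the policy (rejection sampling)."""
    rng = secrets.SystemRandom()
    alphabet = "".join(classes)
    while True:
        length = rng.randint(min_len, max_len)
        pw = "".join(rng.choice(alphabet) for _ in range(length))
        if satisfies_policy(pw, min_len, max_len, classes):
            return pw


if __name__ == "__main__":
    sizes = [len(c) for c in CLASSES]
    unrestricted = sum(sum(sizes) ** n for n in range(6, 9))
    restricted = policy_keyspace(6, 8, sizes)
    print(f"6-8 chars, any mix:        {bits(unrestricted):.1f} bits")
    print(f"6-8 chars, one of each:    {bits(restricted):.1f} bits")
    print("example:", generate_policy_password(6, 8))
```

The counted set and the generated set are the same set, which is why the entropy figure printed is the true figure for this generator; a "pick one from each class, fill the rest, shuffle" generator would be slightly non-uniform over that set.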
Yes; my system does work in such cases. Of course, back when I started using it, the restrictions you describe were the standard, so generating such a password became the core of my overall password.
Here's one "simple" way to generate such a password:
Take a memorable phrase, poem, or out of date trivia (old street address, lyric from a song, something that sticks in your head). This will never be written down anywhere.
Second, take some context from what you're generating the password for: online, the site's TLD usually works well.
Third, take a collection of non-standard characters; punctuation as found at the top of a qwerty keyboard often works well.
Fourth, take another unforgettable phrase.
Now, using these factors, you can generate an easy to remember password (might need to write things down to work it out the first few times, but repetition gets this process into your head pretty fast, as you're using it for ALL passwords).
Let's build a password:
Take the TLD or other context word, and count the number of letters. Or, add the numeric value of the first and last letter together, or do some other manipulation on the word that gives you a numeric value.
Count that many characters into your first memorable phrase, and type the first three letters as the first letters of your password. Make the letters a combination of upper and lowercase that you will always use. Cuts down on the keyspace, but makes remembering passwords much easier.
Next, find the numeric key that is above the first letter of your context word and type that in. For sites that don't allow numbers, just shift down to the top line of your keyboard and type that instead.
Next, do the same with the numeric key that is above the last letter of your context word.
Next, choose a way of selecting a punctuation key; on many keyboards they're above a number, and you've already generated a few number combinations, so you can pick one of those to select your punctuation key.
That's the hard part. It gives you a 6-character string that you should be able to generate on the fly and should be relatively unique. This should be usable as the basis of almost any password policy, no matter how restrictive.
Next recall your second phrase from above. If you have password length restrictions, just start with your 5-character string and then start typing the phrase at the end until you hit the max length. If you have no restrictions, find an appropriate place to insert the 5-character string in the phrase, and type away.
The one other thing to do here (and it's a really good idea to do this) is to provide some layer of obfuscation against cleartext analysis. The simplest thing to do is to shift your fingers on the keyboard while typing your phrase — either left or right or up or down, or a combination of these. If you touch type, this becomes really easy, as you can still type as usual, but the resulting words don't make sense. It won't stand up to any crypto analysis, but it also won't stand out like a sore thumb (and the 6 characters will still protect from any but the most determined attempts to crack your other passwords, even if the attacker read my post here).
Using this method, I could take the following:
memorable 1: "cryptographyisdifficult"
memorable 2: "row your boat gently down the stream"
context: "nakedsecurity" (13 characters, first n, last y)
The resulting passphrase could look like:
iSd66#tpe upit npsy hrmy;u fpem yjr dytrs,
If you have to create a new password, say every 6 months, there are a number of ways you can incorporate this. The simplest is to append the start date or expiry date (expiry recommended as you may not recall when you started using the password, but you'll get prompted when it's going to expire) to the passphrase, but this defeats almost all added security you'd gain. Instead, try doing something like converting the expiry to a number (131, 132, 141, 142, etc.) and use that to affect your password in some way that's easy to do in your head/on your keyboard, say, using it as character mapping to one of your three keys, or doing a character selection on your keyboard.
The only downside I've found to using this method is that it can become difficult to recall the password on a keyboard layout that you're unused to.
Think of this as a list of guidelines for building your password generator; my method isn't exactly the same as this, and yours should probably be different too — adapt it to something you can remember, but that doesn't decrease the pool of possibilities too much for someone who doesn't know your secret phrases.
I know I'm really boring about this, but the problem is the IT, not the people. Nobody – absolutely nobody (unless they work in IT security) has the space in their head to create and remember dozens of passwords. It's a lot of work to put your passwords into a vault and the banks would probably deny liability if one got hacked.
I live in a remote location where most of my stuff is ordered online. Together with the different workplaces I work which have passwords for access to the building, I've counted and I have 64 different passwords to 'remember'.
It's back over to you guys in IT. Fix it – you broke it by failing to anticipate that everyone involved in e-commerce – from the banks to the people who sell you candy – would start asking for a password.
IT is meant to serve us, not the other way round.
See my responses above — it's not a full solution, but I never write a password down (sometimes I end up writing my password context down if it's not obvious) and I use approximately 15 passwords day-to-day plus thousands of others on a less regular basis (some once every few years). I've had to reset my password roughly 5 times in the past 20 years, and those were for sites that enforced boneheaded randomly-generated usernames/accounts, and I forgot my username.
Hopefully the new trend for two-factor authentication will be a step in the right direction.
I agree with using a password management software. I recommend eWallet for iOS, Android, Mac, Windows. I've used it for years! I use the iPhone and Windows versions. I perform all my entries on my iPhone and they sync wirelessly, in seconds to my PC! I use a lot of custom created Contact cards and with their "Copy Card" function, I don't have to recreate the customization every time. I can simply copy a template I've created or copy an existing card, and I'm done! It even provides a password generator for you, if you wish to use it! eWallet Rocks and it has 256bit AES encryption!
Sophos, can you make a new video on passwords? I have many people tell me that it is too complicated for them to learn anything.
Thanks!
To me, the best way to handle this is for web sites to allow a PASS PHRASE. This is a complete sentence, obviously would need to be limited in length, but would also contain punctuation and spaces. Could also allow numbers and capital letters since sentences normally begin with capitals unless your name is ee cummings. An example could be: " If I call my dog, he comes. The cat, no way. " Or " I love 1968 Chevelles! " That sort of password would be easy to remember.
It can be worse than the article suggests.
In some cases the operator of site 'X' has open access to the usernames/passwords used on their own site. Knowing that the same people are likely to also be members over on site 'Y' which covers the same area of interest, it is trivial for the dodgy site owner to pop over and start trying logins.
Only (password) scheme I ever saw that stopped all this was for passwords to be randomly generated by the system.
Totally agree with posters above – we are well past the point where ordinary mortals can be expected to manage all this in their heads.
I have been using Last Pass and it generates a unique PW for each account or site. If I am using a computer other than my own or on wifi I use the virtual keyboard so key strokes are not generated for me to log in.
I have hundreds of emails and hundreds of passwords. They are all strong, not in any dictionary, mix alphanumeric and where allowed, symbols, but are easy to remember if you know the common but not obvious thread. Finding two that are sufficiently similar to figure out the underlying transformations would require a lot of luck and persistence. I am sure that given enough leaks, someone could do it if they really wanted to, but they could probably hack an awful lot of other accounts in the time it would take, so they are more likely to do that.
Two questions coming to mind…
1. What if the computer breaks (thinking of password managers)?
2. What if someone's connecting thru facebook on most sites (and thus making use of the same login on each of them)?
Another question…
3. What if the person who has memorized the passwords dies?
Now that passworded accounts have been in regular use for a number of years, this is becoming an actual issue.
And, making these issues far worse, a lot of applications and some sites don't allow paste in password fields. How can anybody use a good, mixed-character password without the convenience of being able to copy it from a password manager?
This is just outrageous!
I'd be interested in a thorough review of the various vault products. I used to use eWallet, but they flat out abandoned android users. (They may have since remedied that). I like b-folders, but I have no way to tell how secure they are.
I don’t see how someone who knows my password on a service X will know what services Y and Z I use. My *super* accounts GMail, Outlook and Facebook are all protected by different secure passwords. All other services are linked to either of those. Suppose I signed up for service ‘A’ through GMail and used a password ‘mysimplepassword’ for the a/c, and signed up for another service ‘B’ with the same password, what are the odds that the attacker, if he lays hands on the weak service ‘A’, will get to know the service ‘B’ I am using? Keep your primary E-Mail ID safe and all other logins should be safe if not will.