In 2009 a list of 32 million plain text passwords was exposed for the online games service RockYou.com.
So what? You probably weren’t signed up to RockYou.com, so why should you care?
It should go without saying that your passwords are valuable to criminals, either directly for identity theft, or as part of a large collection of compromised accounts that can be misused en masse in more subtle ways.
OK, but these were other people’s passwords, so why is it a problem?
Firstly, this huge list tells password crackers exactly what kinds of passwords real people choose, and it is still the standard wordlist that cracking tools are fed today. Secondly, it showed that most people’s passwords are rubbish. By rubbish I mean that they can easily be cracked. Most of the passwords were short, contained common words, and many of them were not unique, meaning that they were so obvious that more than one person had chosen the exact same password.
Other leaks involving high-profile sites like Yahoo! and LinkedIn contained “hashed” passwords. A hash is a one-way transformation, so the only way back to the plain text is to hash candidate passwords and compare the results with the leaked hashes. A human wouldn’t get very far with this, but computers excel at the task. What’s more, password cracking technology has been advancing apace, with expensive, yet home-made, machines able to try 6.2 billion passwords a second. (That sort of rate applies to fast, unsalted hashes such as the SHA-1 that LinkedIn used; a site that uses a deliberately slow hash cuts it by orders of magnitude, but you have no way of knowing which kind a site uses.) This kind of “brute-force” approach resulted in many of those leaked hashed passwords being cracked, leaving the accounts at the mercy of the crackers.
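To make the two points above concrete (identical passwords showing up as identical hashes, and a wordlist plus a few mangling rules recovering most of a dump), here is a small dictionary attack. This is an added example, not code from the original post: the five users, their passwords and the five-word list are constructed for the demo, and the hash is unsalted SHA-1 as in the LinkedIn dump. The `crack_salted` variant is included for contrast and shows why a per-user salt multiplies the cracker’s work by the number of accounts.

```python
import hashlib
import os
from collections import Counter


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form in which the 2012 LinkedIn dump stored passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1_hex(salt: bytes, password: str) -> str:
    """The same hash with a per-user random salt prepended."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


# Constructed users, not from any real leak.  Only the hashes below are handed to
# the cracker; the plaintexts exist solely to build the "leak" for the demo.
_SIMULATED_USERS = {
    "alice": "password",
    "bob":   "Bicycle2",
    "carol": "password",      # same choice as alice -> identical unsalted hash
    "dave":  "letmein1",
    "erin":  "9.-Xhd5u@y",    # random 10-character password, in no wordlist
}
LEAKED_HASHES = {u: sha1_hex(p) for u, p in _SIMULATED_USERS.items()}
SALTED_LEAK = {}
for _u, _p in _SIMULATED_USERS.items():
    _salt = os.urandom(8)
    SALTED_LEAK[_u] = (_salt, salted_sha1_hex(_salt, _p))

# Stand-in for a RockYou-style wordlist (real ones run to millions of entries).
WORDLIST = ["password", "bicycle", "letmein", "monkey", "qwerty"]


def mangle(word: str):
    """Cheapest rule-based variants every cracker tries: case changes and a trailing digit."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for digit in "0123456789":
            yield base + digit


def duplicate_hashes(hashes_by_user: dict) -> dict:
    """With no salt, identical hashes expose identical passwords before any cracking."""
    counts = Counter(hashes_by_user.values())
    return {h: n for h, n in counts.items() if n > 1}


def crack(hashes_by_user: dict, wordlist: list):
    """Dictionary attack on unsalted hashes.  Each candidate is hashed once and looked
    up against every target, so the cost does not grow with the number of accounts."""
    targets = {}
    for user, h in hashes_by_user.items():
        targets.setdefault(h, []).append(user)
    found, attempts = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            h = sha1_hex(candidate)
            for user in targets.get(h, ()):
                found[user] = candidate
    return found, attempts


def crack_salted(salted_by_user: dict, wordlist: list):
    """Same attack against salted hashes: every candidate must be re-hashed for every
    user, so the work multiplies by the number of accounts (no early exit, so the
    count is directly comparable with crack())."""
    found, attempts = {}, 0
    for user, (salt, h) in salted_by_user.items():
        for word in wordlist:
            for candidate in mangle(word):
                attempts += 1
                if salted_sha1_hex(salt, candidate) == h:
                    found[user] = candidate
    return found, attempts


if __name__ == "__main__":
    print("duplicate hashes:", duplicate_hashes(LEAKED_HASHES))
    found, n = crack(LEAKED_HASHES, WORDLIST)
    print(f"unsalted: cracked {len(found)}/{len(LEAKED_HASHES)} in {n} hash computations: {found}")
    found, n = crack_salted(SALTED_LEAK, WORDLIST)
    print(f"salted:   cracked {len(found)}/{len(SALTED_LEAK)} in {n} hash computations")
```

Four of the five accounts fall to 165 hash computations; only the random ten-character password survives, and it survives because it is in no list, not because of any cleverness in its construction. The salted run finds the same four but needs five times the work, which is why a site that salts its hashes buys its users time even after a leak.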
Worse, many LinkedIn and Yahoo! users had been using the same password on multiple sites. Crackers try leaked e-mail and password pairs against every other popular service, so one leak exposed every account sharing that password, and those users had to hurriedly change all of them.
What can a careful Internet user do?
We can’t control the security measures used by all the websites and services we use. In most cases we probably can’t even assess if their procedures are good enough.
What we can do is limit the potential damage. There are a few ways to do this:
- Use a unique password for every website you visit.
- Use strong passwords that are difficult to guess, even with powerful computers.
- Change passwords if you think yours might have been compromised, e.g. after using any untrusted networks (wireless or otherwise), or when a site you use announces a breach.
A strong password:
- Is at least ten characters long
- Is a randomly-generated combination of mixed-case letters, numbers and punctuation, chosen by a program rather than by you. (If you need to enter the password on a smart phone, it may be best to make it a little longer and avoid some punctuation, like curly brackets, that is awkward on phone keyboards.)
But strong passwords are hard to remember!
If remembering lots of really tough passwords sounds a bit of a pain, I have some suggestions to make it easier.
Firstly there are a number of free applications available which make creating and storing your passwords simple and secure.
For example, KeePassX will run on Windows, Mac OS X or Linux, and compatible apps can open the same database on a smart phone. When visiting a website you can simply copy and paste your unique, long, super-secure password from your encrypted KeePassX database into the website without having to remember it. I also use it to store personal details like my National Insurance and passport numbers.
You’ll need to take the small file with you or have it shared on a cloud-service such as Dropbox. Remember that this file is encrypted, so while you shouldn’t make it public, it will still be pretty secure should ne’er-do-wells get hold of it. The caveat is that anyone holding the file can try master passwords against it offline, at full speed and without any lockout, so its security is exactly the strength of whatever unlocks it.
Your encrypted database can be secured in a number of ways: with a key file (perhaps kept on a USB stick or CD), with a really strong password, or with both. Using both means that a copy of the database on its own, or the key file on its own, is useless to a thief.
So you still need to employ the grey cells to keep your information safe. Yes, but remembering one strong password is easier than remembering fifty. If you still find this impossible, it’s probably better to write it down somewhere inconspicuous rather than resort to a weak password you can remember. Most password cracking attempts come from online sources rather than the people around you.
So writing 9.-Xhd5u@y in the back of your diary is probably more secure than having Bicycle2 only in your head.
An alternative to passwords
If that still sounds too hard, you may appreciate the suggestion of the sometimes-serious webcomic XKCD, which suggested “pass-phrases”. Four randomly-chosen words are easier to remember than a string of random characters and, as the comic points out, much harder for a computer to guess than the “clever” passwords most people actually produce, such as a single word with letters swapped for numbers and a symbol on the end (XKCD’s example was Tr0ub4dor&3, which it rated at about 28 bits of guesswork against roughly 44 bits for four words from a 2,048-word list). Note that 44 bits is still less than the ten random characters recommended above, so use more words, or a bigger word list, if you want the same strength. XKCD’s example was:
correct horse battery staple
As long as the words really are random (picked by dice or a program, not by you), it’s a good pass-phrase. So no song lyrics or famous quotes! You can bet they’ll be in the crackers’ lists.
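The following generator covers both of the recipes on this page, the random ten-character password described under “A strong password” and the XKCD-style pass-phrase just above, and puts numbers on the comparison between them. It is an added example, not code from the original post or from XKCD: the alphabet follows the article’s recipe (mixed case, digits, punctuation without curly brackets), the 16-word list is a constructed stand-in, the 2,048 and 7,776 figures are the sizes of XKCD’s assumed list and the Diceware list, and the 6.2 billion guesses per second is the rate the article quotes, assumed here to be against a fast unsalted hash.

```python
import math
import secrets
import string

# The article's recipe: mixed-case letters, digits and punctuation, minus the
# curly brackets it suggests avoiding on phone keyboards (92 symbols).
PASSWORD_ALPHABET = (string.ascii_letters + string.digits
                     + string.punctuation.replace("{", "").replace("}", ""))

# Constructed 16-word list for the demo only.  A real pass-phrase should draw from a
# published list such as the 7,776-word Diceware list; see compare_schemes() below.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bridge", "candle", "dragon",
    "ember", "falcon", "garden", "harbor", "island", "jungle", "kettle", "lantern",
]

# Guess rate quoted in the article for a home-built cracking machine (assumed to be
# against a fast, unsalted hash; a slow hash such as bcrypt reduces it enormously).
GUESSES_PER_SECOND = 6.2e9


def entropy_bits(choices: int, length: int) -> float:
    """Bits of guesswork in `length` independent, uniformly random picks from `choices` options."""
    return length * math.log2(choices)


def random_password(length: int = 10, alphabet: str = PASSWORD_ALPHABET) -> str:
    """A password of the recommended form, drawn from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=SAMPLE_WORDLIST) -> str:
    """XKCD-style pass-phrase: the words are chosen by the machine, not by the user."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility offline at the given rate."""
    return 2.0 ** bits / rate


def compare_schemes() -> dict:
    """Entropy of the schemes discussed on the page, so the recommendations can be compared."""
    return {
        "10 random chars, 92-symbol alphabet": entropy_bits(len(PASSWORD_ALPHABET), 10),
        "4 words from XKCD's 2048-word list": entropy_bits(2048, 4),
        "4 words from the 7776-word Diceware list": entropy_bits(7776, 4),
        "4 words from this demo's 16-word list": entropy_bits(len(SAMPLE_WORDLIST), 4),
    }


if __name__ == "__main__":
    print("password  :", random_password())
    print("passphrase:", random_passphrase())
    for scheme, bits in compare_schemes().items():
        days = seconds_to_exhaust(bits) / 86400
        print(f"{scheme:45s} {bits:5.1f} bits  ~{days:,.1f} days to exhaust")
```

At the quoted rate a four-word pass-phrase from a 2,048-word list (44 bits) is exhausted offline in under an hour, four Diceware words (about 52 bits) in about a week, and the ten-character random password (about 65 bits) in a couple of centuries. All three are far beyond what online guessing against a rate-limited login can reach; the offline numbers are what matter once a site’s hash database has leaked, and they are why the words must come from a large list and a real random source.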
After what I’ve read on this subject I’m in the process of improving all my passwords. I encourage you to do the same!