January 10, 2017

Easy to Crack: Today’s Passwords Give Hackers a Pass-Through

Your passwords may be easier to hack than you think. But there’s a learnable art and science to keeping criminals out. 

One of the most disruptive events of the surprising 2016 election cycle was the release of troves of political surprises and embarrassments by WikiLeaks, actions some suspect to have been put in motion by the Russian government. Yet more so than the content, the most surprising element revealed in these dumps is the lax security habits seemingly common among our nation’s top officials.

John Podesta, Hillary Clinton’s campaign chairman, became a target of hackers after an aide emailed him his forgotten Apple iCloud password—exposing it to cyberspace. Hackers also breached Podesta’s Gmail account after he fell for a phishing expedition. After receiving an email warning him his password had been compromised, he clicked on a link that took him to a bogus Google login page where he created new credentials.

Podesta joins an ignominious slate of senior government officials and political operatives victimized by hackers over the last several years. Victims include CIA Director John Brennan, former Director of National Intelligence James Clapper, and Republican presidential candidate Mitt Romney.


Password Fiascoes

Exceptionally weak passwords are the culprit in many of these breaches. The Democratic National Committee apparently used passwords such as “obamain08” and “Obama-Biden-2012” at various times. A leaked email appears to show Podesta once used “p@ssw0rd” for authentication. These officials join the tens of millions of people who practically invite hackers into their confidential digital domain with sloppy password routines.

SplashData, a developer of password management software, annually compiles a list of the 25 worst passwords. Topping the list for 2015: “123456,” “password,” “12345678,” and “qwerty.” Other top contenders include “letmein” (No. 19), “login” (No. 20), and “welcome” (No. 11). The good news—if there is any—is that the percentage of people using these bad passwords is shrinking.

But bad habits aren’t. Fifty-nine percent of people use the same password over multiple domains. And while many digital sites require users to create longer passwords, many comply by using easily discernible keyboard patterns. These include “1qaz2wsx,” the first two columns of the keyboard, and “qwertyuiop,” the first row of the keyboard.

Digital Muscle at the Ramparts

Cheap computing power means passwords are easier than ever to crack. Sophisticated programs can run through character combinations with blinding speed. Hackers even outsource their password-cracking prowess to the cloud. Cracking strategies include dictionary attacks that run through lists of millions of words. Brute-force attacks cycle through letters, numbers, and special characters one at a time. These attacks attempt all combinations, building to increasing lengths until the password is found.

Users can secure their data by using longer, more complex passwords. Adding just one uppercase character and one special character to an eight-character password can change cracking times from days to centuries. But the problem with complex passwords is that people can’t remember them. What to do?

Avoid the Crack Attack

Security experts highlight a number of password dos and don’ts:

• Don’t use words
• Do use easy-to-remember phrases (a rhyme) shortened to long acronym strings
• Don’t use personal information such as names, birthdays, schools, mascots, or birthplaces
• Do insert numbers or special characters to represent letters
• Don’t use characters conforming to keyboard or numeric pad patterns
• Do insert random uppercase letters
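The checks behind these dos and don’ts, together with the brute-force arithmetic from the previous section, as an added example that is not from the article: it flags the weak passwords and keyboard patterns quoted above and estimates worst-case brute-force time from the character classes a password uses. The short bad-password list, the leet-speak mapping, and the guess rate of one million per second are assumptions, not figures from the article.

```python
import string

# Constructed sample of the bad passwords the article cites; a real checker
# would load a large breached-password corpus such as the full SplashData list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein",
                    "login", "welcome", "obamain08", "obama-biden-2012"}

# Substitutions crackers undo before a dictionary lookup, so "p@ssw0rd" is
# no stronger than "password" (assumed mapping, not from the article).
LEET = str.maketrans("@401357$", "aaoiesst")

# QWERTY rows plus the columns read top to bottom ("1qaz", "2wsx", ...): the two pattern shapes the article names.
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_COLUMNS = ["".join(col) for col in zip(*KEY_ROWS)]

def _keyboard_run(s):
    return len(s) >= 3 and any(s in seq or s in seq[::-1] for seq in KEY_ROWS + KEY_COLUMNS)

def is_keyboard_pattern(pw):
    """True when the whole password tiles into keyboard runs of three or more keys."""
    pw, n = pw.lower(), len(pw)
    ok = [True] + [False] * n            # ok[i]: pw[:i] tiles into runs
    for end in range(3, n + 1):
        ok[end] = any(ok[start] and _keyboard_run(pw[start:end]) for start in range(end - 2))
    return n > 0 and ok[n]

def charset_size(pw):
    """Alphabet a brute-force attacker must cover: the union of the classes used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def brute_force_seconds(pw, guesses_per_second=1e6):
    """Worst case for trying every string up to len(pw) over that alphabet.
    The guess rate is an assumption; real rates depend on the hash and hardware."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1)) / guesses_per_second

def assess(pw):
    """Apply the article's don'ts; return the findings and a brute-force estimate in years."""
    findings, low = [], pw.lower()
    if low in COMMON_PASSWORDS or low.translate(LEET) in COMMON_PASSWORDS:
        findings.append("common password (or a leet-speak respelling of one)")
    if is_keyboard_pattern(pw):
        findings.append("keyboard pattern")
    return findings, brute_force_seconds(pw) / (365 * 24 * 3600)

if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "1qaz2wsx", "password", "Passw0rd!"):
        print(candidate, assess(candidate))
```

Passing an all-lowercase eight-character password and the same length with upper-case and punctuation added shows the jump from days to many years that the article describes, at the assumed guess rate.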

Security professionals also recommend password managers such as LastPass, Keeper, and 1Password to create, store, track, and fill in complex passwords without having to remember them. Yet the real solution may be to ditch passwords entirely in favor of multifactor authentication. Chipmaker Intel has a chipset that uses fingerprint and second-factor phone proximity checks as login credentials. Microsoft Windows Hello allows users to sign in with biometric authentication using facial or fingerprint recognition. But until these technologies are widespread, keep your password wits about you.
