It seems like we hear about a new security breach every few weeks. You don’t have to follow the news closely to hear that some company is announcing that it’s been hacked, that customer passwords were compromised, and what the company is doing to make its systems more secure. A few weeks ago, tech journalist Mat Honan announced that his iPhone, MacBook, iCloud, and Amazon accounts were all hacked. Recently, Blizzard Entertainment, the maker of World of Warcraft, announced that its systems had been hacked and told users to change their passwords.
An Old Problem
This isn’t a new problem. In fact, history’s first hacker made a mockery of a purportedly secure wireless telegraph in 1903. It’s certainly been going on since computer systems first began to have user accounts more than 40 years ago. The Internet, and our near total dependence upon it, has simply made it a more widespread issue. In 2008, Countrywide (the mortgage lender) notified me that an employee had compromised thousands of accounts and was selling the data, mine included. The company provided me with a free credit monitoring service and, fortunately, nothing negative ever came of it. In April of 2011, thousands of customer records from Sony’s PlayStation Network were compromised.
How does this happen? It happens because hackers exploit your weaknesses and those of the systems you use.
Choosing a User Name
Let’s start with your side of the equation since you can do something about it. When you create an account somewhere, you choose a user name and a password. To access the account, you have to get both right. Most people don’t think much about the user name since it almost always appears in plain text. But in fact, the user name is just as important as the password itself. Publish your password on the Internet for everyone to see and it’s useless without your user name. But most people choose a user name that is some combination of their name and/or initials. Joe Smith chooses joe.smith, joesmith, smith or smithj, for example. There are only a handful of different options to choose from when you use your name. And since they all come from your name, they are the easiest thing for a hacker to guess. Choose a user name that has nothing to do with you, and you make it much harder to hack.
Choosing a Password
Of course you also have to provide a password. And all too often people choose something obvious: one of their kids’ names, the name of a pet, an old phone number, or street address. People frequently choose information that is easily available on the Internet, making such passwords simple for a hacker to deduce. For example, you can use ZabaSearch.com to find current and past addresses for just about anyone in the United States. Another option is choosing a random word, but this is also problematic. Hackers can use lists of words and automate the process of trying each word until they get a hit. In fact, there’s a database of 10,000 commonly used passwords that I have no doubt are among the first passwords hackers try. If you are going to use a word, make sure it’s one that isn’t associated with you and would not be found in the dictionary.
Some people use a single password for every system. The obvious problem with this is that, once compromised, all systems accessed are then compromised. Then you have to remember to visit all of those systems to change your password again. A single password is easy to remember, but is not very secure.
Remembering Your Password
Passwords need to be relatively easy to remember. A recent Wired article suggested that systems should use pictures rather than text for passwords since our brains are hard-wired to recognize faces. That’s an interesting idea. I was looking at a grade school class picture on the Internet that an old classmate posted. Even though each person’s face was made up of only 100 pixels or less, I could identify my best friend. The trouble is, you can only show so many faces. It wouldn’t be reasonable to expect a user to scan a hundred faces and you’d have to show them at least that many to make it secure. And what if someone is looking over the user’s shoulder? There would be no way for the user to hide the fact that they chose a particular picture. At least with text, the characters can be masked as they are typed.
In terms of security, the longer a password is, the better. But how do you come up with a really long password that you can also remember? You could use a password generator that creates a long random string of numbers and characters, but n3aefam392msee55 is difficult to remember. One of the members of my team made a great suggestion: use a sentence. Sentences can be long and are easier to remember. And since the brain is associative, you can choose a sentence that is associated with the company or service for which you are creating the password. Even better would be to personalize the sentence; “I use Google every day” is not as secure as “I first used Google in 2001.” That’s a 22-character password, which would be very strong and easy to remember as a password for your Google account. Obviously, I wouldn’t recommend using that one, but I think you see my point.
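The password advice in this section and the previous one can be turned into an automatic check. The following is an added example, not code from the article: the word lists and personal details are constructed samples, and the 12-character minimum is an assumed threshold the article does not specify.

```python
import re

# Constructed sample data: a real check would load a full common-password
# list and dictionary. These few entries are illustrative only.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dragon"}
DICTIONARY = {"sunshine", "mountain", "dragon", "guitar"}
# Constructed personal details of the kind the article warns against
# (pet name, street address, old phone number).
SAMPLE_FACTS = ["Rex", "42 Elm Street", "555-0142"]

def _normalize(text):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def audit_password(password, username, personal_facts, min_length=12):
    """Return the reasons to reject `password`; an empty list means accept."""
    problems = []
    norm = _normalize(password)
    if len(password) < min_length:  # assumed threshold, not from the article
        problems.append("too short")
    if norm in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if norm in DICTIONARY:
        problems.append("single dictionary word")
    # The user name counts as a personal detail too: split every detail into
    # tokens and reject a password that embeds any token of 3+ characters.
    for fact in [username, *personal_facts]:
        for token in re.split(r"[^A-Za-z0-9]+", fact):
            if len(token) >= 3 and token.lower() in norm:
                problems.append(f"contains personal detail: {token}")
    return problems

if __name__ == "__main__":
    for candidate in ["dragon", "Rex2012", "I first used Google in 2001."]:
        print(repr(candidate), audit_password(candidate, "joe.smith", SAMPLE_FACTS))
```

The sentence-style password passes every check, while the pet name with a year appended fails on both length and personal detail.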
There are solutions to remembering your user names and passwords. You could write them all down on a piece of paper that you keep in a desk drawer like one person I know. You could use a password database that is, itself, password-protected. Mac OS X has a nice feature called the Keychain. It stores your passwords in a database that is encrypted with your Mac login password. I use 1Password from AgileBits. It runs on OS X, iPhone, iPad, Windows, and Android, and it syncs across all of them, making it easy to keep passwords close at hand. It also has a nice browser extension, making it easy to fill in user name and password fields automatically.
These systems all have a single point of failure, though. If someone gets access to your desk drawer or gets into your password database or gets your Mac login password, they have access to all of your passwords. But unless you are going to remember every password (and, certainly, using sentences would make it much easier), there’s likely to be a single point of failure in any system the average person is willing to use.
The Wired article correctly pointed out that people view their accounts being hacked as “Black Swan” events, meaning that they think it’s unlikely to happen. And they are right. But if it does, the damage can be anywhere from minimal to irreparable. You could drive your car for decades and never be involved in a car accident, but if you are, you’d better be wearing your seatbelt. It’s the same idea.
The solution is to find a good compromise. First, use sentences as you have a good shot at remembering them without having to use a password database. And second, use a secure password database so that when you can’t remember one, you have a place to look. Finally, use a unique sentence as the password for your password database and change it once a year.
The Problems with Existing Security Systems
Ironically, many security systems don’t actually make it very easy for you to create and maintain a secure password. Here’s a partial list of problems — some of which I’m sure you’ve encountered before:
- They don’t mask the password as you enter it.
- They require passwords to have a specific number of digits and other special characters in them, making them hard to remember.
- They set a low number (say 16) as their maximum password length. This can make using a sentence more difficult. And there’s really no good excuse for having a maximum character count for a password.
- They don’t allow spaces. That’s silly, because a space is as valid a character as anything else and allowing them makes using sentences easier. If a site doesn’t allow spaces and you use a sentence, just leave out the spaces.
- They make you change your password too frequently. This results in users changing just one character of their password to avoid the hassle of coming up with a completely new one or rotating through a small set of easy-to-remember passwords.
- They email your user name and password after you create your account. Folks, email is not a secure way to communicate! A system that emails your password to you is not secure.
- They email you a link, with no expiration date, to set up or reset your password. Anyone who gets that link can reset your password to whatever they want.
- The security questions they provide for resetting your password are often those with answers that are easy to find. What is your mother’s maiden name? What elementary school did you attend? What was the name of your first pet? These are all questions that could be easily answered with a minimal amount of searching. A good solution for this is to provide false answers to these questions, and then store those in your password database.
- They use the last four digits of your Social Security number as verification. How many times have you been asked for this? It would be very easy for anyone to get these numbers and, at that point, they can masquerade as you on any system that uses them for verification.
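For the reset-link problem in the list above, here is one way a site could issue links that expire and work only once. This is an added example, not code from the article or any product it mentions: the class name, the in-memory store, and the 15-minute lifetime are all assumptions.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the article names no figure

class ResetTokenStore:
    """In-memory stand-in for a database table of pending password resets."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create the token to embed in the emailed link; store only its hash."""
        # Issuing a new link invalidates any older link for the same account.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + RESET_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token):
        """Return the user_id if the token is valid, else None. Single use."""
        # pop() removes the entry, so a link cannot be replayed after use.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None          # unknown, already used, or superseded
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            return None          # an old link found in a mailbox is dead
        return user_id

if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("joe.smith")
    print(store.redeem(link_token))   # first use succeeds
    print(store.redeem(link_token))   # second use is refused
```

Because only the hash of each token is stored, a leaked copy of the pending-reset table does not hand out working links.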
When you encounter sites with problems like these, I encourage you to take a moment to find the “Contact Us” page and notify them. The more often they hear from their users, the more likely they are to improve security.
It’s important to point out that there is an analog component to these security issues, as well. The hacker who caused Mat Honan so much grief was able to convince an Apple customer service representative that he was Mat Honan. Companies should take this opportunity to learn from this cautionary tale.
I’m not a security expert, but the state of Internet security is so bad that applying the smallest measurable amount of common sense reveals a multitude of security problems. As I said earlier, you will probably never be the victim of a hacker. And even if you are, there may be no damage. After all, the more accounts a hacker uses for personal gain, the easier the hacker is to catch or shut out. But if it does happen, you will realize that the effort required to be more secure is not cumbersome.
So do yourself a favor and be proactive. Use a password database. Of course you need to keep your devices physically secure, as well. My iPhone requires a passcode and auto-locks after a few minutes. My laptop is set to require my password once the screensaver comes on. I don’t leave my computer without engaging the screensaver for this reason. The small bit of extra effort these mechanisms require is a small price to pay for the security they provide and the damage from which they protect me.
Geoff Perlman is the founder and CEO of Real Software, makers of Real Studio, a cross-platform software development environment for the desktop and the Web. Perlman has written articles that have recently been published in Dr. Dobb’s Journal, VentureBeat, and SD Times.