{"id":9095,"date":"2017-05-03T05:33:03","date_gmt":"2017-05-03T05:33:03","guid":{"rendered":"http:\/\/www.lifeandnews.com\/articles\/?p=9095"},"modified":"2017-05-04T05:35:02","modified_gmt":"2017-05-04T05:35:02","slug":"why-we-choose-terrible-passwords-and-how-to-fix-them","status":"publish","type":"post","link":"https:\/\/www.lifeandnews.com\/articles\/why-we-choose-terrible-passwords-and-how-to-fix-them\/","title":{"rendered":"Why we choose terrible passwords, and how to fix them"},"content":{"rendered":"<p><span><a href=\"https:\/\/theconversation.com\/profiles\/megan-squire-342387\">Megan Squire<\/a>, <em><a href=\"http:\/\/theconversation.com\/institutions\/elon-university-2582\">Elon University<\/a><\/em><\/span><\/p>\n<p>The first Thursday in May is World Password Day, but don\u2019t buy a cake or send cards. Computer chip maker <a href=\"http:\/\/www.slate.com\/blogs\/future_tense\/2014\/05\/07\/intel_s_world_password_day_encourages_everyone_to_change_their_passwords.html\">Intel created the event<\/a> as an annual reminder that, for most of us, our password habits are nothing to celebrate. Instead, they \u2013 and computer professionals like me \u2013 hope we will use this day to say our final goodbyes to \u201cqwerty\u201d and \u201c123456,\u201d which are <a href=\"https:\/\/blog.keepersecurity.com\/2017\/01\/13\/most-common-passwords-of-2016-research-study\/\">still the most popular passwords<\/a>.<\/p>\n<h2>The problem with short, predictable passwords<\/h2>\n<p>The purpose of a password is to limit access to information. 
Having a very common or simple one like \u201cabcdef\u201d or \u201cletmein,\u201d or even normal words like \u201cpassword\u201d or \u201cdragon,\u201d is barely any security at all, like closing a door but not actually locking it.<\/p>\n<p>Hackers\u2019 <a href=\"https:\/\/fossbytes.com\/best-password-cracking-tools-2016-windows-linux-download\/\">password cracking tools<\/a> take advantage of this lack of creativity. When hackers find \u2013 <a href=\"https:\/\/theconversation.com\/buying-and-selling-hacked-passwords-how-does-it-work-60894\">or buy<\/a> \u2013 stolen credentials, they will likely find that the passwords have been stored not as the text of the passwords themselves but as <a href=\"https:\/\/crackstation.net\/hashing-security.htm#normalhashing\">unique fingerprints<\/a>, called \u201c<a href=\"http:\/\/dx.doi.org\/10.1007\/11535218_26\">hashes<\/a>,\u201d of the actual passwords. A hash function mathematically transforms each password into an encoded, fixed-size version of itself. Hashing the same original password will give the same result every time, but it\u2019s computationally nearly impossible to reverse the process, to derive a plaintext password from a specific hash.<\/p>\n<p>Instead, the cracking software computes the hash values for large numbers of possible passwords and compares the results to the hashed passwords in the stolen file. If any match, the hacker\u2019s in. The first place these programs start is with known hash values for popular passwords.<\/p>\n<p>More savvy users who choose a less common password might still fall prey to what is called a \u201cdictionary attack.\u201d The cracking software tries each of the <a href=\"https:\/\/en.oxforddictionaries.com\/explore\/how-many-words-are-there-in-the-english-language\">171,000 words<\/a> in the English dictionary. 
Then the program tries combined words (such as \u201cqwertypassword\u201d), doubled sequences (\u201cqwertyqwerty\u201d), and words followed by numbers (\u201cqwerty123\u201d).<\/p>\n<h2>Moving on to blind guessing<\/h2>\n<p>Only if the dictionary attack fails will the attacker reluctantly move to what is called a \u201cbrute-force attack,\u201d guessing arbitrary sequences of numbers, letters and characters over and over until one matches.<\/p>\n<p><a href=\"http:\/\/securitymusings.com\/article\/3732\/the-math-behind-passwords\">Mathematics tells us<\/a> that a longer password is less guessable than a shorter password. That\u2019s true even if the shorter password is made from a larger set of possible characters.<\/p>\n<p>For example, a six-character password made up of the 95 different symbols on a standard American keyboard yields 95<sup>6<\/sup>, or 735 billion, possible combinations. That sounds like a lot, but a 10-character password made from only lowercase English characters yields 26<sup>10<\/sup>, or 141 trillion, options. Of course, a 10-character password from the 95 symbols gives 95<sup>10<\/sup>, or 59 quintillion, possibilities.<\/p>\n<p>That\u2019s why some websites require passwords of certain lengths and with certain numbers of digits and special characters \u2013 they\u2019re designed to thwart the most common dictionary and brute-force attacks. Given enough time and computing power, though, any password is crackable.<\/p>\n<p>And in any case, humans are <a href=\"https:\/\/www.ncbi.nlm.nih.gov\/pmc\/articles\/PMC4141622\/\">terrible at memorizing long, unpredictable sequences<\/a>. We sometimes use mnemonics to help, like the way \u201c<a href=\"http:\/\/www.dummies.com\/art-center\/music\/piano\/mnemonics-for-piano-notes\/\">Every Good Boy Does Fine<\/a>\u201d reminds us of the notes indicated by the lines on sheet music. 
They can also help us remember a password like \u201cfreQ!9tY!juNC,\u201d which at first appears very mixed up.<\/p>\n<p><a href=\"http:\/\/cogprints.org\/730\/1\/miller.html\">Splitting the password<\/a> into three chunks, \u201cfreQ!,\u201d \u201c9tY!\u201d and \u201cjuNC,\u201d reveals what might be remembered as three short, pronounceable words: \u201cfreak,\u201d \u201cninety\u201d and \u201cjunk.\u201d <a href=\"http:\/\/jiito.informingscience.org\/articles\/JIITOv1p097-113Carstens30.pdf\">People are better at memorizing passwords that can be chunked<\/a>, either because they find meaning in the chunks or because they can more easily add their own meaning through mnemonics.<\/p>\n<h2>Don\u2019t reuse passwords<\/h2>\n<p>Suppose we take all this advice to heart and resolve to make all our passwords at least 15 characters long and full of random numbers and letters. We invent clever mnemonic devices, commit a few of our favorites to memory, and start using those same passwords over and over on every website and application. <\/p>\n<p>At first, this might seem harmless enough. But password-thieving hackers are everywhere. Recently, big companies including Yahoo, Adobe and LinkedIn <a href=\"http:\/\/www.informationisbeautiful.net\/visualizations\/worlds-biggest-data-breaches-hacks\/\">have all been breached<\/a>. Each of these breaches <a href=\"https:\/\/haveibeenpwned.com\/\">revealed the usernames and passwords<\/a> for hundreds of millions of accounts. Hackers know that people commonly reuse passwords, so a cracked password on one site could make the same person vulnerable on a different site.<\/p>\n<figure class=\"align-center zoomable\">\n            <a href=\"https:\/\/cdn.theconversation.com\/files\/167193\/area14mp\/file-20170428-12979-1fekj2k.jpg\"><img alt=\"\" src=\"https:\/\/cdn.theconversation.com\/files\/167193\/width754\/file-20170428-12979-1fekj2k.jpg\"><\/a><figcaption>\n              <span class=\"caption\">No! 
Don\u2019t do this!<\/span><br \/>\n              <span class=\"attribution\"><a class=\"source\" href=\"https:\/\/www.shutterstock.com\/image-photo\/easy-password-concept-my-123456-written-414545476\">designer491 via shutterstock.com<\/a><\/span><br \/>\n            <\/figcaption><\/figure>\n<h2>Beyond the password<\/h2>\n<p>Not only do we need long, unpredictable passwords, but we need different passwords for every site and program we use. The average internet user has <a href=\"https:\/\/nakedsecurity.sophos.com\/2014\/10\/17\/average-person-has-19-passwords-but-1-in-3-dont-make-them-strong-enough\/\">19 different passwords<\/a>. It\u2019s easy to see why people write them down on sticky notes or just click the \u201cI forgot my password\u201d link.<\/p>\n<p>Software can help! The job of password management software is to take care of generating and remembering unique, hard-to-crack passwords for each website and application.<\/p>\n<p>Sometimes these programs themselves have <a href=\"https:\/\/blog.lastpass.com\/2017\/03\/security-update-for-the-lastpass-extension.html\/\">vulnerabilities<\/a> that can be exploited by attackers. And some websites <a href=\"https:\/\/www.wired.com\/2015\/07\/websites-please-stop-blocking-password-managers-2015\/\">block password managers from functioning<\/a>. And of course, an attacker could peek at the keyboard as we type in our passwords.<\/p>\n<p><a href=\"https:\/\/www.cnet.com\/news\/two-factor-authentication-what-you-need-to-know-faq\/\">Multi-factor authentication<\/a> was invented to solve these problems. This involves <a href=\"https:\/\/pdfs.semanticscholar.org\/fe69\/ec989dc1dc59518eef49e464b42b7a77ec66.pdf\">a code sent to a mobile phone<\/a>, a fingerprint scan or a <a href=\"https:\/\/theconversation.com\/the-age-of-hacking-brings-a-return-to-the-physical-key-73094\">special USB hardware token<\/a>. 
However, <a href=\"http:\/\/www.research.ed.ac.uk\/portal\/files\/11914398\/Gunson_7.pdf\">even though users know the multi-factor authentication is probably safer<\/a>, they worry it might be more inconvenient or difficult. To make it easier, sites like <a href=\"https:\/\/authy.com\/\">Authy.com<\/a> provide straightforward guides for enabling multi-factor authentication on popular websites.<\/p>\n<p>So no more excuses. Let\u2019s put on our party hats and start changing those passwords. World Password Day would be a great time to ditch \u201cqwerty\u201d for good, try out a password manager and turn on multi-factor authentication. Once you\u2019re done, go ahead and have that cake, because you\u2019ll deserve it.<\/p>\n<p><span><a href=\"https:\/\/theconversation.com\/profiles\/megan-squire-342387\">Megan Squire<\/a>, Professor of Computing Sciences, <em><a href=\"http:\/\/theconversation.com\/institutions\/elon-university-2582\">Elon University<\/a><\/em><\/span><\/p>\n<p>This article was originally published on <a href=\"http:\/\/theconversation.com\">The Conversation<\/a>. Read the <a href=\"https:\/\/theconversation.com\/why-we-choose-terrible-passwords-and-how-to-fix-them-76619\">original article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Megan Squire, Elon University The first Thursday in May is World Password Day, but don\u2019t buy a cake or send cards. Computer chip maker Intel created the event as an annual reminder that, for most of us, our password habits are nothing to celebrate. 
Instead, they \u2013 and computer professionals like me \u2013 hope we [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":9096,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8],"tags":[971,612,2289,2288,2290,2291],"_links":{"self":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/9095"}],"collection":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/comments?post=9095"}],"version-history":[{"count":1,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/9095\/revisions"}],"predecessor-version":[{"id":9097,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/9095\/revisions\/9097"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media\/9096"}],"wp:attachment":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media?parent=9095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/categories?post=9095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/tags?post=9095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}