If there’s one thing that the LinkedIn, eHarmony and now Last.fm hacks have taught us in the past week, it’s that people are really bad at picking secure passwords.
As MSNBC noted, a lot of people used the phrase “link” in their LinkedIn passwords — not exactly a high hurdle for someone intent on cracking your credentials. The second-most popular phrase? “1234.”
I get it. There have been a lot of times when I’ve used a simple password to sign up for a service, just to get through the registration process quickly. And trying to come up with strong passwords is awful. As my Washington Post colleague Alexandra Petri wrote Thursday, password tips are often unhelpful because they offer codes that are impossible to remember.
Last week, I spoke to Chet Wisniewski, senior security adviser for Sophos, about The Washington Post’s poll that found 79 percent of those surveyed used different passwords for online accounts. He said that was encouraging but that the average person shouldn’t stop there.
Most people who use multiple passwords, he said, seem to take a tiered approach: Say, one really secure password that they use for their bank and a throwaway password for quick commenting or blogging services.
What most don’t realize, he said, is that a throwaway password often includes important information that can be used to access a more secure account.
Using your mother’s maiden name or kid’s birthday in your lowest-tier password? Make sure those aren’t the answers to the security questions you need to get into your bank account. Or that they aren’t on your Facebook profile.
What’s important to remember, even if you can’t keep track of a different password for every account, is that you shouldn’t ever use the same password for accounts that you use every day. That means Facebook and Gmail should have different passwords, which in turn should be different from your LinkedIn, Spotify, Pandora, Twitter or, goodness forbid, your bank. Hackers are unlikely to target you, specifically, but if one of your passwords gets into a major data dump, you’re just opening the door for them if you’re sharing passwords.
Wisniewski said that people should still be creating unique passwords for each account, and that maybe people should think about being a little less truthful on their security questions, as well, just as a precaution. Name, for example, your second car and not your first, or your child’s high school mascot.
I have a whole bunch of tricks that I use to insert numbers, symbols, caps and general confusion into my passwords in a way only I will remember. But with the number of services I subscribe to, I still find myself trying to remember if I replaced that one letter of my first-grade teacher’s last name with a “1” or a “!” or if I opted for a different reference from my past altogether. One tip I do like: Pick something personal, and type it shifted one key to the right. Even that, though, will become less secure if people still use the same common passwords — like “password” — and people begin trying “[sddeptf” to hack your accounts, too.
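The one-key-to-the-right trick, and why it stops helping once everyone applies it to “password”, as an added example that is not from the article: a sign-up-time policy check that rejects a common password and its shifted variants. It assumes a US QWERTY layout and uses a small constructed word list in place of a real breach dump.

```python
"""Added example (not from the article): flag passwords that are a common
password typed one key to the right (or left) on a US QWERTY keyboard."""

# Physical key rows, unshifted symbols; assumption: US QWERTY layout.
QWERTY_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")


def _neighbour_map(offset):
    """Map each key to the key `offset` positions to its right on the same row."""
    table = {}
    for row in QWERTY_ROWS:
        for i in range(len(row) - offset):
            table[row[i]] = row[i + offset]
    return table


SHIFT_RIGHT = _neighbour_map(1)
SHIFT_LEFT = {right: left for left, right in SHIFT_RIGHT.items()}


def shift_keys(text, table):
    """Re-type `text` with every key moved per `table`. Case is preserved;
    a key with no neighbour in that direction (end of a row) is left as is."""
    out = []
    for ch in text:
        moved = table.get(ch.lower(), ch.lower())
        out.append(moved.upper() if ch.isupper() else moved)
    return "".join(out)


# Constructed sample of common passwords; the article names "password" and "1234".
COMMON_PASSWORDS = frozenset({"password", "1234", "123456", "linkedin", "qwerty", "letmein"})


def weakness(candidate):
    """Return why `candidate` is weak, or None if it passes this check."""
    low = candidate.lower()
    if low in COMMON_PASSWORDS:
        return "common password"
    # Undo a right shift: "[sddeptf" moved one key left is "password".
    if shift_keys(low, SHIFT_LEFT) in COMMON_PASSWORDS:
        return "common password shifted one key right"
    if shift_keys(low, SHIFT_RIGHT) in COMMON_PASSWORDS:
        return "common password shifted one key left"
    return None


if __name__ == "__main__":
    for pw in ("password", "[sddeptf", "2345", "Correct-Horse-Battery"):
        print(f"{pw!r}: {weakness(pw) or 'ok'}")
```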
In any case, everyone should be extra wary of strange e-mails — particularly those with attachments and external links — since fake “phishing” messages will likely be on the rise.