Even Mark Zuckerberg has a crap password. What hope have we mere mortals?
Chances are, you’re using the same password for multiple online accounts — or maybe recycling two or three that are easy to remember. You’re only human, and even superhumans are known to commit grave password crimes.
This week Facebook chief executive Mark Zuckerberg was caught out not only using a very weak password for social media logins, but using it across multiple accounts (though not Facebook).
His password — don’t laugh, it’s “dadada” — is believed to be among millions that were leaked by hackers online following a massive breach of LinkedIn.
Zuckerberg should have known better. And no doubt he did.
Why is it that we continue to ignore best practice in the face of rising hack attacks and online identity fraud?
‘Crazy’ number of logins
The answer is likely in the increasing number of online accounts we need just to go about our daily lives — from social media profiles to banking, email, subscription services, websites (many of which you’ll never visit again) and more.
“It’s completely going crazy … it’s gone mad,” says Asha Rao, associate professor of information security at RMIT.
“Almost every website you visit, if you want any kind of info, they ask you to sign up.”
Estimates of how many accounts the average person has vary; but what’s clear is the number is growing.
In 2007 Microsoft put the figure at 25, with people recycling the same six or so passwords across accounts.
Fast-forward nearly a decade, and Dashlane (which, yes, makes a password management app) reckons today we each have upwards of 100 accounts. Its data suggests the number of accounts we have doubles every five years. Yikes.
Convenience versus security
“From my experience, the sheer burden of remembering passwords and the frequency we need to input them drives simpler and weaker passwords,” says Linus Information Security Solutions’ Mike Thompson. He has more than 170 passwords himself.
In the face of such password fatigue, Thompson says, “each person is running their own personal risk model”.
Busier people – people like Zuckerberg – are likely to be worse at password protection as convenience takes preference.
The other major factor driving poor password protection is what Thompson calls “‘It hasn’t happened to me’ syndrome”.
“I have seen this [lax] behaviour with everything from health to insurance, alarm systems and more,” Thompson says.
“People simply don’t place importance on issues until it becomes real to them. Until their password is actually hacked, it will never be a priority.”
The risk equation
Hackers today have sophisticated software at their disposal to use in “brute force” attacks. A computer algorithm can throw billions of possible password combinations per second at a victim’s account. The shorter and simpler a password, the quicker it will be cracked.
We all know the rules by now: make your password long; use a combination of numbers, special characters and upper and lower case letters; use a different password for every account. Thompson recommends a minimum of 12 characters for a strong password.
While recycling passwords for multiple accounts makes it easier to remember them, the risk here is that if one account is compromised, the rest are too. That’s especially bad news if one of your accounts contains sensitive information.
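As an added illustration of the "risk equation" above (not part of the original article), the script below estimates the worst-case exhaustive-search time for a password from its length and the character classes it uses, at the billions-of-guesses-per-second rate the piece describes; the 1e9 guesses/s figure and the mixed 12-character sample password are assumptions chosen for the example.

```python
import string

# Added example, not part of the original article: a worst-case brute-force
# estimate for the "risk equation" the article describes. Sample passwords
# below are constructed for illustration; "dadada" is the one quoted in the piece.

# Each class an attacker must enumerate once a password uses any member of it.
CHAR_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
)


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    return sum(n for chars, n in CHAR_CLASSES if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must try: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to enumerate the whole keyspace at the given guess rate.
    This is an upper bound: a dictionary word such as "dadada" is tried from a
    wordlist or a leaked-password list long before any exhaustive search."""
    return keyspace(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    # The article's 12-character advice versus the quoted 6-letter password,
    # at the "billions per second" rate it mentions (1e9 guesses/s assumed).
    for pw in ("dadada", "dadadadadada", "Tr0ub4dor&3x"):
        print(f"{pw!r:16} alphabet={alphabet_size(pw):3} "
              f"worst case {humanize(seconds_to_exhaust(pw))}")
```

The six lowercase letters of "dadada" fall to exhaustive search in well under a second, while the same length twice over, or 12 characters drawn from all four classes, moves the worst case into years; the estimate says nothing about reuse, which lets one leak open every account sharing the password regardless of its strength.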
Beyond the password
With even the most informed of us erring on the side of convenience, tech companies are looking at new ways to protect accounts.
Google will trial using a mix of biometric indicators (things like face and voice recognition) and other weaker credentials which together create strong authentication. Others are exploring the use of emoji.
Phil Vasic, Australia New Zealand country manager at security firm FireEye, says there are various market limitations – including increased costs – to widespread adoption of biometrics. There is also an inherent risk if someone gets their hands on your biometric data. Short of a hefty plastic surgery bill, unlike a password, you can’t change it.
Top password security tips
Vasic says there’s “no silver bullet” for good password security versus convenience, but we asked our experts for their best tips.
- Rao writes down complex passwords on paper and keeps them in a locked drawer in her desk. For sites she doesn’t visit very often, she’ll use a strong password and forget about it. If she needs to log in again she’ll request a password reset from the site.
- Thompson uses a password manager, but recommends avoiding cloud-based systems. He acknowledges the risk that if the password manager is hacked, all connected accounts may be compromised.
- Vasic stays abreast of any high-profile security breaches of sites he uses, changing his passwords straight away if affected. He refreshes his personal passwords on a 60- to 90-day cycle just in case.
- Wade Alcorn, managing director of security firm Alcorn Group, always uses two-factor authentication (where a site sends you a code when you log in) if it’s offered.