The month of June is turning into a very bad month for password security. Last week three major sites – LinkedIn, eHarmony, and last.fm – all suffered major leaks that put millions of user passwords online. Earlier this week, it was revealed that the game League of Legends has also suffered its own flaw, which put customer data – including passwords – out into the open.
What have we learned about password security from these incidents? That people are still using woefully insecure passwords. Too many people are still using frightfully short passwords like 1234, or words that are too short/guessable (examples would be job or linkedin). Even some too-clever-at-first-glance passwords were cracked (name-and-site combinations like davidlinkedin and boblinkedin were found; site-related puns like leakedin and linkedout were part of the list as well).
Attackers now have overwhelming amounts of computing power at their disposal thanks to GPUs, which can be trivially repurposed towards conducting brute-force attacks. This makes securely storing passwords a lively topic of debate that involves both security researchers and IT administrators. However, this is something that users have no control over.
What users can do is improve the passwords they are using. Here’s our advice for how to do just that:
- Phrases, not words. Having a longer password is an essential part of improving user passwords. Ten to twelve characters is a good start; for your most sensitive sites (like banks) longer passwords should be considered. Of course, if your passwords are really that long you should be using passphrases, not passwords. Overly long words like supercalifragilisticexpialidocious may be a bit… difficult to remember accurately. Wrong spelling is likely to result. Pick completely random (even nonsensical) phrases that you can remember in some… creative and personal way, and stay away from potential passphrases that are “in the wild” like movies and other parts of today’s pop culture. For example, ZombiesWantBrains would probably not be a good password. A more suitable passphrase, as it is more random, is ComputerSwimmingMelonLamp.
- Recycling is good. Except for passwords. Whatever you do, don’t recycle passwords. At the very least, a cracked password is likely to be added to the list of “known” passwords that would-be attackers would try first. If the user’s log-in name was compromised as well, then the attacker would have a user name + password combination that is sure to be used elsewhere. In short: don’t recycle the same password across multiple sites.
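The two tips above can be turned into a small check. The following Python script is an added example, not code from the original post or from any product it mentions. It estimates how many guesses the post's sample passwords (1234, job, davidlinkedin, ZombiesWantBrains, ComputerSwimmingMelonLamp) would cost an attacker, shows why a passphrase's strength comes from its word count and dictionary size rather than its character count, generates a random CamelCase passphrase with a CSPRNG, and rejects anything that appears on a list of already-leaked passwords. The GPU guess rate, the ten-character minimum, the 7776-word dictionary size and the tiny word list are assumptions or constructed data, labelled as such in the code.

```python
"""Password strength and reuse checks illustrating the post's advice.

Added example, not from the original post. The guess rate, the minimum
length, the dictionary size and the word list below are assumptions or
constructed data, not figures from the post.
"""
import math
import secrets
import string

# Assumption: an attacker's offline guess rate against a fast hash on GPUs.
# The post gives no number; this order of magnitude is a placeholder.
GPU_GUESSES_PER_SECOND = 1e10

# Minimum length taken from the post's "ten to twelve characters" advice.
MIN_LENGTH = 10

# Constructed: the passwords the post says were recovered from the leaks.
# A real deployment would check against a full breach corpus, not this handful.
KNOWN_LEAKED = {
    "1234", "job", "linkedin", "davidlinkedin", "boblinkedin",
    "leakedin", "linkedout",
}

# Constructed: a tiny word list for passphrase generation. Real lists
# (assumption: Diceware-style lists have about 7776 words) are far larger,
# and the entropy figures below scale with the list size.
WORDLIST = [
    "computer", "swimming", "melon", "lamp", "granite", "orbit", "velvet",
    "tractor", "copper", "harbor", "ladder", "meadow", "pencil", "quartz",
    "ribbon", "saddle", "thimble", "walnut", "yonder", "zipper",
]


def charset_size(password: str) -> int:
    """Size of the standard character-class mix that covers the password."""
    size = 0
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.punctuation or c == " " for c in password):
        size += 33
    return size


def brute_force_bits(password: str) -> float:
    """Naive upper bound: bits needed for a character-by-character brute force.
    Overstates the strength of anything built from dictionary words."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Honest bound for a passphrase: an attacker guesses whole words, so
    strength is word_count * log2(dictionary_size), not character count."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(word_count: int, wordlist=WORDLIST):
    """Pick words with the secrets module (a CSPRNG, unlike random.choice)
    and join them in the CamelCase style of ComputerSwimmingMelonLamp."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    return words, "".join(w.capitalize() for w in words)


def check_password(password: str) -> dict:
    """Apply the post's two rules: not on a leaked list, and long enough."""
    leaked = password.lower() in KNOWN_LEAKED
    bits = brute_force_bits(password)
    return {
        "leaked": leaked,
        "length_ok": len(password) >= MIN_LENGTH,
        "naive_bits": round(bits, 2),
        "seconds_to_exhaust": seconds_to_exhaust(bits, GPU_GUESSES_PER_SECOND),
        "acceptable": not leaked and len(password) >= MIN_LENGTH,
    }


if __name__ == "__main__":
    for pw in ["1234", "job", "davidlinkedin", "ZombiesWantBrains",
               "ComputerSwimmingMelonLamp"]:
        print(pw, check_password(pw))
    # Four words from a 7776-word list: about 51.7 bits, far below the naive
    # 142-bit figure the 25-character string suggests.
    print("4 words x 7776:", round(passphrase_bits(4, 7776), 2), "bits")
    words, pw = generate_passphrase(4)
    print("generated:", pw, "->",
          round(passphrase_bits(4, len(WORDLIST)), 2), "bits")
```

The gap between brute_force_bits and passphrase_bits is the point: a 25-character CamelCase string looks like 142 bits to a character-level brute force, but an attacker who guesses whole words from a 7776-word list faces only about 52 bits, which is still vastly better than the 13 bits of 1234. Swap the constructed KNOWN_LEAKED set for a real breach corpus and the check also enforces the "don't recycle" rule, since a password already on such a list is exactly what attackers try first.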
Of course, these tips are fundamentally based around the limitations of most people’s ability to remember passwords. Password managers such as DirectPass can also help in reducing the burden on users by storing the passwords for them; in addition, by storing the passwords in the cloud these become accessible across multiple devices, whether they be PCs, smartphones, or tablets.