National Edition

Secret security: The only password you'll ever need

Published: Thursday, Feb. 6 2014 4:00 a.m. MST

As major database breaches expose millions of emails and passwords, there are simple ways to make passwords easier and more secure.

Thinkstock

Among the 153 million user accounts hacked at adobe.com in Oct. 2013 were three belonging to Troy Hunt.

As his website about security breaches, haveibeenpwned.com, says, those Adobe accounts included usernames, email addresses and password hints. The accounts' passwords were not encrypted very well by Adobe and many were cracked by the hackers and posted on the Internet. The password hints were not encrypted at all.

Hunt, who is a security researcher in Sydney says the attacks should be a timely reminder for people about their online account security.

"We protect a lot of our lives with passwords," he says. "It is one of things we deal with every day."

When Hunt found out about the hack, he changed his passwords and information on adobe.com, a website that integrates with its products such as graphic design Photoshop and Illustrator. Hunt probably beat the hackers before they could decrypt his passwords. Other people, however, had such easy passwords that it took little effort for the hackers to crack them. Passwords such as "123456," "password" and "qwerty," for example, didn't offer much resistance.

A survey by U.K.-based data company Varonis found that 91 percent of people assume that businesses are protecting their data — even though 93 percent of large organizations and 87 percent of small businesses reported some level of data breaches in 2013.

Just last week, Yahoo reported that hackers used information, probably from an outside source, to access the emails and passwords of many Yahoo email users.

Julia Angwin, senior writer at ProPublica, says people are beginning to realize they need to be more sophisticated about their passwords. "People are not trying hard enough to make their passwords hard to crack," says Angwin, who is the author of the forthcoming book, "Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance."

At stake is everything people have online. Personal information. Banking accounts. Shopping accounts such as Amazon or eBay.

Angwin, who lives in Harlem, N.Y., says email is the most critical item. "It can be the key to unlocking all your other online accounts," she says. "Email is even more important than banks because banks can give fraud protection."

Hunt says he has about 300 different online accounts and as many passwords. The majority of people (54 percent) say they only have one to five passwords they use.

The problem is, according to a survey by identity protection company CSID, 61 percent of people reuse their passwords for multiple sites — making it even easier for hackers who hack one password to gain access to several online accounts.

One password

Hunt, the guy with 300 passwords, describes the perfect password as something that is against the norm. "You need long, random and unique passwords across every one of your online assets," he says.

This means no duplicates.

This also means a big problem.

"As soon as you say it has to be unique, it is not something you can really commit to memory," he says.

And writing passwords down where they can be accessed easily or putting them in a Word document on a computer is not a good idea.

Hunt's solution is to use a password manager — a software program that stores each website's password in an high-level encrypted file that he can access whenever he needs to log onto a website. To open that file, all he needs is to remember one password.

Hunt uses the program 1Password by Agilebits as his password manager. There are many other similar products such as LastPass. Apple products also have an integrated password manager called Keychain Access.

The advantage of programs such as 1Password and LastPass is they can work across both Mac and PC platforms and have many more features.

When 1Password, for example, is installed, it enables users to click on an icon added to a browser to put in a password on a website. It can enter other information as well — including credit card numbers and so forth.

The program also can generate very long, very random passwords for websites that are nearly impossible to memorize. The long password stays in the password manager and can be accessed from other computers and devices. All a person has to do it memorize that one password to access the password manager.

Just don't ever forget that one password.

"It is a paradigm of putting all your eggs in one basket and then watching that basket very carefully," says Hunt.

Angwin also uses a password manager for her passwords. The trick is to come up with a good master password.

Pass phrases

It would make little sense to install a password manager with high encryption and then use a simple master password like "qwerty" or your birthday.

Angwin recommends using what is called a pass phrase, a few short but random words found in a dictionary such as "market gear train pencil." The words can be separated by spaces, or sometimes people will put a numeral or symbols between the words.

The idea, popularized in a XKCD Web cartoon, claims a password such as "Tr0ub4dor&3" is harder to memorize and easier to crack than a pass phrase such as "correct horse battery staple."

Although pass phrases provide better passwords from a security standpoint, one study in the "Proceedings of the Symposium On Usable Privacy and Security" says pass phrases are forgotten at similar rates to regular passwords and took longer to enter.

Two factors

Jeff Atwood, a blogger in El Cerrito, Calif., who co-founded the programmers website stackoverflow.com, is also concerned with password security online, but doesn't use a password manager. Instead he tries to sign onto most websites using his Google account. That way, he says, if other websites are hacked, they do not have his password.

Like Angwin and Hunt, he is mostly concerned about people getting access to things through email. For this reason, he says to use what is called two-factor authentication.

"That is something you know and something you have," he says.

The way it works is the thing you "know" is a password.

The thing you "have" could be your mobile phone. So when you sign into a Web service such as Google, it asks for a password and it also sends a text message with another code you have to enter. This authenticates the computer you are using. If you use another computer, you have to use the two-factor authentication again — something a hacker couldn't do.

Atwood also has a Citibank account, which requires him, in addition to a password, to insert a USB fob into the computer to authenticate it is him accessing the account.

Google and other email and social media websites offer two-factor authentication.

Once Google is secure this way, then it can be used with fewer problems to access other online services. This method is, in a way, similar to using a password manager.

Atwood, however, doesn't worry about less important websites and has a simple password he uses for websites he says he probably will never visit again. Getting access to this password would not divulge any important information — if it would, he wouldn't use it for them.

EMAIL: mdegroote@deseretnews.com

Twitter: @degroote

Facebook: facebook.com/madegroote

Get The Deseret News Everywhere

Subscribe

Mobile

RSS