I have a theory about passwords. They make us less secure. No really.
The problem is, we tell ourselves we’ll remember them and we are afraid to write them down. But many of us simply don’t remember them. And only some memory prompts are consistently useful anyway. My first car will always be my first car, but I might forget which is my “favourite pet” (because since I answered that question, a beloved pet passed on and a new one reigns). So I end up just changing my password. Keep doing that, and one might attract new spyware…
Obviously, we need passwords. But after all these years of hundreds of millions of people living partly online, some new facts, issues, and proposed solutions are emerging. Some of them are counterintuitive.
As Dan Goodin explains at Ars Technica, we’ve all heard:
Use long, randomly generated passwords to lock down your digital assets. Never use the same password across two or more accounts. …
And it is not feasible in practice, researchers find. For one thing, we have dozens of passwords. But also, the importance of security vs. utility varies widely. We want our bank accounts to be secure, even if we can’t get in ourselves sometimes (at least the money is still safe, just not available this minute).
But what if the Neighbourhood Newz Web site access requires a remake of the epic WWII spy code battle of Bletchley vs. Enigma, just to advertise a spare lawn mower, free to a good home? Chances are, fearing a useless time sink, we won’t bother using the site to tell anyone about it.
Which is too bad because that defeats the purpose of the site. In truth, there would be little consequence if the site was hacked; no one should be putting confidential information there anyway. “Howdy!”would be fine as a password.
That’s not just my opinion; it’s a recent finding,
“So the two staples A1, A2 of password advice appear impossible to meet individually, let alone simultaneously,” the researchers wrote in a paper titled Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts. “How do users proceed? They ‘cheat’ on A1 by choosing passwords far weaker than advised.
And, they note, “Snoopy2” would be fine as a password (like Howdy!) if nothing more than a brief kerfuffle would follow if the password were discovered, and had to be changed. Not all information is valuable, widely sought, or unavailable elsewhere.
Goodin puts it like this:
The paper provides mathematical support for a practice some people have long employed—that is, foregoing a strict password regimen across the board. There’s little return on the investment of choosing a strong, unique password to lock down a free New York Times account that does nothing more than let website operators track which stories a visitor is reading. The effort saved is much better put into picking a good password to protect online banking and e-commerce accounts.
It may be worth a whole evening coming up with such password. See the vid below for advice.
On the other hand, so what if the New York Times onsite vendors know the make of the first car you drove? It’s got to be in a registry somewhere anyway if you bought the plates.
All that said, in other news according to PC World, “password” has just been dethroned as the world’s worst password. Jared Newman explains,
“123456” is finally getting some time in the spotlight as the world’s worst password, after spending years in the shadow of “password.”
The worst passwords of 2013 include 111111, admin, letmein, and—more curiously—monkey, princess, and trustno1.
PC World’s Jared Newman advises,
Instead, consider using phrases of random words separated by spaces or underscores, and using different passwords, at least for your most sensitive accounts. Password management programs such as LastPass, KeePass and Splashdata’s own SplashID can also help, as you only have to remember a single master password.
Anyway, don’t be this guy: “This reader mocked Heartbleed, posted his passwords online. Guess what happened next.”
Next: What happened next. And some proposed high biotech solutions.
Some thoughts that might help:
Denyse O’Leary is a Canadian journalist, author, and blogger.