The password myth : Why passwords aren’t keeping us safe and can we fix our security systems

Bill Gates declared the password dead in 2004.

Why the password is a myth

The notion of a password being sufficient in itself needs to go into the myth bin. A staggering 76% of data breaches are caused by weak passwords. More often than not, an account is easily hacked because of a ridiculously easy password or the same password being used across multiple systems. Even when forced to use upper- and lower-case letters, numbers, and symbols to make our passwords “safe”, we use predictable patterns. We tend to capitalize the first letter, use a common word as the seed and add a number (probably 1 or 2) or one of the common symbols at the end (~, !, @, #, $, %, &, ?) We even know that women tend to use personal names, and men hobbies!

First data breach happened immediately after the first password

Most geeks agree that the first password came from MIT’s Compatible Time-Sharing System in the 1960’s. This system launched computing as we know it : e-mail, instant messaging, file sharing – and date breaches. Twenty-five years after it happened, Allan Scherr, an MIT Ph.D. researcher, confessed to the first password theft. To try and bump up his allotted time on the system, he printed out all of the stored passwords. He shared these with colleagues, leading directly to the first case of internet abuse, as one colleague left “taunting messages” on the bosses’ computer.

The problem with passwords is our brains

The key to cracking passwords is a flaw in our brains, says password expert and cracker Jeremi Gosney. Our minds are simply not suited to creating random combinations of words or letters. Brains seem to be more attuned to memories or pop culture tastes. “If your password is not random, we will crack it,” promises Gosney, who once deciphered 90 percent of more than 16,000 passwords downloaded from the internet in 20 HOURS as part of a contest.
When asked to create a “random” password, most people simply bash the keyboard. One of the most popular passwords in a recent leak of real passwords was “qweasdzxc”. If you find the Q key on your keyboard, you’ll see the obvious pattern. The same applies to 1qaz2wsx, mnbvcxz and other so-called ‘random’ passwords.

If any of these is your password, change it

“123456”, “12345678” and “12345” were in 2015’s top five passwords, according to Splashdata, which uses US and European data breach information to analyse password data. “123456” was, for the fifth year running, the most common password. However, “football”, “monkey” and “starwars” also have a place on the list. Interestingly, “football” moved up three places in 2015, overtaking “baseball”. The top 25 passwords are :

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop
23. solo
24. passw0rd

Can people create and remember 14 or 15 random long passwords?

Passwords should ideally be at least 16 characters long, and contain a combination of numbers, symbols, uppercase letters, lowercase letters, and spaces. In reality, we end up with a “system that not only is insecure but it’s totally unusable” according to Jeremy Grant, a senior executive advisor with the National Strategy for Trusted Identities in Cyberspace. People tend to lose patience with passwords they can’t recall and use the same one or two passwords for everything.

Passwords worked pretty well during the early years of the web when the cloud didn’t have anything like of data it does now. Wired editor and hacking victim Mat Honan wrote in 2012 : “..the serious hackers were still going after big corporate systems.” The focus of hackers has changed to small business. A 2013 Verizon report found that 62 percent of breach victims were small to mid-size businesses. The lack of IT resources or security expertise makes small businesses honeypots for cyber criminals.

So how do you create a secure password?

• Don’t use the same password for everything. One super-secure password won’t be any good if someone cracks it.
• Take a memorable, unusual sentence like “I am a 10-foot tall purple unicorn” and use the first letter of each word with punctuation: “Iaa10-ftpu”.
• You can grab 12 random words, too: “Pantry duck cotton ballcap tissue airplane snore oar Christmas puddle log charisma.” When placed into a password checker, the 12-word pass phrase above shows that it will take 238,378,158,171,207 quadragintillion years for a brute force attack to crack.
• Use a password manager such as 1Password or LastPass, which can generate secure passwords of up to 24 characters.
• Use two-factor authentication such as Google uses, which will send a text with a code or use an app to verify your log-in.

Passwords are deeply ingrained in our culture. Will an entire generation learn and accept a completely different system of validation, like biometrics ? Maybe not. But we could start better security by using two-factor authentication, which requires a password AND a pin code or app. Multi-factor authentication — a system that would require passwords plus a code obtained via text message plus a fingerprint, or something similar — may be in our future.