It’s that tingling after our fingers auto-type the “unbreakable code” we’ve auto-typed thousands and thousands of times before. It’s that internal gnawing every time another news story breaks about a high-profile hack. It’s that bubbling worry whenever a website’s password-power indicator light remains on yellow, despite throwing all sorts of numbers and upper-case letters in there.
Our passwords are not powerful enough. It’s only a matter of time before we get hacked.
The conventional wisdom—which, mind you, no security experts I spoke to agree with—is, if you want to stay safe, change your passwords once every few months. That is, all your passwords. This means your email account(s), your bank account(s), your credit card(s), your various avataristic expressions of self contained in the social media of the day—yes, even the ones you don’t use anymore (oh hey there, Myspace). Ever buy something on Etsy, or Amazon, or your neighborhood pizza place? Ever use PayPal to complete any transaction? Yeah, all those too.
The problem with this, of course, is that changing dozens and dozens of passwords on a semi-regular basis isn’t feasible for anyone who also wants to spend their life doing things like drinking beer or creating art or spending time with loved ones. Is there a way to solve this problem?
I asked a few friends in the tech industry about their password-changing habits. Each told me they have instructions from their companies on how often they must change their passwords, in many cases enforced by a system that locks them out and forces them to come up with a new password every x days. To accomplish this goal without going crazy, they use variations of the same basic password when they switch them (for example: Hello12345 turns into Hello123456). This is essentially what I do.
Some of my passwords have numbers, some have upper- and lower-case letters, some have symbols, but they’re in the same family tree. If I forget one—something I do pretty often—I go through the motions and, more often than not, strike the right one before the website’s security system locks me out. When that doesn’t work, I swallow hard and undertake the shameful “Forgot Your Password?” click. One thing I don’t do, however, is change my password. But maybe that’s not the worst thing in the world?
“I’ve seen [being asked to change your password] every month, and that’s just stupid,” says Bruce Schneier, a privacy specialist who has been blogging about security issues since 2004, before launching into a litany of rhetorical questions. “How does changing it help? How does changing it solve that problem? What is the threat, what is the attack?” Rather than demand answers, Schneier’s questions illustrate a larger point: “How does changing your password help?”
It’s important to consider the implication that comes with the directive that you should change your password: That your password is weak.
“The essential reason you change your password is that it limits the long-term use of your stolen password,” Schneier says. Changing your password shrinks the amount of time it can be used before you realize it has been stolen. However, in most cases, users are made aware pretty quickly that their password has been compromised, so constantly changing it makes little sense. “If I steal your bank account password, you’re going to find out when I withdraw money from your account,” Schneier says. “There’s no situation where you’re going to keep stealing money and I’m not going to notice.”
When you’re asked to change a password, you shouldn’t automatically do it just because there’s some nebulous threat lurking in the Internet’s shadows. By doing that, you’re actually doing more harm than good in terms of security. “If you change your password all the time, it increases the likelihood you’re going to choose a lousy one,” Schneier says. “And because you have to change it quickly, it increases the likelihood you’re going to re-use them across different domains.”
“Choose a good password and don’t change it.”
Before we detail what is good, it’s worth pointing out what is bad:
[A]ccording to an analysis of cracked Ashley Madison passwords, more than 100,000 users opted to make their site password the following six-digit string: “123456.”
Rather than marveling at the gumption of the people who believed a password like that was an adequate-enough firewall for their extramarital activity, let’s focus on why this wasn’t a powerful password. See, it’s not kids with all styles and colors of hair hacking into accounts from their parents’ basements anymore. (Not that the above would’ve kept them out.) It’s computers doing the dirty work. And for good reason: Computers are great at breaking into computers.
Hacking is a numbers game. On one hand is the specific combination of keystrokes that constitute the target password. On the other is this other pesky element called “time.” A computer can’t (yet!) go through all of the possible combinations in a relatively reasonable amount of time, so hackers have to create a hierarchy to winnow down the possibilities. The first, obviously, is the list of the most commonly used passwords. The second is the usual combination of “roots plus appendages,” a password that consists of a word followed by numbers or symbols. (For the words, the computer programs use a variety of dictionaries; for symbols, they use things like dates and common two-digit patterns.)
There’s a reason hacking programs go through these first: Most passwords resemble them. It’s also why advice from the webcomic XKCD is so often cited as the way to stop brute-force hacker attacks. In short, it suggests forgetting about those cute words spelled with zeros instead of O’s and ones instead of I’s, and, instead, just using random words. (That said, the comic was from 2011, and hackers have now learned how to get around the comic’s specific advice of using four random words.) The advice of “randomizing” is important, since any personal information in your password is probably stored on your computer, and thus is accessible:
A good password cracker will test names and addresses from the address book, meaningful dates, and any other personal information it has. Postal codes are common appendages. If it can, the guesser will index the target hard drive and create a dictionary that includes every printable string, including deleted files. If you ever saved an e-mail with your password, or kept it in an obscure file somewhere, or if your program ever stored it in memory, this process will grab it.
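The two cheapest tiers of that hierarchy, the common-password list and the “root plus appendage” pattern, are easy to spot mechanically, which is exactly what a password-strength check on the defending side should do. The following is an added example written for this article, not code from the piece or from any cracking tool; the common-password set and the dictionary are tiny constructed stand-ins for the real leaked-password corpora and word lists such a check would load. It also undoes the zero-for-O, one-for-I style spelling mentioned above before looking the root up, since cracking programs apply the same substitutions.

```python
# Constructed sample lists, not real cracker input: a real checker would load
# the full leaked-password corpus and a large word list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "111111"}
DICTIONARY = {"hello", "dragon", "monkey", "summer", "password", "welcome", "secret"}

# Look-alike digits and symbols that people swap in for letters. The checker
# reverses the swap before the dictionary lookup, because crackers do too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Characters that typically make up the "appendage": digits, dates, symbols.
APPENDAGE_CHARS = set("0123456789!@#$%^&*._-")


def unleet(text):
    """Turn 'Dr4g0n' back into 'Dragon' so the word can be looked up."""
    return text.translate(LEET)


def root_plus_appendage(password):
    """Return (root, appendage) if the password is a dictionary word, possibly
    leet-spelled, followed only by digits/symbols. Longest root wins.
    Returns None when no such split exists."""
    for i in range(len(password), 0, -1):
        root, appendage = password[:i], password[i:]
        if not set(appendage) <= APPENDAGE_CHARS:
            continue  # appendage still contains letters; shorten the root
        plain = unleet(root)
        if plain.isalpha() and plain.lower() in DICTIONARY:
            return root, appendage
    return None


def classify(password):
    """Place a password in the cheapest tier a cracker would reach it in."""
    if password in COMMON_PASSWORDS:
        return "common"
    hit = root_plus_appendage(password)
    if hit is None:
        return "passes checks"
    return "dictionary word" if hit[1] == "" else "root+appendage"


if __name__ == "__main__":
    # The Hello12345 -> Hello123456 "rotation" from earlier in the piece lands
    # in the same tier both times; the extra digit buys nothing.
    for candidate in ["123456", "Hello12345", "Hello123456", "Dr4g0n!",
                      "secret", "correcthorsebatterystaple"]:
        print(f"{candidate:28} {classify(candidate)}")
```

Note that “passes checks” only means the password survived these two cheap tiers; a real meter would go on to test keyboard walks, dates, and the personal-information dictionary described in the quoted passage.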
The problem is, how can you memorize something that’s completely random? The answer: You don’t.
Password managers solve this issue. They are programs that store all your passwords in one place, guarded by a single master password. (Schneier wrote a free program called Password Safe that also generates tough-to-crack passwords.) Many of them not only let you copy and paste, so you don’t have to type those weird strings of characters every time, but also auto-fill your password on the intended website, saving you that step altogether.
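What “tough-to-crack” means in practice is that the password is drawn uniformly at random from a large enough space, so that the cheap tiers above never apply and a cracker is left with the full search. The following is an added example, not Password Safe’s code or any manager’s: it uses Python’s `secrets` module (the operating system’s cryptographic random source, as opposed to `random`, whose output is predictable) to generate both a random-character password and a random-word passphrase, and reports the size of each search space in bits. The word list is a short constructed stand-in; a real diceware-style list has thousands of entries, and the entropy figures for it are computed from that larger size.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits, punctuation.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real diceware-style list. The entropy of a
# passphrase depends on the list size, so a real list (e.g. 7776 words) is
# what makes four random words strong; this toy list is for demonstration.
WORDLIST = ["amber", "banjo", "cactus", "dune", "ember", "fjord", "gecko", "harbor",
            "igloo", "jaguar", "kelp", "lunar", "maple", "nectar", "orbit", "pepper"]


def entropy_bits(choices, count):
    """Bits of entropy for `count` independent uniform picks from `choices` options.
    This is log2 of the number of equally likely outputs the generator can produce."""
    return count * math.log2(choices)


def random_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Random character string using the OS CSPRNG via secrets.choice()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=4, wordlist=WORDLIST, sep="-"):
    """Random words joined by a separator; each word is an independent uniform pick."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def strength_report(password_length=20, phrase_words=4, list_size=7776):
    """Compare the search spaces a cracker faces for the two styles."""
    return {
        "password_bits": round(entropy_bits(len(PASSWORD_ALPHABET), password_length), 1),
        "passphrase_bits": round(entropy_bits(list_size, phrase_words), 1),
    }


if __name__ == "__main__":
    print("password:  ", random_password())
    print("passphrase:", random_passphrase())
    print(strength_report())
```

The point of the last function is the comparison, not the exact numbers: a 20-character random password from a 94-symbol alphabet and a four-word phrase from a 7776-word list both force the attacker into a search that no “common list first” shortcut can skip, which is precisely the property the human-chosen Hello12345 family lacks.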
Of course, having all of your passwords in one location on your computer, guarded by a single password, may leave some folks feeling more anxious. In that case, the solution is a little more low-tech.
“We have two mechanisms for [remembering a randomized password],” Schneier says. “You can write it on a piece of paper, and you can store them. As a society, we’re really good at storing valuable small pieces of paper. We have things called wallets. Write your passwords down, put them in your wallet, keep them in there.”