It was with much interest that I read the post on the GMail blog regarding choosing smart passwords. This was written as a response of sorts to the news that passwords from Hotmail, GMail and other email services were compromised by a phishing attack. Now, GMail needs to post a response like this, but the advice is wasted on consumers. This is what the GMail blog says and my reasons why it will never work for consumers:

Re-using passwords across websites
With a constantly growing list of services that require a password (email, online banking, social networking, and shopping websites — just to name a few), it’s no wonder that many people simply use the same password across a variety of accounts. This is risky: if someone figures out your password for one service, that person could potentially gain access to your private email, address information, and even your money.

Their solution is obvious: use unique passwords for important sites. Why will this never happen? People tend to forget things like passwords. For the important sites, consumers want to be sure they will remember the password. When there are "several" sites that are important, the passwords will likely end up the same. Using something from the target site as a cue (the blog uses "How much money do I have?" for a banking site) just transfers the difficult task from the password itself to the cue phrase. Indirection and abstraction typically introduce complexity, and that is not a good thing.

Using common passwords or words found in the dictionary
Common passwords include simple words or phrases like “password” or “letmein,” keyboard patterns such as “qwerty” or “qazwsx,” or sequential patterns such as “abcd1234.” Using a simple password or any word you can find in the dictionary makes it easier for a would-be hijacker to gain access to your personal information.

This is always good advice, but it is commonly ignored. The problem here is that people are inherently lazy, or at least want things to be somewhat simple. However, here I will pass the blame to the websites themselves. If the site allows someone to run a password cracking program against one user's password, then that site is not secure enough to be holding sensitive data. The users cannot be blamed for using "qwerty" as their password when the site lets a program attempt 500 unsuccessful logins.
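The point above is that the site, not the user, decides whether 500 guesses are allowed. The following added example (mine, not from the GMail blog or the post) shows the server-side control that enforces this: a per-account failure counter with a sliding window and a lockout that is consulted before the password is ever checked. The policy numbers, the fake user store and the fake clock are constructed for the demonstration.

```python
import time
from collections import defaultdict

# Constructed policy values (assumptions for this example, not from the post):
MAX_FAILURES = 5            # failures allowed inside the window before lockout
WINDOW_SECONDS = 15 * 60    # sliding window for counting failures
LOCKOUT_SECONDS = 30 * 60   # how long an account stays locked


class LoginThrottle:
    """Per-account failed-login counter with a sliding window and lockout.

    Once an account accumulates MAX_FAILURES inside WINDOW_SECONDS, further
    attempts are refused for LOCKOUT_SECONDS without evaluating the password.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for deterministic tests
        self._failures = defaultdict(list)  # account -> timestamps of failures
        self._locked_until = {}             # account -> unix time lock expires

    def _prune(self, account, now):
        cutoff = now - WINDOW_SECONDS
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self._clock() < until

    def record_failure(self, account):
        now = self._clock()
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account].clear()

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

    def attempts_remaining(self, account):
        self._prune(account, self._clock())
        return MAX_FAILURES - len(self._failures[account])


def attempt_login(throttle, verify_password, account, password):
    """Gate a credential check behind the throttle.

    Returns "locked", "ok" or "bad_password". The throttle is consulted
    before the password is verified, so a locked account reveals nothing
    about whether the guess was right.
    """
    if throttle.is_locked(account):
        return "locked"
    if verify_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad_password"


# --- Constructed demo: a fake user store and a fake clock -----------------
_FAKE_USERS = {"alice": "correct horse battery staple"}  # constructed sample


def _fake_verify(account, password):
    # A real system compares against a salted hash; plain text keeps the demo short.
    return _FAKE_USERS.get(account) == password


class FakeClock:
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_guessing(num_guesses):
    """Run num_guesses wrong passwords against 'alice', one per second, and
    return how many were actually evaluated before the throttle refused the rest."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    evaluated = 0
    for i in range(num_guesses):
        if attempt_login(throttle, _fake_verify, "alice", f"qwerty{i}") != "locked":
            evaluated += 1
        clock.advance(1)
    return evaluated


if __name__ == "__main__":
    print("guesses evaluated out of 500:", simulate_guessing(500))
```

With these numbers a 500-guess run gets only five passwords evaluated before the account is locked; the remaining guesses are refused without touching the password store. A production deployment would also throttle by source address and log the lockout, but the per-account gate is the piece that makes "qwerty" survivable for the user.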

Using passwords based on personal data
We all share information about ourselves with our friends and coworkers. The names of your spouse, children, or pets aren’t usually all that secret, so it doesn’t make sense to use them as your passwords. You should also stay away from birth dates, phone numbers, or addresses.

There is some good advice in their solution, like adding symbols and numbers to your password to make it harder to guess. People will always make the password somewhat personal, so that is hard to avoid, but the extra characters can limit the vulnerability. However, hackers tend to be a step ahead in the security fight. If you just replace "a" with "@", you are not really getting secure, just making it a wee bit harder for the hacker. Also, common substitutions like "3" for "e" and other little tricks like it are probably already built into the hackers' login attempts. Beyond that point, consumers will probably find it too difficult to create a really strong password.
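To make the "@ for a" point concrete, here is an added example (my code, not the GMail blog's or the post's) of a password check that undoes the usual substitutions before comparing against a wordlist, which is what a sensible strength checker does. The wordlist and substitution table are constructed for the example; a real checker would use a far larger dictionary.

```python
import itertools

# Constructed wordlist standing in for a real cracking dictionary (assumption).
COMMON_WORDS = {"password", "letmein", "qwerty", "qazwsx", "abcd1234", "welcome", "secret"}

# Reverse of the common substitutions the post mentions. One character may
# stand for several letters, so normalization expands into candidates.
UNLEET = {
    "@": "a", "4": "a",
    "3": "e",
    "1": "il", "!": "il",   # '1' or '!' could be 'i' or 'l'
    "0": "o",
    "$": "s", "5": "s",
    "7": "t", "+": "t",
}


def unleet_candidates(password, limit=256):
    """Return every plain-letter spelling the password could have been derived
    from via UNLEET (case-folded), capped at `limit` candidates."""
    choices = []
    for ch in password.lower():
        alternatives = UNLEET.get(ch, "")
        choices.append(sorted(set(alternatives + ch)))
    out = set()
    for combo in itertools.product(*choices):
        out.add("".join(combo))
        if len(out) >= limit:
            break
    return out


def looks_like_dictionary_word(password):
    """True if the password, after undoing substitutions and stripping trailing
    digits/symbols, matches a wordlist entry. This is the check a site should
    run at password-set time, before the password is ever stored."""
    for cand in unleet_candidates(password):
        stripped = cand.rstrip("0123456789!@#$%^&*")
        if cand in COMMON_WORDS or stripped in COMMON_WORDS:
            return True
    return False


if __name__ == "__main__":
    for sample in ("p@ssw0rd", "L3tM31n!", "correct horse battery staple"):
        print(f"{sample!r}: dictionary-derived = {looks_like_dictionary_word(sample)}")
```

"p@ssw0rd" and "L3tM31n!" both normalize back to wordlist entries, so they are rejected just as "password" would be; a multi-word phrase with no dictionary match passes. The same normalization a defender uses here is why the substitutions buy so little against a guessing program.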

Writing down your password and storing it in an unsecured place
Some of us have enough online accounts that we may need to write our passwords down somewhere, at least until we’ve learned them well.

If a consumer has followed the advice for the previous problems, they now have some seriously difficult-to-remember passwords. So, the consumer will do the next simple thing and put them in a file or a notebook. I agree with the blog's advice to avoid a notebook, but having a text file on your computer is not a bad thing. People will say that if someone gains access to your PC they could easily get access to all of your online accounts. This is true, but if someone gets access to your PC, you have already lost the security battle. A strangely named file will not stop that person, as they have likely just downloaded all of your non-media files to a USB drive.

Recalling your password
When choosing smart passwords like these, it can often be more difficult to remember your password when you try to sign in to a site you haven’t visited in a while. To get around this problem, many websites will offer you the option to either send a password-reset link to your email address or answer a security question.

The blog's first piece of advice is critical: "You should always make sure you have an up-to-date email address on file for each account you have, so that if you need to send a password reset email it goes to the right place." Consumers typically don't change email providers very often, but this is definitely overlooked when the change does occur. However, the general idea of security questions is somewhat flawed when it comes to online accounts. Because so much personal information is publicly available, it is fairly easy to guess people's answers to security questions. Generally, consumers will use what they can easily remember, but the blog does add a nice twist:

If you’re asked to choose a question from a list of options, such as the city where you were born, you should be aware that these questions are likely to be less secure. Try to find a way to make your answer unique — you can do this by using some of the tips above, or by creating a convention where you always add a symbol after the 2nd character in the answer (e.g. in@dianapolis) — so that even if someone guesses the answer, they won’t know how to enter it properly.

I know this post sounds like I do not put a lot of faith in the mass consumer, and when it comes to really strong password security I generally do not. There is an entire industry devoted to computer and internet security, so the mass consumer will be significantly behind the curve and thus never truly secure. The other side of this is that consumers can use a little diligence to avoid some of the more common password pitfalls. There are also several software packages available that anyone can download to manage and store passwords. These can improve the consumer's password security and leave them with only a small handful of strong passwords to remember. Of course, none of this addresses the phishing or social engineering problem.

Are there some tips or tricks that you use to remember your passwords?