Today advanced hardware makes it easy to crack passwords. In such a scenario, what should users do to prevent hackers? Geeta Padmanabhan has the lowdown
If you thought your clever password was something no one could hack, well, you are in denial. Consultancy firm Deloitte reports that 90 per cent of user-generated passwords are vulnerable to hacking. What, even my traditional (clever) combo of eight characters complicated by numbers, letters and symbols? Yes.
Last year, Zappos.com lost names, email-IDs, phone numbers and partial credit card numbers of 24 million customers. LinkedIn admitted its user passwords were “compromised”. Some 400,000 Yahoo email-ID passwords were hacked last July. In 2011, 77 million passwords were stolen from Sony’s PlayStation Network. GoDaddy's passwords were breached. FBI, NBC-sites, 112 Indian government sites found their “secure” passwords “exposed”. If it's any consolation, Taliban sites were successfully attacked too. Just check out what services like “iFramers” do to hacked websites.
How did our passwords get so susceptible? Longer passwords infused with @, *, % symbols are difficult to remember, so we pick a small subset from them — and they get cracked. We slip up by re-using passwords. Credit-checking firm Experian found that the average user has 26 password-protected online accounts but uses only five different passwords. Deloitte says the 10,000 most common passwords open 98 per cent of all accounts. When you key in the same password for online banking and Warhammer, a security breach at the gaming site compromises the bank account password.
Even long passwords aren't safe, says Ashwini Rao, researcher at Carnegie Mellon University. Sentence-like/phrase-like passwords such as “abiggerbetterpassword” and “thecommunistfairy”, postal addresses, email IDs and URLs also make for less secure passwords now, she says.
Blame it on advances in password-cracking hardware. “It's called a brute-force attack,” says techie Mahesh, explaining its nuances. “Powerful computers/laptops try every possible permutation-combination to find the 'right' one, no intelligence involved.” Creep! Our eight-character password, created from the 94-character keyboard, is one of 6.1 quadrillion possible combinations. “A dedicated password-cracking machine employing virtualisation software and high-powered graphics-processing units can crack any eight-character password in 5.5 hours,” the Deloitte report said. Nefarious, says Mahesh. “A computer working alone may not be able to dig, say, military networks. So a zombie machine, which could be yours, is roped in for the hack job. It's a small percentage of your CPU; you pay for unlimited time, so how will you know?” Hey! “Wait,” he says. “There is also crowd hacking, where hackers share the power of thousands of machines to infiltrate the target. At no cost.”
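The arithmetic behind the figures above is worth seeing once. This is an added example, not code from the article or from Deloitte: it takes the article's numbers (a 94-character keyboard alphabet, eight characters, 5.5 hours to exhaust the lot), derives the guess rate those numbers imply, and then applies that same rate to other password shapes, so you can see that adding length does far more for you than adding symbols. The policy rows are constructed for the comparison.

```python
import math

# Figures quoted in the article: the "94-character keyboard" alphabet and
# Deloitte's estimate of 5.5 hours to exhaust every eight-character password.
KEYBOARD_CHARSET = 94
ARTICLE_LENGTH = 8
ARTICLE_HOURS = 5.5


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from an alphabet of `charset_size`."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(charset_size)


def implied_guess_rate(charset_size: int, length: int, hours: float) -> float:
    """Guesses per second a cracker must sustain to exhaust the keyspace in `hours`."""
    return keyspace(charset_size, length) / (hours * 3600)


def hours_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Hours needed to try every password of this shape at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second / 3600


def compare_policies(guesses_per_second: float):
    """Rows of (label, entropy bits, hours to exhaust) for a few constructed password shapes."""
    policies = [
        ("8 chars, full keyboard (94 symbols)", 94, 8),
        ("8 chars, lowercase only (26 symbols)", 26, 8),
        ("12 chars, lowercase only (26 symbols)", 26, 12),
        ("12 chars, full keyboard (94 symbols)", 94, 12),
        ("16 chars, lowercase only (26 symbols)", 26, 16),
    ]
    return [
        (label, round(entropy_bits(size, length), 1), hours_to_exhaust(size, length, guesses_per_second))
        for label, size, length in policies
    ]


if __name__ == "__main__":
    rate = implied_guess_rate(KEYBOARD_CHARSET, ARTICLE_LENGTH, ARTICLE_HOURS)
    print(f"keyspace for 8 x 94: {keyspace(KEYBOARD_CHARSET, ARTICLE_LENGTH):.3e}")
    print(f"implied cracking rate: {rate:.3e} guesses/second")
    for label, bits, hours in compare_policies(rate):
        print(f"{label:40s} {bits:6.1f} bits  {hours:14.1f} h")
```

At the rate the Deloitte figure implies (roughly 3 x 10^11 guesses a second), an eight-character lowercase password falls in under a second, a twelve-character lowercase one lasts a few days, and a twelve-character full-keyboard one takes tens of thousands of years. Entropy, not symbol variety on its own, is what buys time.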
Help! Twitter and Adobe re-set thousands of passwords after “embarrassing” goof-ups. Google alerts you to unusual mobile-phone activity. It also wants you to insert a YubiKey, a tiny key with an embedded smart chip that goes into a USB port, unlocks and automatically logs on to all your accounts without asking for a password. YubiKey works on Windows/Mac/Linux/iPad/Firefox/Chrome, and is waterproof, crush-safe, and needs no battery or client software/drivers. With a simple touch the YubiKey sends a one-time password (OTP) as if typed. The unique passcode is verified by a YubiKey-compliant app. Fine. “Things like YubiKey are definitely more secure as they support random passwords and provide two-factor authentication,” says Mahesh. “Corporates use them on a day-to-day basis because they are mandatory, but you will use it a lot less since it's optional.” You could lose it, you need to insert it, and you must always type in a master password to access websites. Too much!
“Multi-layer authentication” is possible. You log on to your credit card issuer’s site, type in your username/password, receive a second code on your smartphone and key it in, and go online. Not terribly convenient! Password vaults or password safes (paid tools) offer you a central place to store all your passwords, encrypted and protected by — you guessed it — a password or token. These, presumably, are not easily cracked. Firefox can save user names and passwords for online services like banking.
Go for poor grammar and spelling, says Ashwini Rao. Hurray! Since a brute-force tool searches for correctly spelled words and grammatical combinations, you hoodwink it by staying outside the dictionary. She suggests phrases such as “Pineapplesi$nise” and “Exitingplan$isafoot”, that is, if you can memorise the deliberate mistakes. Try “eat cake at 8!” or “car_park_city?” (Idontnohowtospal.com). The high-tech crowd touts a biometric solution, but it has its hiccups. Smartphones ask you to connect nine dots — easy, many combos, visual/tactile (touch to remember). Connecting fewer dots generates more combinations.
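Rao's point is that a phrase made only of correctly spelled words is easy for a guessing tool to reassemble from a word list. The following is an added example, not code from the article or from Rao's research: a small strength-check of the kind a password meter or sign-up form could run, which tries to split a candidate into dictionary words and flags it if the whole thing is just words glued together. The word list is a constructed handful covering the article's own examples; a real check would load a full dictionary.

```python
# Constructed mini word list for the demo; a production checker loads a real dictionary.
WORDS = frozenset(
    "a bigger better password the communist fairy pineapples is nice "
    "exciting plan afoot eat cake at car park city".split()
)


def segment(password: str, words=WORDS):
    """Split the lowercased password into dictionary words, or return None.

    Uses the classic word-break dynamic programme: prev[i] records where the
    word ending at position i starts, if password[:i] can be covered by words.
    Anything containing digits, symbols or spaces is not a plain word string
    and is rejected up front.
    """
    s = password.lower()
    if not s.isalpha():
        return None
    n = len(s)
    prev = [None] * (n + 1)
    prev[0] = 0
    for end in range(1, n + 1):
        for start in range(end):
            if prev[start] is not None and s[start:end] in words:
                prev[end] = start
                break
    if prev[n] is None:
        return None
    pieces = []
    i = n
    while i > 0:
        pieces.append(s[prev[i]:i])
        i = prev[i]
    return pieces[::-1]


def is_word_concatenation(password: str, words=WORDS) -> bool:
    """True when the password is nothing but dictionary words run together."""
    return segment(password, words) is not None


def verdict(password: str) -> str:
    """Human-readable result for a candidate password."""
    parts = segment(password)
    if parts is not None:
        return "rejected: dictionary words only (" + " ".join(parts) + ")"
    return "passed: not a plain dictionary phrase"


if __name__ == "__main__":
    for candidate in ("abiggerbetterpassword", "thecommunistfairy",
                      "Pineapplesisnice", "Pineapplesi$nise", "eat cake at 8!"):
        print(f"{candidate:24s} {verdict(candidate)}")
```

The example also shows why Rao's misspellings work: “Pineapplesisnice” segments cleanly into pineapples/is/nice and is rejected, while “Pineapplesi$nise” breaks the split twice, once with the symbol and once with the misspelt last word.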
Follow good password practices
Never share your password. Avoid using non-secure networks at public places to send private information. Change your password after using a non-secure network, and change it frequently. Never store your password in a program. “I use LastPass — a password manager and form-filler,” says Mahesh, “and a secure operating system like Linux. All codes are out in the open, so it is easier to review.” Mmmm... will you consider becoming a hacktivist? If you do, let me know.