6 simple tricks for protecting your passwords

We all know that the current username-and-password system is broken. It's fair to assume that if hackers don't have your password already, they're about to


We all know that the current username-and-password system is broken. With Russian hackers reportedly sitting on over a billion passwords, and new breaches hitting the news on a regular basis, it's fair to assume that if hackers don't have your password already, they're about to.

“Most websites and companies require passwords that are at least eight characters long, contain lower and upper case characters, a number, and one or more special characters,” says Vincent Berk, CEO of network security firm FlowTraq.

These kinds of password policies have actually reduced security overall, argues Jacob West, CTO at HP Enterprise Security Products. “We need to bring some sanity back to our password policies,” he says. “A human will never be able to meet these requirements.”

Since people can't remember these passwords, they use the same ones over and over again. In fact, according to a November study by RSA and the Ponemon Institute, 69 percent of consumers reuse their passwords on multiple sites – even though nearly 50 percent have been victims of a data breach.

Carrying a list of passwords around in your wallet is no good, because your wallet could be lost or stolen. Whether or not the thief notices the list of passwords and uses them, you will have lost all your passwords and will have to manually reset access to all your sites – and hope that none of them are linked to email addresses you no longer have access to.

Plus, if you have a lot of work-related passwords on that list, you might get into trouble with your employer for writing down those passwords – and also for losing them.


“The truth is that passwords are well beyond their use-by date,” says Jason Hart, CEO of Identiv, a security vendor based in Fremont, California. “The only rational answer is to move to a universal, standards-based system involving more than a password.”

Welcome to two-factor hell

Hart, and many other security experts, suggests more use of multi-factor authentication.

“Two-factor authentication and biometrics are good technologies for fortifying passwords,” says Bob West, chief trust officer at CipherCloud, a cloud security vendor in San Jose. “But the problem is that of practicality – most applications can't support two-factor authentication.”

Plus, the variety of two-factor technologies poses its own set of challenges. “As much as we're in password hell now, the second factor hell that’s coming is even worse,” says Andre Boysen, chief identity officer at SecureKey Technologies.


There are SMS messages with one-time passwords or authentication codes. Smartphone apps. USB keys and smartcards and key fobs of various kinds. Voice print analyzers, typing speed analyzers, apps that track the way a user draws a certain pattern. Fingerprint scanners. Cameras that recognize your face or track your eyes or facial expressions.

“It's confusing the hell out of users,” says Boysen.

Eliminate passwords whenever possible

Enterprises can make life easier for their employees by rolling out single sign-on portals that provide access to just the tools and applications that individual employees need, and track their behavior while in the system. Strong authentication at the point of login, plus second factor verification of unusual behaviors, can increase security without unduly burdening the employee.

Most importantly, it would eliminate the scourge of privileged user accounts – one of the most dangerous attack vectors in an enterprise. However, this isn't an option – yet – for every cloud-based application that employees might need to have access to.

So here are some old-school ways to keep track of personal and work-related passwords.

1. Letter substitution cipher: a=b

Letter-substitution ciphers have been around almost as long as alphabets. Each letter is replaced by either another letter, a number, or a symbol – just like the cryptogram puzzles in the Sunday newspaper.

Pretty much the easiest cipher is one where you replace every letter by the next one in the alphabet. So, for example, “cat” becomes “dbu” and “dog” becomes “eph.”

Letter-substitution ciphers are easy to crack if you have a couple of sentences of encrypted text – and if you know ahead of time what kind of cipher is being used.

They become extremely difficult if the snippets are short, and if the hacker doesn't know that you're using one.

For example, say your list of passwords looks like this: “bank: pineapple!1, email: butterfly?2, social: cumulus#3.” If hackers get their hands on your list, they might try typing in “pineapple!1,” and if that doesn't work, they might type it in backwards. But the odds of them trying “qjofbqqmf!1” are pretty low – at that point, they might as well be using a brute-force approach, trying every possible combination of letters and numbers.

2. Letter substitution cipher: a=s

This one works great if you're a touch typist. Simply move your fingers one key to the right when you type in your passwords. “Cat” becomes “Vsy.”

With this approach, numbers and symbols get switched, as well – and no thought or memorization is required.

3. Never write down encrypted passwords; banana, not nsmsms

It might seem more secure to write down, say, “nsmsms” instead of “banana,” then enter “banana” as your password into the actual website, deciphering the code in your head.

But writing down “banana” and doing the encryption in your head, instead of writing down “nsmsms” and doing the decryption, is more secure. That's because the hacker or thief who gets their hands on your list won't get a heads-up about the encryption method you're using.

If hackers see “nsmsms” and a bunch of other obviously encrypted words, they might be tempted to try their hand at deciphering them – for example, by running them through a cryptogram solver. And they'll know that they've succeeded because they'll get “banana” out at the end.

With a list of plain words, there's nothing to hint to the hacker that you're doing something tricky. And when they don't work – well, maybe you've changed them since, or you have rearranged them, so that the passwords actually go with different sites.

But you might still be hesitant about writing down something like “bank: pineapple!1, email: butterfly?2, social: cumulus#3” – especially, say, someplace visible where a boss, a coworker, or your company's security staff might see it and get upset.

Consider using a code instead of a cipher.

4. Use earworms to your advantage: Wheels on the bus go round and round

Back in the old days, one common way to exchange secret messages was to use two identical copies of a book. A Bible, say, or, really, any book at all.

To send a particular word, you'd find that word in the book and write down its page number and position on the page. The code was cumbersome to use for sending messages and only worked as long as your enemies didn't know what book you were using.

But it's an easy way to generate passwords, since you only need one copy of the book. In fact, you don't even need a whole book. You can use a prayer you've memorized, or a speech, poem, or song. If you can't memorize any at all, you can use one you can easily look up online. But really – you don't have a single song memorized?

So, say your song is “The wheels on the bus go round and round.”

“Bank: 5-2” would translate to a password of “bus-wheels.”

Since nobody knows what song is stuck playing over and over in your head, nobody is going to guess what that code means unless they already have several of your passwords, and can then work backwards and reconstruct the song lyrics.

5. The mnemonic code: a=alpha

But why bother writing down a list of words when you can use a memorization trick that stage magicians have used for centuries – mnemonics?

Start with an alphabet you know well, such as “a is for apple, b is for banana” or “a is for alpha, b is for bravo.”

Then use the word that corresponds with the first – or the last – letter of the site you want to memorize the password for.

For example, if you decide to base your code on the first two letters of the site, and you want to remember the password for bank.com, you'd start with “bananaapple.” Throw in a hyphen and you've got your required symbol, too.

Combine it with a letter substitution cipher and the password for bank.com becomes “nsmsms=s[[;r” – good luck to anyone trying to guess that one.

Or, instead of the alphabet, you can use your favorite song lyrics. “b” is the second letter in the alphabet and “a” is the first, so your base password becomes the second and first words of the lyric: “wheels-The.”

Another approach is number-based mnemonics, where, “zero is hero, one is bun, two is shoe.” So a site like bank.com, with four letters in the main domain, would have the base password “zero-door.” Drop the zero, and you can use song lyrics here, as well.

It won't give you a unique password for every single site, but it will provide a wide range of possible passwords.

6. Add site name to end of password: banana-twitter

To ensure a unique password for every single site – without having to write anything down – add the name of the site to the end of the password, suggests Luis Corrons, technical director of cloud security vendor Panda Security.

So, for bank.com, you'd add “-bank” to the end of it. And, for your social media accounts, “-twitter,” “-facebook” and “-linkedin” or – for a little less typing – “-twit,” “-face,” and “-link.”

7. Expiration date trick: banana-q1-14

But what about companies that make you change your passwords every three or six months?

Simply add the year and the quarter to the beginning or the end of the password. So, if your base password is “banana,” you'd have “banana-14-q1” or “banana-14-q2” or “banana-2014-h2.”

After moving everything over one key on the keyboard, the last of those, “banana-2014-h2,” becomes “nsmsms=3-25=j3.”

And – voila! A unique password that you can remember, that's difficult to guess, and that you can change regularly.
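Added here as a worked example, not code from the article or from any vendor it quotes: a Python implementation of tricks 1, 2 and 4 that reproduces the article's sample values (“cat” to “dbu,” “Cat” to “Vsy,” “5-2” to “bus-wheels,” and the trick 7 password “banana-2014-h2” to “nsmsms=3-25=j3”). The US QWERTY row layout and the wrap-around at the end of each row are my assumptions; the article does not spell them out. The `offset=-1` call shows the flip side of trick 2: the shift is a simple bijection, so anyone who knows the scheme reverses it instantly, which is why trick 3 tells you not to write down the shifted form.

```python
# Added example (not from the Network World article): the article's two
# substitution tricks and its song code, reproducing the sample values it gives.

# Trick 1: replace every letter by the next one in the alphabet.
# Digits and symbols are left alone, matching "pineapple!1" -> "qjofbqqmf!1".
def shift_alphabet(text, offset=1):
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + offset) % 26))
        else:
            out.append(ch)
    return "".join(out)

# Trick 2: move one key to the right on a US QWERTY keyboard.
# Assumed layout (unshifted rows and their shifted counterparts); the end of a
# row wraps around to its start, which is an assumption the article does not make.
_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFTED = ['~!@#$%^&*()_+', 'QWERTYUIOP{}|', 'ASDFGHJKL:"', 'ZXCVBNM<>?']

def _build_map(offset):
    table = {}
    for row, shifted in zip(_ROWS, _SHIFTED):
        for chars in (row, shifted):
            for i, ch in enumerate(chars):
                table[ch] = chars[(i + offset) % len(chars)]
    return table

def shift_keyboard(text, offset=1):
    # offset=1 is the article's "one key to the right"; offset=-1 undoes it,
    # which is all a thief needs once the scheme is known.
    table = _build_map(offset)
    return "".join(table.get(ch, ch) for ch in text)

# Trick 4: a code like "5-2" picks the 5th and 2nd words of a memorized lyric.
def song_code(lyric, code):
    words = lyric.split()
    return "-".join(words[int(n) - 1] for n in code.split("-"))

if __name__ == "__main__":
    lyric = "The wheels on the bus go round and round"
    print(shift_alphabet("cat"), shift_keyboard("Cat"))        # dbu Vsy
    print(song_code(lyric, "5-2"))                             # bus-wheels
    print(shift_keyboard("banana-2014-h2"))                    # nsmsms=3-25=j3
    print(shift_keyboard("nsmsms=3-25=j3", offset=-1))         # banana-2014-h2
```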

What about password managers?

One popular alternative is to use a password management tool that keeps all your passwords in an encrypted file, usually in combination with apps on your desktop, laptop and mobile devices.

But a new research report that came out this August, presented at the USENIX Security Symposium in San Diego, found security vulnerabilities in four out of five major password managers.

“We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords,” the study authors said. “The root causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model.”

In addition, many people choose password managers that offer Web-based access, which is handy if you are using someone else's machine and need to get access to your accounts. But this means that a hacker can use a keylogger to get in and grab all the passwords at once.

And that's in addition to the bookmarklet, Web, and user interface vulnerabilities found by the security researchers. The researchers did report the problems they found to the vendors involved, and most of the bugs were fixed within days after disclosure. But the worry remains.

“Our study suggests that it remains to be a challenge for the password managers to be secure,” the researchers said.

Maria Korolov is a freelancer writer. She can be reached at maria@tromblyinternational.com.

This story, "6 simple tricks for protecting your passwords" was originally published by Network World.

Copyright © 2014 IDG Communications, Inc.
