Last month, some 6.5 million encrypted LinkedIn user passwords—or about 4% of the service’s 150 million users—showed up on a Russian hacker forum. As the news spread, many understandably concerned users—after confirming that they did, in fact, have active LinkedIn accounts—quickly logged on to change their passwords.
For most of them, that meant just one more entry in a growing list. Anyone living any kind of online life these days almost by definition has more passwords than they can handle. There are passwords for Facebook and passwords for Twitter. There are passwords for personal e-mail accounts, work accounts and accounts long forgotten. (When was the last time you checked your Hotmail?) And lurking behind them all is a dense and contradictory fog of advice on how to make those passwords “strong.” They should be easy to remember, but hard to guess. They should not be written down. They should mix letters and numbers. And they should never, ever be something as simple as “Password99” (Or “1234,” for that matter, which, as hackers discovered in June, was the most popular password on LinkedIn.)
The operating assumption in password protection is that if only everyone had some basic understanding of encryption, their passwords would be safe. Follow the right advice, in other words, and rest assured your personal information will be secure. But then, that’s not really true, is it? The breach at LinkedIn made equal victims of Password99 and L77jb3T.
In most cases, it turns out, the strength of your password doesn’t mean very much at all. At least that’s a theory a group of academics and researchers, including Carleton University computer science professor Paul van Oorschot, have been pushing more and more vocally in recent years. Van Oorschot and his colleagues believe companies and researchers have dropped the ball when it comes to password protection. What’s more, they argued in a recent research paper, most tips for protecting passwords do nothing to guard against the most common forms of breaches: phishing, keystroke logging, and plain old looking over shoulders. A deeply complex password—a long string of random characters, for example—really only helps deter what’s known as a “brute-force attack,” where a computer program tries millions of password combinations in an effort to find the right one. As for the common office IT requirement that you switch your password every few weeks, it’s of even less worth. “We now have research that shows that this is generally an absolutely ridiculous policy to have,” van Oorschot says. If hackers can find an earlier password, the evidence shows, they can usually figure out the new one too.
We get the advice we do because it’s easy to give, van Oorschot believes, not because it’s effective. The truth is, even the experts don’t know as much as they should about how passwords work, how effective they are, or what happens when they get compromised. And what little information is in the public realm is often coloured by companies looking to drum up security business, on the one hand, or hacked companies looking to salvage their online reputations.
What experts do know, however, is that over the past 20 years, passwords have become more complex and harder to use, while security hasn’t improved significantly at all. So the next time your office IT manager bugs you to switch your password or make it harder to guess, tell him to relax. There’s a good chance it won’t do either of you any good anyway.
3 WAYS TO MANAGE ONLINE PASSWORDS
1) Write them down
Go ahead. Paul Van Oorschot, professor of computer science at Carleton University, says it’s OK: “What is the risk of someone being inside my house and getting access to my password, compared to choosing one that could be solved in three guesses by someone on the other side of the world?”
2) Perform basic triage
You probably want to do everything you can to protect your online banking code, for example, but the password for your Swiss Chalet account? “MmmChicken” is probably fine.
3) Use software
There are programs on the market to help manage passwords. Some of them, like the Firefox browser’s password manager, are restricted to a single machine, others, like LastPass, are portable and can be used on tablets and smartphones.