If You Can Remember Your Password, It’s Probably Not Secure

Is your login data vulnerable? (Or... why I can't endorse Thomas MacEntee's password system)

Recently on the Genealogy for Technology Facebook group, someone asked about password managers. I am a fan of 1Password, but there are others out there that work just as well. Password managers work by creating a new randomly generated password for each site you create a login for. Those passwords are stored along with your username in an encrypted database that is protected by a master password. (In order to work well, your master password should be difficult to crack.) Some systems have their own servers for syncing and some use Dropbox or other cloud-based storage systems. I use 1Password with Dropbox and it syncs my password database across all of my devices almost instantaneously. Password managers allow you to isolate each account from all of the others by using a hard to crack password that isn’t used anywhere else.

The worst thing you can do with regard to online security is use the same password on multiple sites. If any one of them is compromised, your accounts at every other site are now vulnerable. Even worse, some people use a common password, such as 123456 or the ubiquitous "password", at multiple sites. A look at SplashData’s annual list of the most common passwords shows that these top the list for both 2013 and 2014.

Easy to Remember Password Systems

Many people have decided that they are outsmarting the system by coming up with a password scheme that is easy to remember but yields a different password at every site. As a webmaster of 15 years, I have insight into the backend of what happens when you log in to a website, and as such I was dismayed to see many users advocating these types of systems. Famed genealogist Thomas MacEntee (who has fantastic advice in genealogy matters) advocates such a system.

The recommendation goes something like this: use a nonsense base password that you can remember, add a symbol or two, then use that appended with letters from the site’s name for different sites. It seems secure on the surface: it’s easy to remember, you aren’t using the same password for more than one site, and it’s not a dictionary word.

Security Risks

Using Patterns in Passwords

While it’s better than the practice of using the same password at multiple sites, MacEntee’s system and others like it are far from secure. It would be a very easy pattern to discern using a script on hacked password lists, and since most hackers compare lists from several hacks, it wouldn’t take long to determine the pattern and combine it with the user’s email address to access the user’s accounts on other sites.

In addition to using software to find patterns in passwords, hackers use software to try staggeringly large numbers of combinations (350 billion guesses per second) in short periods of time in brute-force attacks. While nothing is completely secure, the best practice is to exhaust the resources an attacker can spend on cracking your password. Hackers usually go for the low-hanging fruit, so forcing brute-force scripts to use more resources is safest. Random passwords that are never reused are the only “very safe” option for logins (there is no such thing as 100% safe – all you can do is adapt to new technology and try to stay 2 steps ahead).

The Problem of Plain Text

Most people think of nefarious hackers when they think of security breaches, but it’s not just hackers you need to worry about. Think of your password the way that you think of your credit card number. Years ago, merchants used swipe machines that captured an image of your number, and anyone with access to that receipt or its carbons had access to your credit card information. That is the equivalent of unencrypted passwords. Insecure websites don’t encrypt your password (you can tell the difference by the password recovery system – if it sends you your password for recovery instead of resetting it, it’s not encrypted) and the webmaster, webhost employees, and anyone else with access to the site’s database can just read your password in plain English. In contrast, today’s credit card processors only display the last 4 digits of your credit card. Similarly, encrypted passwords look like gibberish and require a key to unlock the real password, so an encrypted password adds the security of hiding your password similar to how today’s receipts hide your credit card number. There are still risks, but fewer of them.

Here’s the problem: unlike credit card transactions where the entire system has gone to using only the last 4 digits, there are still many websites out there that are storing your password unencrypted.
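The difference between a site that stores passwords readably and one that cannot hand them back, as an added example (not code from this post or from Menus4Moms). Instead of reversible encryption it uses salted PBKDF2, a one-way hash, which is the usual practice: the site can check a login but can never e-mail the password back, so its recovery flow must be a reset. Round count and record format are my choices; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the post's own code. A "plaintext record" here is simply
# the password as typed, i.e. what an unencrypted site keeps in its database;
# a "hashed record" is what a careful site keeps instead.
PBKDF2_ROUNDS = 600_000  # deliberately slow to raise the cost of each guess

def store_hashed(password: str, salt: bytes = b"") -> str:
    # Per-user random salt: identical passwords give different records and
    # precomputed tables are useless. A fixed salt is accepted only for tests.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_hashed(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # not one of our hashed records
    _, rounds, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)

def password_for_recovery_email(record: str) -> Optional[str]:
    # The article's test: a site that can put your password in a recovery
    # e-mail is storing it readably. A hashed record cannot be turned back,
    # so the only honest option is a reset link.
    return None if record.startswith("pbkdf2_sha256$") else record
```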

An Example

Since the base password + website name system and others like it are a pretty common trend (especially since they are published online where anyone can see them), it’s easy for anyone with access to unencrypted passwords to see the pattern and use it to log in elsewhere. If I were the webmaster of such a site (my menu planning website Menus4Moms encrypts passwords so I couldn’t do this, but I’ll use it as an example) I could easily look through the passwords in my database and spot ones that have letters from my site name at the beginning or end. So if I saw a user with the password Menlyn23! or mZoobilyZoos, it would jump out, because I would now be looking for passwords that begin and/or end with the letters in my site name (Menus4Moms). From there, I could just start trying combinations at target sites. This makes you particularly vulnerable if you are using the same pattern for the login to your email address. Armed with the pattern and the gmail/yahoo address that you used on my site, I could head to Google (or Yahoo! or Hotmail – you get the idea) and start trying passwords like goolyn23! and gZoobilyZooe to get in. Once I’m in, I could simply change the password to lock you out.
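What a webmaster can do about the site-name habit at registration time, as an added example (not code from this post or from Menus4Moms): a policy check that refuses passwords on the common list and passwords whose letters embed a run of the site name, so the Menlyn23! style never reaches the database. The site name, the placeholder common-password list and the thresholds are my constructed choices.

```python
import re

# Added example, not the post's own code. Registration-time policy check.
SITE_NAME = "Menus4Moms"
# Placeholder for the real SplashData list, which is much longer.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty"}
MIN_FRAGMENT = 3   # site-name substrings at least this long are rejected
MIN_LENGTH = 12

def site_fragments(site_name: str, min_len: int = MIN_FRAGMENT) -> set:
    # Split the site name into alphabetic runs ("menus", "moms") and collect
    # every substring of each run that is min_len or longer.
    words = re.sub(r"[^a-z]", " ", site_name.lower()).split()
    frags = set()
    for word in words:
        for i in range(len(word)):
            for j in range(i + min_len, len(word) + 1):
                frags.add(word[i:j])
    return frags

def embeds_site_name(password: str, site_name: str = SITE_NAME) -> bool:
    # Judge only the letters, so "Men-lyn23!" is treated like "menlyn".
    letters = re.sub(r"[^a-z]", "", password.lower())
    return any(frag in letters for frag in site_fragments(site_name))

def policy_problems(password: str, site_name: str = SITE_NAME) -> list:
    # Returns the reasons a password would be refused; empty means accepted.
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if embeds_site_name(password, site_name):
        problems.append("contains part of the site name")
    return problems
```

A check like this only removes the obvious embeddings: the mZoobilyZoos style, which borrows just the first and last letter, is indistinguishable from a random password when seen on its own, which is why the post's advice is a generated password rather than a cleverer scheme.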

Once your email address is compromised, I could reset *any* password at any site that uses that email address (including banks and investment firms if they don’t require 2 factor authentication), add my own email address (remember, the confirmation is going to go to your gmail/yahoo account that I now control), remove your email address to lock you out, and have my way.

2 Factor Authentication

This story illustrates how easy it is to take down someone’s digital life (including wiping their Mac products clean) in a single hour. Since the publicity this story generated, many sites offer 2 factor authentication. This is when you have to prove that you are really you through a second method, usually a code texted to your mobile phone. This extra layer of protection is huge, and if it is available, it should be used. All of the above described hacks could be blocked if 2 factor authentication is enabled for just the account that controls your email address.
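The server side of the "code texted to your phone" step, as an added example (not code from this post or any of the services it names): issue a short random code, keep only a keyed hash of it, and accept it once, within a short window and a small number of tries. Sending the SMS itself is out of scope, so the code is returned to the caller; the digit count, lifetime and attempt limit are my constructed choices.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Added example, not the post's own code.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5

@dataclass
class PendingCode:
    code_mac: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS

def _mac(code: str, key: bytes) -> bytes:
    # Keyed hash: a leaked table of pending entries cannot be turned back
    # into live codes without the server's key.
    return hmac.new(key, code.encode(), "sha256").digest()

@dataclass
class SecondFactor:
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)   # user -> PendingCode

    def issue(self, user: str, now=None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingCode(_mac(code, self.key), now + CODE_TTL_SECONDS)
        return code  # handed to the SMS gateway; never logged or stored as-is

    def verify(self, user: str, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None or now > entry.expires_at or entry.attempts_left <= 0:
            self.pending.pop(user, None)   # expired or exhausted: a fresh code is required
            return False
        entry.attempts_left -= 1           # count the try before comparing
        if hmac.compare_digest(_mac(code, self.key), entry.code_mac):
            del self.pending[user]         # single use
            return True
        return False
```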

Solutions

At this point you may be wondering if you could ever be safe online. It’s a lot easier than you think for someone to take over your life if you use insecure passwords, and the only secure password is one you can’t remember and one that doesn’t have elements repeated on more than one site. The best option is a password manager with a strong master password.

Collecting Cousins may be compensated for any of the links in this post through sponsorships, paid ads, free or discounted products, or affiliate links. All Amazon.com links are affiliate links.
