Fix your terrible, insecure passwords in five minutes.

Innovation, the Internet, gadgets, and more.
July 24 2009 7:05 AM

Fix Your Terrible, Insecure Passwords in Five Minutes

A foolproof technique to secure your computer, e-mail, and bank account.

Illustration by Robert Neubecker.

It's tempting to blame the victim. In May, a twentysomething French hacker broke into several Twitter employees' e-mail accounts and stole a trove of meeting notes, strategy documents, and other confidential scribbles. The hacker eventually gave the stash to TechCrunch, which has since published notes from meetings in which Twitter execs discussed their very lofty goals. (The company wants to be the first Web service to reach 1 billion users.) How'd the hacker get all this stuff? Like a lot of tech startups, Twitter runs without paper—much of the company's discussions take place in e-mail and over shared Google documents. All of these corporate secrets are kept secure with a very thin wall of protection: the employees' passwords, which the intruder managed to guess because some people at Twitter used the same passwords for many different sites. In other words, Twitter had it coming. The trouble is, so do the rest of us.

Your passwords aren't very secure. Even if you think they are, they probably aren't. Do you use the same or similar passwords for several different important sites? If you don't, pat yourself on the back; if you do, you're not alone—one recent survey found that half of people online use the same password for all the sites they visit. Do you change your passwords often? Probably not; more than 90 percent don't. If one of your accounts falls to a hacker, will he find enough to get into your other accounts? For a scare, try this: Search your e-mail for some of your own passwords. You'll probably find a lot of them, either because you've e-mailed them to yourself or because some Web sites send along your password when you register or when you tell them you've forgotten it. If an attacker manages to get into your e-mail, he'll have an easy time accessing your bank account, your social networking sites, and your fantasy baseball roster. That's exactly what happened at Twitter. (Here's my detailed explanation of how Twitter got compromised.)

Advertisement

Everyone knows it's bad to use the same password for different sites. People do it anyway because remembering different passwords is annoying. Remembering different difficult passwords is even more annoying. Eric Thompson, the founder of AccessData, a technology forensics company that makes password-guessing software, says that most passwords follow a pattern. First, people choose a readable word as a base for the password—not necessarily something in Webster's but something that is pronounceable in English. Then, when pressed to add a numeral or symbol to make the password more secure, most people add a 1 or ! to the end of that word. Thompson's software, which uses a "brute force" technique that tries thousands of passwords until it guesses yours correctly, can easily suss out such common passwords. When it incorporates your computer's Web history in its algorithm—all your ramblings on Twitter, Facebook, and elsewhere—Thompson's software can come up with a list of passwords that is highly likely to include yours. (He doesn't use it for nefarious ends; AccessData usually guesses passwords under the direction of a court order, for military purposes, or when companies get locked out of their own systems—"systems administrator gets hit by a bus on the way to work," Thompson says by way of example.)

Security expert Bruce Schneier writes about passwords often, and he distills Thompson's findings into a few rules: Choose a password that doesn't contain a readable word. Mix upper and lower case. Use a number or symbol in the middle of the word, not on the end. Don't just use 1 or !, and don't use symbols as replacements for letters, such as @ for a lowercase A—password-guessing software can see through that trick. And of course, create unique passwords for your different sites.

That all sounds difficult and time-consuming. It doesn't have to be. In Schneier's comment section, I found a foolproof technique to create passwords that are near-impossible to crack yet easy to remember. Even better, it'll take just five minutes of your time. Ready?

TODAY IN SLATE

Politics

Don’t Worry, Obama Isn’t Sending U.S. Troops to Fight ISIS

But the next president might. 

IOS 8 Comes Out Today. Do Not Put It on Your iPhone 4S.

Why Greenland’s “Dark Snow” Should Worry You

How Much Should You Loathe NFL Commissioner Roger Goodell?

Here are the facts.

Amazon Is Launching a Serious Run at Apple and Samsung

Television

Slim Pickings at the Network TV Bazaar

Three talented actresses in three terrible shows.

Foreigners

More Than Scottish Pride

Scotland’s referendum isn’t about nationalism. It’s about a system that failed, and a new generation looking to take a chance on itself. 

The Ungodly Horror of Having a Bug Crawl Into Your Ear and Scratch Away at Your Eardrum

We Could Fix Climate Change for Free. Now There’s Just One Thing Holding Us Back.

  News & Politics
Weigel
Sept. 17 2014 7:03 PM Once Again, a Climate Policy Hearing Descends Into Absurdity
  Business
Business Insider
Sept. 17 2014 1:36 PM Nate Silver Versus Princeton Professor: Who Has the Right Models?
  Life
Outward
Sept. 17 2014 6:53 PM LGBTQ Luminaries Honored With MacArthur “Genius” Fellowships
  Double X
The XX Factor
Sept. 17 2014 6:14 PM Today in Gender Gaps: Biking
  Slate Plus
Slate Fare
Sept. 17 2014 9:37 AM Is Slate Too Liberal?  A members-only open thread.
  Arts
Brow Beat
Sept. 17 2014 8:25 PM A New Song and Music Video From Angel Olsen, Indie’s Next Big Thing
  Technology
Future Tense
Sept. 17 2014 9:00 PM Amazon Is Now a Gadget Company
  Health & Science
Jurisprudence
Sept. 17 2014 4:49 PM Schooling the Supreme Court on Rap Music Is it art or a true threat of violence?
  Sports
Sports Nut
Sept. 17 2014 3:51 PM NFL Jerk Watch: Roger Goodell How much should you loathe the pro football commissioner?