Wired illuminates the dark truth about password security

(via Boing Boing) ...It turns out, it's not there.

Well, that's not totally fair.  Some password-based methods for securing your information are less awful than others, for now.  But in an article he posted yesterday on Wired, Mat Honan (whose Twitter account was hijacked by teenage hackers) outlines the many ways that passwords fail us as a security measure.

During the formative years of the web, [...] Because almost no personal information was in the cloud—the cloud was barely a wisp at that point—there was little payoff for breaking into an individual’s accounts; the serious hackers were still going after big corporate systems.

So we were lulled into complacency. Email addresses morphed into a sort of universal login, serving as our username just about everywhere. This practice persisted even as the number of accounts—the number of failure points—grew exponentially. Web-based email was the gateway to a new slate of cloud apps. We began banking in the cloud, tracking our finances in the cloud, and doing our taxes in the cloud. We stashed our photos, our documents, our data in the cloud.

Eventually, as the number of epic hacks increased, we started to lean on a curious psychological crutch: the notion of the “strong” password.

The major point is that security experts at companies that depend on appearing secure (banks, stores, email providers) are happy to explain best-possible practice, but that practice is a massive pain in the ass, and because it's a massive pain in the ass, nobody follows it.  That outcome is predictable; it happens every time.  So the companies can be held accountable for failing to compensate for it.  Rather than keeping people secure, they leave them in a position where they feel at fault if their account with that company is compromised.

Mat doesn't have an easy-to-swallow answer to the password problem.  Basically, as computers get smarter, we need to start relying on them to figure out whether it's really us, rather than on a secret we type.  But the lack of a clear solution isn't an excuse not to worry about the problem.

Here's Mat's article, Kill the Password: Why a String of Characters Can't Protect Us Anymore, again.

This next article is an older one, from last month, called Fighting Hackers: Everything You've Been Told About Passwords Is Wrong, by Markus Jakobsson.

He underlines the same point, that a system isn't secure if its users won't use it securely, and proposes methods for creating stronger passwords.  Essential to his approach is memorability: a password is best when it's easy for you to remember but unreasonable for anyone else to guess.

So how do we select strong and memorable passwords? Here’s how: Think of a story, something weird and memorable that happened to you. Like that time you went jogging and stepped on a rat (ugh). Your password? “JogStepRat”: Your personal story boiled down to three words. If this really happened to you, you won’t forget. And no one else can guess it – unless you’ve told everyone that story, but then you’d just pick another, more embarrassing source story you’d never share!

This approach isn’t just conjecture: It works. It’s been tested at a large scale, and this type of password has twice the bit security of an average password. I kid you not.

Take a look at your own security online and tighten up the weak points, like reusing the same username and password across sites.  And read both articles; there's a lot of good stuff in them beyond the excerpts I posted.
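The quickest way to find that particular weak point is to export your saved logins and look for the same password turning up on more than one site. The script below is an added example, not code from this post or from either Wired article. It assumes the export is a CSV with site,username,password columns (the layout most password managers can produce); the sample rows are constructed for the example. Passwords are grouped by a short hash so the report never prints the secrets themselves, and it also counts how many logins use an e-mail address as the username, which is the "universal login" habit Honan describes.

```python
"""Audit a password-manager export for credential reuse across sites.

Added example, not from the original post or the articles it links.
Assumed input: CSV with columns site,username,password.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; these rows are invented for the example.
SAMPLE_EXPORT = """site,username,password
mail.example.com,alice@example.com,JogStepRat
bank.example.net,alice@example.com,JogStepRat
shop.example.org,alice@example.com,Winter2012!
forum.example.io,alice_h,Winter2012!
photos.example.com,alice@example.com,xk9#Qm2v!pLw
"""


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so passwords can be grouped without being echoed."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def load_export(text: str) -> list:
    """Parse the CSV export into a list of {site, username, password} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(text: str) -> dict:
    """Group entries by password and by (username, password); report reuse."""
    rows = load_export(text)
    by_password = defaultdict(list)   # fingerprint -> [site, ...]
    by_login = defaultdict(list)      # (username, fingerprint) -> [site, ...]
    email_logins = 0
    for row in rows:
        fp = fingerprint(row["password"])
        by_password[fp].append(row["site"])
        by_login[(row["username"], fp)].append(row["site"])
        if "@" in row["username"]:
            email_logins += 1

    # A password shared across sites means one breached site's dump can be
    # tried against the others, even if the usernames differ.
    shared_password = [sorted(s) for s in by_password.values() if len(s) > 1]
    # Identical username AND password is the worst case: the leaked pair is
    # simply replayed, nothing has to be guessed.
    shared_login = [sorted(s) for s in by_login.values() if len(s) > 1]

    return {
        "entries": len(rows),
        "email_as_username": email_logins,
        "shared_password_groups": sorted(shared_password),
        "shared_login_groups": sorted(shared_login),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print(f"{report['entries']} entries, "
          f"{report['email_as_username']} use an e-mail address as the username")
    for group in report["shared_password_groups"]:
        print("same password on:", ", ".join(group))
    for group in report["shared_login_groups"]:
        print("same username AND password on:", ", ".join(group))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents, then delete the export file; the hash prefix is only there to keep the report readable, not to protect the file.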

Kill the Password: Why a String of Characters Can't Protect Us Anymore, by Mat Honan
Fighting Hackers: Everything You've Been Told About Passwords Is Wrong, by Markus Jakobsson