Let me hazard a wild guess: the system of passwords you use on the internet – for accessing online banking, email, shopping sites, Twitter and Facebook accounts – is a mess.
You know perfectly well what you ought to be doing: for each site you visit, you should be choosing a different, complex sequence of letters, numbers and symbols, and then memorising it.
Apparently rule number one of the conventional wisdom on passwords is: never, ever write them down.
But most of us don’t do this, because we weren’t blessed with a brain that’s capable of such feats.
So instead many of us use the same familiar words for every site – your dog’s name, the name of your street – with occasional ingenious permutations, such as adding “123” at the end. Or maybe you do try to follow the rules, in which case you’re probably constantly getting locked out of your bank account or trying to remember the answers to various absurd security questions.
And things are getting worse: these days, you find yourself forced to choose passwords with both upper- and lower-case letters, and what normal human being can remember multiple combinations of those? Not me and probably not you, that’s for sure.
One reason not to feel too guilty about your bad password behaviour is that it seems to be almost universal.
Last month, an analysis of leaked PIN numbers revealed that about one in 10 of us uses “1234”.
A recent security breach at Yahoo showed that thousands of users’ passwords were either “password”, “welcome”, “123456” or something equally stupid.
The table below shows the top 20 PIN numbers in use.
1234 accounts for 10.7% of all PINs, followed by 1111 and 0000. Just these three combinations account for 18.6% of PINs, and the most common 20 combinations are responsible for more than a quarter of all PINs in use.
The most common numbers are repeating patterns, as well as significant dates (1984 and 2001, for example) and popular culture references: in homage to James Bond, 0070 and 0007 also appear very high in the charts.
When the veteran security researcher Bill Cheswick was asked if there was a way to solve the problem once and for all, he thought about it, then suggested: “Burn your computer and go to the beach.”
Then there’s the question of predictability. Nobody thinks up passwords by combining truly random sequences of letters and numbers; instead they follow rules, like using real words and replacing the letter O with a zero, or using first names followed by a year. Hackers know this, so their software can incorporate these rules when generating guesses, vastly reducing the time it takes to hit on a correct one. And every time there’s a new leak of millions of passwords – as happened to Gawker in 2010 and to LinkedIn and Yahoo this year – it effectively adds to a massive body of knowledge about how people create passwords, which makes things even easier. If you think you’ve got a clever system for coming up with passwords, the chances are that hackers are already familiar with it.
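The flip side of the point above is that a site can apply the same rules at registration time, before an attacker does: undo the usual letter-for-digit swaps, peel off the trailing year or “123”, and see whether what is left is a plain word or a known leaked password. The following is an added example of such a check, not code from the article or from any vendor it mentions; the word list and leaked-password list are tiny constructed samples standing in for a real dictionary and breach corpus, and the 12-character floor is an assumed policy.

```python
"""Defensive check that rejects passwords built from a word plus a
predictable rule (added example; lists below are constructed samples)."""
import re

# Constructed stand-ins for a dictionary and a corpus of leaked passwords.
COMMON_WORDS = {"password", "welcome", "rover", "london", "summer", "dragon"}
LEAKED_PASSWORDS = {"password", "welcome", "123456", "qwerty", "letmein"}

# Reverse the usual digit-for-letter swaps so "r0v3r" normalises to "rover".
# ("1" is mapped to "l"; a fuller checker would try "i" as well.)
UNDO_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# A trailing year, a short run of digits, or a burst of punctuation.
TRAILING_SUFFIX = re.compile(r"(19\d{2}|20\d{2}|\d{1,4}|[!?.]+)$")

MIN_LENGTH = 12  # assumed policy floor


def normalise(candidate: str) -> str:
    """Strip the decorations people add and undo the common swaps."""
    core = candidate.lower()
    # Peel off up to two suffixes, e.g. "rover2001!" -> "rover2001" -> "rover".
    for _ in range(2):
        core = TRAILING_SUFFIX.sub("", core)
    return core.translate(UNDO_SWAPS)


def is_repeated_or_sequential(candidate: str) -> bool:
    """Catch the PIN-style favourites: 1111, 1234, 4321 and friends."""
    if candidate and len(set(candidate)) == 1:
        return True
    ascending = "0123456789" * 2          # doubled so 9012 is caught too
    descending = ascending[::-1]
    return candidate.isdigit() and (candidate in ascending or candidate in descending)


def weakness_reasons(candidate: str) -> list[str]:
    """Return every reason the password would be easy to guess (empty if none)."""
    reasons = []
    if candidate.lower() in LEAKED_PASSWORDS:
        reasons.append("appears in leaked-password list")
    core = normalise(candidate)
    if core in COMMON_WORDS:
        reasons.append(f"dictionary word '{core}' with predictable decoration")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_repeated_or_sequential(candidate):
        reasons.append("repeated or sequential characters")
    return reasons


def is_acceptable(candidate: str) -> bool:
    return not weakness_reasons(candidate)


if __name__ == "__main__":
    for pw in ["Password1!", "r0v3r2001", "1234", "correct horse battery staple"]:
        print(repr(pw), "->", weakness_reasons(pw) or "acceptable")
```

The normalisation step is the whole point: “Password1!” and “r0v3r2001” both collapse to words on the list, so they are rejected for the same reason a guessing tool would find them quickly, while a long passphrase of unrelated words passes.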
One day, we may not have to worry about any of this. There are innovations in development that might replace passwords entirely. I have read that touchscreens could be configured to detect subtle aspects of your interactions with your computer – the distances between your fingers, and the speeds at which you tap and scroll.
Technologists at Rutgers University in New Jersey have built a prototype of a ring, worn on the finger, that would send tiny bursts of electricity through the user’s skin to the screen, vouching for his or her identity.
Fingerprint readers, built into some laptops already but apparently with too many flaws to be taken seriously, could be improved. But don’t hold your breath. Passwords aren’t going away for the foreseeable future.
In the meantime, Cheswick recommends doing the following:
Install a piece of software known as a “password wallet”, such as LastPass or 1Password. They generate fiendishly random passwords for each of the sites you visit, storing them all behind a single master password.
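To make concrete what a password wallet does behind that single master password, here is an added example covering its two core pieces: a per-site generator drawing from the operating system’s random number source, and a key derivation step that turns the one password the user remembers into the key protecting everything else. This is illustrative code written for this article, not the implementation of LastPass, 1Password or any other product; the alphabet, length floor and scrypt cost parameters are assumptions chosen for the demonstration.

```python
"""Core mechanics of a password wallet (added example, not a vendor's code)."""
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_GENERATED_LENGTH = 12  # assumed floor for wallet-generated passwords

# Assumed scrypt cost parameters; production wallets tune these higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random characters from the OS CSPRNG (never random.choice)."""
    if length < MIN_GENERATED_LENGTH:
        raise ValueError(f"length must be at least {MIN_GENERATED_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing resistance of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Slow, memory-hard derivation so offline guessing of the master password is costly."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def _verifier(key: bytes) -> bytes:
    # A keyed tag lets the wallet confirm the master password without storing it.
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def new_vault(master_password: str) -> dict:
    """Create vault metadata: a fresh salt and a verifier tag, never the password itself."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": _verifier(derive_vault_key(master_password, salt))}


def unlock(vault: dict, master_password: str) -> bool:
    """True only if the supplied master password reproduces the stored verifier."""
    key = derive_vault_key(master_password, vault["salt"])
    return hmac.compare_digest(_verifier(key), vault["verifier"])


if __name__ == "__main__":
    vault = new_vault("one long phrase I actually remember")
    print("unlock with right password:", unlock(vault, "one long phrase I actually remember"))
    print("unlock with wrong password:", unlock(vault, "password123"))
    print("site password:", generate_password(), f"({entropy_bits(20):.0f} bits)")
```

Two properties are worth noticing: a forgotten master password really is unrecoverable, because only a salt and a keyed tag are stored, which is exactly the failure mode the next paragraph describes; and a 20-character password drawn uniformly from this alphabet carries roughly 131 bits of guessing resistance, far beyond anything a rule-based guesser can enumerate.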
But if you forget your master password there is no way of retrieving it, so most people write it down anyway, perhaps in some coded form.
There’s no such thing as total security, let alone total security plus total convenience, but this feels like a workable compromise, providing you do not forget where you hid that piece of paper.
was recently hacked and his overdraft has gone missing.