Passwords “are starting to fail us,” said PayPal’s Chief Information Security Officer Michael Barrett at a recent event in Las Vegas. Much like a locked front door to your home, a password may serve as a minor deterrent to the casual passer-by, but anyone who really wants to find a way in will most likely be successful.
A lot of it has to do with the seeming inability of internet users, despite many attempts to educate the public, to pick passwords that are truly secure. “Users will pick poor passwords – and then they’ll reuse them everywhere,” says Barrett. “That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet.”
The number of data breaches in the US increased by 67 percent in 2011, and each major breach is more expensive than many people realize. When Sony’s PlayStation account database was hacked in 2011, it cost the company upwards of $171 million to rebuild its network and protect users from identity theft. Add up the total cost, including lost business, and a single hack can cost millions or even billions…with a B.
Asked about passwords, ESET Senior Research Fellow David Harley says, “Static passwords are problematic – even a good password is next to useless if the provider doesn’t take good care of credentials data and allows unlimited retries. The trouble is that password authentication on the Internet is cheaper and easier to implement than most of the alternatives.”
So what’s the answer? How do you protect yourself in an online environment with so many dangers? While there’s no way to completely eliminate your risk, there are several things you can do to reduce it. For starters, don’t make it easier on would-be hackers. Don’t make your password “password” or “123456.” Use 10-character passwords containing both letters and numbers, in both capital and lowercase. Try to vary passwords across your online accounts, so that if one account gets hacked, the hacker does not gain access to every online account you own. Additionally, avoid passwords or security questions that a stranger could guess just by reviewing your publicly available information. The city you were born in, for example, might not be the best security question for an online account if you have that information publicly listed on your Facebook page. Using varied and less typical or obvious passwords will go a long way toward making your information online safer.
On the industry side of things, more investigation is needed into authentication methods that are better than those currently in place. Cheap is always appealing, but not always effective. And as was pointed out, if a company is hacked, those cost savings go out the window, and then some. There also need to be tighter limits on the number of times someone can incorrectly answer a password prompt or security question before the account gets frozen. Both the service provider and the consumer need to understand what sort of tactics hackers use and what they’re looking for if we are to protect ourselves with a higher rate of success.
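The limit on wrong answers described above can be sketched as follows. This is an added example, not code from the article or from any provider it mentions; the class name, the threshold of five failures and the 15-minute freeze are assumptions. Failed password prompts and failed security-question answers are reported to the same per-account counter, so switching between the two does not buy extra guesses.

```python
import time

class AttemptLimiter:
    """Freeze an account after too many wrong answers in a row."""

    def __init__(self, max_failures=5, freeze_seconds=900, clock=time.monotonic):
        # Threshold and freeze length are assumed values; the article names none.
        self.max_failures = max_failures
        self.freeze_seconds = freeze_seconds
        self.clock = clock
        self._failures = {}      # account -> consecutive wrong answers
        self._frozen_until = {}  # account -> clock value when the freeze ends

    def is_frozen(self, account):
        until = self._frozen_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Freeze has expired: lift it and start counting from zero again.
            del self._frozen_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record(self, account, success):
        """Record one password or security-question attempt; True means accepted."""
        if self.is_frozen(account):
            return False  # even a correct answer is refused while frozen
        if success:
            self._failures.pop(account, None)  # a correct answer resets the count
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._frozen_until[account] = self.clock() + self.freeze_seconds
        return False

def demo():
    """Constructed sequence: three wrong answers, then a correct one during and after the freeze."""
    now = [0.0]  # fake clock so the example runs instantly
    limiter = AttemptLimiter(max_failures=3, freeze_seconds=60, clock=lambda: now[0])
    outcomes = [limiter.record("alice", False) for _ in range(3)]
    outcomes.append(limiter.record("alice", True))  # refused: account is frozen
    now[0] = 61.0
    outcomes.append(limiter.record("alice", True))  # accepted: freeze has expired
    return outcomes

if __name__ == "__main__":
    print(demo())
```

Because a freeze also locks out the legitimate owner, providers usually pair a counter like this with per-source throttling and a way for the owner to unfreeze the account.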
In short, don’t be lazy with your passwords, even though they are in some ways an antiquated form of security. Be aware of what personal information about you is floating around in the cloud, and be mindful of this when picking your fail-safes for account access. Don’t store information online that you don’t absolutely need to, and be mindful of who you’re giving your information to and what they plan on using it for.
"Face It: Internet Passwords Often Fail to Keep Hackers Out" was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to repost the above article, as written, giving credit to the author and linking back to www.idtheftcenter.org.