By Shannon McMurtrey, Ph.D
I have been thinking a lot about passwords lately. Probably due to the fact that the time to reset my password on one of my primary accounts has rolled around again (as it seems to roll around faster and faster each time) and I had to YET AGAIN come up with this crazy long impossible to remember password to keep my account safe. This ritual always reminds me of an XKCD cartoon (humor for math geeks) from a couple of years ago that makes the point, in a very elegant way, that we have gotten very good at training humans to come up with passwords that are easy for computers to guess and nigh unto impossible for humans to remember.
I’m probably also thinking about passwords due to the recent disclosure of 1.2 billion user names and passwords. This is the largest breach announced to date. There are some questions that remain around this announcement, as the company that discovered the breach has chosen to monetize their discovery rather than provide full details about what exactly was discovered; but it is still a very significant announcement.
Regardless, the point remains that password security is dead. I know that is a strong statement; but you really should make the assumption that your passwords are out there, somewhere, and you need to reset all of your passwords. This is especially true of your online financial accounts. When you create your new passwords, make sure that you are not reusing a password that you also use somewhere else. We all tend to want to use the same password everywhere, because that makes it easier to remember the password. Unfortunately, this also makes it easier for the bad guys to exploit once they obtain that password. The first of two steps that you can take to make your life easier is to research and purchase a password manager program (do a search on ‘the best password managers’) and use it. Password managers simplify managing multiple, complex passwords and are well worth the investment.
The other step you should take is to use two-factor authentication wherever you can. ‘Two-factor’ means that you are using two pieces of information to authenticate rather than just one. For example, I might use a password (something I know) and a code received on my cell phone via text (something I have) to verify that I should have access to this Gmail or Dropbox account (both support two-factor authentication).
Now I know what you’re thinking, “my password is so crazy that no one would ever be able to crack it!” Maybe you came up with a sentence like, “our kids are crazy,” and then some date that was significant to you, “02-03-06” for example. Then you interchanged the letters and numbers to come up with your uber-strong-impossible-to-crack password of, “o2k3a6c.” Sure, it was a pain to type the first few times as you had to consciously think about the sentence and the date; but over time your muscle memory kicked in and you type it almost without being aware of it.
Here’s the problem: rainbow tables. In the “Hacker Techniques” class that I teach for our Cybersecurity Masters program we talk about rainbow tables. Using a rainbow table attack I was able to crack that password (o2k3a6c) on non-optimized hardware, in less than ten hours. I’m working on a machine now that will crack it in minutes. I hope this doesn’t cause you to fear doing anything online; that isn’t the point at all. The point is to help you understand how important it is to use long passwords that are a combination of letters, numbers, and special characters, and most importantly, to use two-factor authentication wherever you can. I want you to feel as safe online as you do living here in the Ozarks. With a little bit of investment on your part, you can do it!
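To put numbers behind the point above, here is an added example (not from the column or its author) that measures how much searching a guesser must do for a password like “o2k3a6c” versus a long, mixed-character one, and shows the standard defence that makes precomputed tables useless: hashing each password with its own random salt. The guess rate passed to `worst_case_hours` is an assumption for illustration, not a measurement.

```python
import hashlib
import math
import os
import string
from typing import Optional

# Character classes a guesser has to cover, chosen from what the password actually uses.
CLASSES = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digit": string.digits,             # 10
    "symbol": string.punctuation,       # 32
}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes present in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates a brute-force search of this shape must cover."""
    return len(password) * math.log2(alphabet_size(password))


def worst_case_hours(password: str, guesses_per_second: float) -> float:
    """Hours to exhaust the search space at an assumed (constructed) guess rate."""
    return 2 ** search_space_bits(password) / guesses_per_second / 3600


def salted_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Store a password as (salt, slow hash). Because every account gets its own
    random salt, two users with the same password get different digests, so a
    table of precomputed hashes cannot simply be looked up against the store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()
    return salt, digest


if __name__ == "__main__":
    for pw in ("o2k3a6c", "Our-kids-are-crazy-2006!"):   # second one is constructed
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, "
              f"{worst_case_hours(pw, 1e6):.3g} h at 1e6 guesses/s")
    salt, digest = salted_hash("o2k3a6c")
    print("same password, fresh salt, different digest:",
          salted_hash("o2k3a6c")[1] != digest)
```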
This article appeared in the October 11, 2014 issue of the Springfield News-Leader. It is available online here.
Shannon McMurtrey, Ph.D., is director of Missouri State University’s master’s program in cybersecurity, as well as program director for the master’s in computer information systems in the department of computer information systems. Email: shannonmcmurtrey@missouristate.edu.