Nov 23 2015

Or why you should stop worrying about passwords and just enable two-factor authentication….

If, like me, you have several e-mail accounts, a few forum accounts, bank and credit card accounts, eBay, PayPal, Apple, gym and numerous others, you probably have a small number of passwords that have some level of re-use or even variations on a theme.

For example, your Gmail might be Pa55w0rd!, your bank account Pa$$w0rd!, your credit card P4ssw0rd123, etc.

If you can find any variant of it in the top 500 worst passwords list, then you have a problem.

Unless you are using two-factor authentication that is. 

If I tell you that my Gmail password is ‘Password123!’, it will not get you anywhere. Actually that is not true, it will get you somewhere: it will get you to a screen that is requesting a six-digit code. That code is sent to me as a text message, or nowadays is generated by the Google Authenticator app and typed in.

So despite you cracking my password, unless you are also in possession of my phone, you will not be able to log in to my e-mail, or my Facebook account, or my bank account, or my credit card account, or an ever-growing number of on-line services.

Each system has its own version of this two-factor authentication; each relies on you not only having my password, but also my phone, which must also be unlocked.

Even if I was stupid enough to set the PIN on my phone to ‘1234’, you would need physical possession of it too. My PIN is actually six digits long and I only use it when I reboot my phone, otherwise I use my thumb print. When I have to enter my PIN I can barely remember it….

Literally, my e-mail password has no use to a hacker, unless they have access to my unlocked phone too. 

Think that through for a moment. In all of the hysteria about passwords and their complexity, with two-factor authentication, the password can literally be ‘password’ or ‘123456’. It does not matter at all. Because unless the hacker has your phone, there is no way past the login box.

Recently I signed up for an on-line account for something, the password requirements were some of the worst I have ever encountered.

At least 8 characters long, at least one numeric, a mix of lower and upper case and at least one special character.

I immediately thought of Password123!

Obviously it passed all of the tests, but it is a really, really stupid choice.

The requirements are literally guiding a potential hacker:

The word needed is over-long, this is going to pretty much ensure that the potential user uses ‘123’ or 111 or 321 or 666 near the end of a 5/6 letter common word.

You need a capital letter, well, duh, the first letter is incredibly obvious.

You need a special character. Hmmmm, let me think: ! or ? are just about the only choices.

Obviously, if this site had two-factor authentication, it would not matter. But it did not; it had an overly complex password requirement that almost forced the user into making a bad choice.

In reality, rather than use a bad password, I tried to use the OS X/Safari password manager. It suggested that I use ‘Z`@Ju7=dEKy54Ss@’, which seemed like an excessively tough password to crack. But, sadly, the site rejected my super secure, insanely un-typable password because ‘@’ was not a valid character. Fixing it to ‘Z`AJu7=dEKy54SsA’ still broke it, as the ‘`’ character was also not legal


became Z`AJu7=dEKy54SsA

became ZLAJu7=dEKy54SsA

and the ‘=’ sign failed

so I tried ZLAJu7EdEKy54SsE

only for the site to reject that, because it was too long.

Password123! it is then……
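The composition rule described above, next to a length-plus-blocklist check (the approach NIST SP 800-63B recommends in place of composition rules), as an added example that is not from the original post. The blocklist, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a large list of
# common and breached passwords instead.
BLOCKLIST = {"password", "123456", "12345678", "qwerty", "letmein", "welcome"}

# Common character substitutions, undone before the blocklist lookup.
SUBSTITUTIONS = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                               "7": "t", "$": "s", "@": "a"})


def meets_composition_rule(pw):
    """The site's rule as the post states it: 8+ chars, digit, mixed case, special."""
    return (len(pw) >= 8
            and re.search(r"\d", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def base_word(pw):
    """Drop a trailing run of digits/symbols ('123!'), lowercase, undo substitutions."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.lower().translate(SUBSTITUTIONS)


def passes_blocklist_check(pw, min_len=8):
    """Length plus blocklist screening; no composition or character-set rules."""
    candidates = {pw.lower(), base_word(pw)}
    return len(pw) >= min_len and not (candidates & BLOCKLIST)


def audit(passwords):
    """Return (password, passes composition rule, passes blocklist check) rows."""
    return [(pw, meets_composition_rule(pw), passes_blocklist_check(pw))
            for pw in passwords]


# Passwords quoted in the post.
SAMPLES = ["Pa55w0rd!", "Pa$$w0rd!", "P4ssw0rd123", "Password123!",
           "Z`@Ju7=dEKy54Ss@"]

if __name__ == "__main__":
    for pw, composition_ok, blocklist_ok in audit(SAMPLES):
        print(f"{pw:18} composition={composition_ok!s:5} blocklist={blocklist_ok}")
```

The composition rule accepts three of the four ‘password’ variants (P4ssw0rd123 only fails for lacking a special character), while the blocklist check rejects all four and accepts the generated password without any character restrictions.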

Passwords are dead. We need a better level of security: two-factor via text messages, or one of the several revolving code generators, from RSA (SecurID) or Google’s own version, which require an app on a smartphone and a one-time link to set up, seems to be a much better idea than any password rule set.

So, really, long live ‘Password123!’. I use it everywhere that there is two-factor authentication and it does not matter who knows it…..
