Learn why passwords are the weakest link.

An explanation of why passwords are so weak, what you can do about it, which passwords to avoid, and how to protect yourself.

Episode #4-23 released on February 21, 2014

The password is the weakest point of failure of any account on the internet, and the biggest problem is the choice of passwords and how they are composed. This is all you can focus on, because you cannot guess or accurately determine the security of a given web-site, so we must presume that the security of every web-site was built by the worst programmers on the planet.

First, presuming all web-site security sucks, we should never use the same password twice. Further, any password rule you use is the same as using the same password on every web-site: if you make a guide for yourself on how to make different passwords, and someone identifies the rules, your passwords are no longer secure. This is also because we tend to use the same username, or similar usernames. Hacking a weakly secured web-site may give attackers the passwords they need to access another web-site; the web-sites with the weakest security often lead to the hacking of accounts on more secure web-sites.

Second, the choice of password is usually down to a lack of seriousness from the user, laziness, or the fear of forgetting the password. There are plenty of applications and widgets that allow us to use more complicated, unrelated passwords while keeping our lives simple and keeping us secure at the same time. However, if you don't believe me that your password sucks, how about the list of the 25 most popular passwords in 2013?

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. adobe123
  11. 123123
  12. Admin
  13. 1234567890
  14. letmein
  15. photoshop
  16. 1234
  17. monkey
  18. shadow
  19. sunshine
  20. 12345
  21. password1
  22. princess
  23. azerty
  24. trustno1
  25. 000000

If you heard your password, change it now.

Third, dealing with all those passwords you can't remember: how do I log in if I don't remember my password?

This is simpler than most of you are willing to admit. It's called LastPass, the last password you will ever need to remember, and best of all, it offers two-factor authentication. A strong password is good, a password you can't remember is much better, and a way of getting to it without allowing others to tap in is the best gift of security you can give yourself. It is free, and you can upgrade. It's "trust no one" technology in the sense that no one can demand your passwords from LastPass, because they are encrypted on your computer before being uploaded to their servers.

And lastly, we occasionally forget our passwords, go through our favorite web-sites and request the ability to log back in. Occasionally, web-sites e-mail us the passwords we had. This is dangerous on so many different levels.

E-mails are sent in plain text, and having the password sent in a plain-text medium means that any server or person in the path could intercept the e-mail and gain access to your account. If someone knew which accounts you used, could force the services you use to send back your password by e-mail, and had access to your computers, networks, etc., they could retrieve your password and steal your account from you.

To combat that possibility, some services have you create a password hint, or a secret question and answer. A password hint is just that, a hint, and not usually practical. But the secret question and answer can deter malicious users from trying to game the system in order to gain access to your account. The reset link, however, is still sent in an e-mail, which is plain text. There isn't much a small web-site can do beyond that. Web-sites with two-factor authentication enabled can require the second-factor code to prove you are the correct user who lost their password, and this, even with the plain-text e-mail, would prevent unauthorized users from gaming the system and accessing your account. For you, the only thing you can do to prevent issues is to make sure none of your passwords are the same, and to refrain from linking all your accounts together, in case someone accesses your primary linked account and tries to gain access to your life.

Now, what should we do to get companies to change how they handle our passwords in their databases? For starters, do not use their services. Then report them to Plain Text Offenders, and furthermore, demand in public via social networking why they have such relaxed and dangerous password policies. All passwords should be stored using an irreversible means, like hashing, with a unique salt for every account, iterated as many times as possible.

Simply encrypting a password is not enough: if the company can decrypt it, we must presume others can too.
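As an added example (not code from the episode or from any product it mentions), here is what "hash with a unique salt per account, iterated as many times as possible" looks like in practice, together with a sign-up check that rejects the 25 passwords listed above. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, minimum length and the `pbkdf2_sha256$…` storage format are assumptions chosen for this illustration. Note that `verify_password` never decrypts anything: it re-derives the hash from the candidate password and the stored salt and compares the two, which is exactly why a properly hashed database cannot e-mail anyone their old password.

```python
import hashlib
import hmac
import os
from typing import Optional

# The 25 most popular passwords of 2013, as listed in the episode notes.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
}

ITERATIONS = 200_000   # assumed work factor: raise it as far as login latency allows
MIN_LENGTH = 10        # assumed policy minimum
SALT_BYTES = 16        # 128-bit random salt, generated fresh per account


def is_weak(password: str) -> bool:
    """True if the password is too short or is one of the published common passwords
    (checked case-insensitively, so 'Admin' is caught as well as 'admin')."""
    return len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return an irreversible record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A new random salt per call means two accounts with the same password store
    different records, so one leaked database cannot be cracked once for all."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count and compare in
    constant time. Nothing is decrypted: the original password is not recoverable."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(users: dict, username: str, password: str) -> str:
    """Sign-up flow: refuse weak passwords, otherwise store only the salted hash."""
    if is_weak(password):
        raise ValueError("password is too short or too common")
    users[username] = hash_password(password)
    return users[username]


def login(users: dict, username: str, password: str) -> bool:
    """Login check against the stored record; unknown users fail the same way."""
    stored = users.get(username)
    return stored is not None and verify_password(password, stored)


if __name__ == "__main__":
    db = {}  # constructed in-memory "user table" for the demonstration
    register(db, "alice", "correct horse battery staple")
    register(db, "bob", "correct horse battery staple")
    print("same password, different records:", db["alice"] != db["bob"])
    print("alice logs in:", login(db, "alice", "correct horse battery staple"))
    print("wrong password:", login(db, "alice", "correct horse battery staples"))
```

Running the script registers two users with the same password and shows that their stored records differ (the salt), that the right password verifies and a one-character change does not. Everything the site keeps is a hash it cannot reverse, which is the behaviour the episode asks companies to adopt.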

Host : Steve Smith | Music : Jonny Lee Hart | Editor : Steve Smith | Producer : Zed Axis Productions

Sources & Resources