Naked Security

How good will your passwords be this Black Friday?

On Black Friday and Cyber Monday, there will be lots of passwords entered, old ones reset, and new ones created - how good will yours be?

Black Friday is coming up on 27 November 2015, and with it the start of the busiest part of the retail season in the US.

Indeed, the name is said to come from the fact that on the Friday after US Thanksgiving (the fourth Thursday in November), retailers do so much trade that they get “into the black,” covering their costs for the year to date.

In theory, then, that leaves the rest of the holiday season, heading towards Christmas, to pile on the profit.

What that means is a lot of people shopping, both at the mall and on the net.

To extend the fun beyond the Thanksgiving holiday, there’s also Cyber Monday, which is your online chance to snap up the bargains you missed over the weekend.

And lots of people shopping online means lots of passwords being entered on e-commerce sites, lots of forgotten passwords being reset, and lots of new accounts being created…

…often in a bit of a hurry.

WHAT IF YOU CUT CORNERS?

So, what happens if you cut corners, or are just feeling uninventive, and enter a short or easily-guessed password by mistake?

How hard will the average website try when it comes to protecting you from yourself?

For example, if you accidentally just press [Enter] and choose a blank password by mistake, will the website allow it?

Almost certainly not.

But what if you do the next worst thing and choose a very obvious password, such as 12345678 or baseball, or a very short one, like XYZZY?

It’s easy enough for a website to warn you if you make a truly awful choice, but a retail season survey by password manager company Dashlane suggests that even that doesn’t always happen.

The company claims that 56% of e-commerce sites it surveyed “allow users to have a password less than eight characters long.”

And 32% allowed users to choose passwords from a super-obvious list of ten passwords that come right at the top of any password cracker’s list:

password
123456
12345678
abc123
qwerty
monkey
letmein
dragon
111111
baseball

Dashlane also claims to have tested how many times a website will let you guess incorrectly before taking some sort of action to shut down or limit the speed of further guessing.

Apparently, 36% of e-commerce sites “allowed 10 or more repeated logins without any secure measures being deployed.”
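The two checks the survey measured, a minimum length with a blocklist of the most obvious choices and a brake on repeated wrong guesses, are small to implement. The following is an added example written for this article, not code from Dashlane or from any surveyed site; the blocklist is constructed from the ten passwords listed above, the thresholds (eight characters, five failures, a fifteen-minute lockout) and the in-memory throttle are assumptions for illustration:

```python
from __future__ import annotations

import time

# Blocklist constructed from the article's top-ten list. A production service
# would use a far larger list derived from published breaches.
TOP_TEN = {
    "password", "123456", "12345678", "abc123", "qwerty",
    "monkey", "letmein", "dragon", "111111", "baseball",
}

MIN_LENGTH = 8  # the eight-character floor the survey measured against


def check_password(candidate: str) -> list[str]:
    """Return the policy failures for a candidate; an empty list means accepted."""
    if candidate == "":
        return ["blank password"]
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in TOP_TEN:
        problems.append("on the common-password blocklist")
    return problems


class LoginThrottle:
    """Per-account failed-login counter that locks the account after a threshold.

    Hypothetical in-memory version for illustration; a real service keeps this
    state in shared storage and throttles per source address as well.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: clear the counters so the user may try again.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Count a failed attempt; return True once the account becomes locked."""
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A correct login resets the counter for that account."""
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, supplied: str,
                  correct: str) -> str:
    """Outcome of one login attempt: 'locked', 'ok' or 'bad-password'."""
    if throttle.is_locked(account):
        return "locked"
    if supplied == correct:  # stands in for the real (hashed) credential check
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad-password"


if __name__ == "__main__":
    for pw in ["", "XYZZY", "Baseball", "aYTLZM5kp20vt9KO"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

The throttle counts per account rather than per session, so an attacker who opens a fresh connection for every guess still runs into the same limit; the lockout also expires on its own, which keeps a flood of deliberate wrong guesses from locking a legitimate user out for good.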

This just reinforces (or re-reinforces, or perhaps re-re-reinforces) the importance of learning how to Pick Proper Passwords.

After all, even if a website stops you making gratuitously bad choices, it may nevertheless let you get away with mediocre or average passwords.

Indeed, many websites (and some companies) try to define randomness, for example by having rules such as “you can’t have a password without a punctuation mark,” even if you chose aYTLZM5kp20vt9KO.

Ironically, that string is an encoding of about 95 bits’ worth of data straight from my Mac’s high-quality random number generator, making it a 1-in-10,000 million million million million choice.

Artificial complexity means that PassWord99! might pass muster, and be considered strong enough, even though a password cracking algorithm would try it long before it got to aYTLZM5kp20vt9KO, or even to the less orderly WordP9!9ass.

Other websites or services won’t let you have more than, say, 16 characters (Microsoft Outlook.com and Google Android both do this), so you can’t use a long phrase like “algorithms get you only so far and then it’s up to intelligence”, even if that’s what you want.

FIGHT YOUR OWN PASSWORD BATTLES

In short, if a website tells you your password is weak, it probably is; but when it comes to creating passwords that are strong, you need to fight your own battles.

Keep our advice in mind:

1. Make your passwords hard to guess.

Avoid using details that are easy for other people to figure out, such as birthdays, nicknames, the names of your pets, songs or bands you like, and so on.

And don’t rely on trivial alterations, such as writing your dog’s name as r0ver or rover99, because password guessing programs try modifications of that sort early on.

2. Go as long and complex as you can.

If you add one letter (from A-Z) to a 10-character password, you make it just 10% longer to type and remember, but 26 times (that’s 2600%) harder to guess.

Choose an extra letter from A-Za-z and you make it 52 times, or 5200%, harder to guess.

You can also hinder password guessing programs by switching between lOWer and UppERCase letters, adding in d29igits and mixing in punc/;tua#tion characters.

But as we mentioned above, watch out for “predictable complexity” such as always and uninventively appending a question mark to comply with “must have punctuation” rules, or switching l3tt3r5 1nt0 d1g1t5 using only simple substitutions.

Some people prefer to pick multiple, unrelated words, like the famous XKCD password correcthorsebatterystaple, finding very long passphrases easier to remember and even to type.

But not all websites and services allow long phrases like this, and many insist that you mIX 1n o//ther characters anyway, regardless of your passphrase length.
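The arithmetic behind points 2 and 3, and behind the aYTLZM5kp20vt9KO example earlier in the article, is easy to make concrete. This is an added example, not code from the article or from any password manager: it computes the search space and entropy of random strings, shows the “26 times” and “52 times” figures for one extra character, applies a typical composition rule to PassWord99! and to the random string, and draws passwords from the operating system’s random number generator the way a manager does. The alphabets and the 16-character default are assumptions for illustration.

```python
import math
import secrets
import string

# Alphabets used for the calculations below (assumed for illustration).
ALPHABETS = {
    "A-Z": string.ascii_uppercase,
    "A-Za-z": string.ascii_letters,
    "A-Za-z0-9": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of this length over an alphabet of that size."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string, in bits: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def extra_char_factor(alphabet_size: int, length: int) -> int:
    """How many times larger the search space becomes when one character is added."""
    return search_space(alphabet_size, length + 1) // search_space(alphabet_size, length)


def composition_rule(candidate: str) -> bool:
    """The familiar 'upper, lower, digit and punctuation' rule that many sites apply."""
    return (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(c in string.punctuation for c in candidate))


def generate_password(length: int = 16, alphabet: str = ALPHABETS["printable"]) -> str:
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_compliant(length: int = 16, alphabet: str = ALPHABETS["printable"]) -> str:
    """Keep drawing until the composition rule is satisfied.

    Rejection sampling leaves the result uniform over the compliant strings, so
    the rule costs a little entropy but adds no predictable structure such as a
    trailing '!' or '1'.
    """
    while True:
        candidate = generate_password(length, alphabet)
        if composition_rule(candidate):
            return candidate


if __name__ == "__main__":
    print("one more A-Z letter on a 10-character password:",
          extra_char_factor(26, 10), "times harder")
    print("one more A-Za-z letter:", extra_char_factor(52, 10), "times harder")
    print("16 chars over A-Za-z0-9: %.1f bits" % entropy_bits(62, 16))
    for pw in ["PassWord99!", "aYTLZM5kp20vt9KO"]:
        print(pw, "passes composition rule:", composition_rule(pw))
    print("freshly generated:", generate_compliant(16))
```

Running it shows the point the article makes: the rule accepts PassWord99!, a string a cracker’s dictionary-plus-mangling pass reaches early, and rejects the 95-bit random string. A manager sidesteps the problem by generating until the rule happens to be met, rather than by bolting a predictable symbol onto the end.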

3. Consider using a password manager.

Password managers can generate long and complex passwords on demand.

They can also automatically type them in for you at the right time, and can stop you from putting the password for site X into imposter site Y by mistake.

Password managers can also help you comply with the common rules that many websites impose, such as mixing in different types of character unpredictably. (A password manager can remember co*;m+@9-9$pli\cated as easily as it can remember c0mplic4ted!)

Just make sure you have a really strong password for the password manager itself, or else a crook could get hold of all your passwords at once.

4. One account, one password.

Use a unique password for each account: crooks who acquire one of your passwords will almost always try that password on all the other online services you use, just in case it lets them in.

Avoid using an obvious pattern, such as a common string of characters followed by, say, -FA for Facebook, -TW for Twitter, and so on.

If you can’t think up and remember unique passwords easily, use a password manager to do the hard work for you.

Don’t be the low-hanging password fruit this retail season.

To help you be more secure, now and into next year, here is a short and straight-talking video that goes through the points above:


And once you’ve watched our tutorial video, here’s a short but funny video you can show to your IT guys if they have password “complexity rules” that really are just too darn’ hard:


8 Comments

You forgot one thing: treat password recovery questions (“Mother’s maiden name” etc.) as if they were password requests, and supply answers accordingly.


Good point. A password manager can help here – though you may want to learn the international phonetic alphabet so you can spell out AsFIw34QbbNEa8 over the phone if need be :-)


Duck, I promise I’m not trying to be a smart ass (arse?)…
Sharing passwords is a no-no, and customer support can auth me with my name/address/ssn/else, so when would I need to phonespell a passwd?

Also, I’m curious if there is any (legitimate) reason for password length limits. I don’t mean limits of 2048 characters; I’m talking about those annoying sites that stop me after 14, 12, or even 8 characters. I suspect they’re either stored in plain text or hashed in antiquated ways.

Do we have a recent list of sites who limit password length or otherwise have poor security? Preferably a list that offers competitors who don’t?


Microsoft (e.g. on the Outlook.com service) and Google (on Android) have 16-character limits. So the list of vendors you have to avoid if you want to boycott inane password length limits starts with those two :-)

I don’t know why there’s a limit. In the case of Microsoft and Google, I am sure it has nothing to do with antiquated hashing. In fact, IIRC, on Android your 16-character password is converted into cryptographic material via PBKDF2, so there is no theoretical reason for the limit at all. My guess is that these companies have decided that 16 is some kind of tipping point between diminishing returns on security (i.e. 16 “is enough”) and increased likelihood of forgetting it (i.e. 17 is “too many”). But I have never seen any evidence for that claim :-)

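The point in the reply above, that a password fed through PBKDF2 comes out as key material of a fixed size whatever its length, can be seen directly with the standard library. This is an added example and not Android’s code or anything from the comment thread; the hash, the 32-byte output and the iteration count are assumptions chosen for illustration, and the enrol/verify pair shows the same function used the way a website should store a password rather than keeping it in plaintext.

```python
import hashlib
import secrets

HASH_NAME = "sha256"
ITERATIONS = 200_000   # illustrative work factor (assumption); tune to your hardware
KEY_LEN = 32           # derived key length in bytes, fixed regardless of input length


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: stretch a password of any length into KEY_LEN bytes."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def enroll(password: str) -> dict:
    """Record to store: a fresh random salt, the work factor and the derived key.

    The password itself is never kept, so a stolen database yields only salted,
    stretched keys that have to be guessed one candidate at a time.
    """
    salt = secrets.token_bytes(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "key": derive_key(password, salt, ITERATIONS)}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    derived = derive_key(candidate, record["salt"], record["iterations"])
    return secrets.compare_digest(derived, record["key"])


if __name__ == "__main__":
    salt = bytes(16)  # constructed all-zero salt, used only for the length demo
    for pw in ["sixteen-chars-ok",
               "algorithms get you only so far and then it's up to intelligence"]:
        print(len(pw), "characters ->", len(derive_key(pw, salt)), "byte key")
```

Because the output size is fixed by the KDF and not by the input, a 16-character cap buys the service nothing on the storage side; the cap is a product decision, not a cryptographic one.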

Do you have a smart way to cross-reference answers to their respective security questions? Factual answers are easily guessed, and 1,000 good answers are impossible to remember.

I hit a page today that doesn’t even allow a period–rendering answers like “5%dqd835#9r(}u&hf94#$24gf44” out of the question. Still, I try to use answers at least a touch better than “dog name: Spot”

I’ve long held that “security questions” are a travesty of security, offering users false reassurance and strangers backdoors. Replies readable by anyone looking over the shoulder, they’re barely more secure than nothing–and worse when one considers the misplaced confidence they bring. Busywork masquerades as an extra password.

They’re more valuable of course as passwd recovery, but they’re not “additional security.” I would love to be shown wrong and dial back my cynicism a bit…anyone?

Years ago I thought I’d outsmarted the things. I answered all questions with “LumberghNeverWorksOnSaturday”**

True, it violates the “one account one passwd” rule, but since it can’t be gleaned from my trash at the curb (or Googling me) it’s still better than “123 Main Street,”** and as a reference to a film I love, it’s stickynote free.

Then the web pages once again assumed AI is smarter than people and began disallowing the same answer for all questions. Complexity and randomness overwhelming countless neurons, I again need
1) legit answers I can remember, or
2) to reset all questions each time I forget a password, or
3) to write down that my mother’s maiden name is “HanShotFirst”, or
4) a better suggestion here

** names have been changed to protect the innocent


For me, the absurd thing about password reset questions is that they *are* passwords, yet they are somehow immune (in many services) to received wisdom about secure handling of passwords, notably that they are stored in plaintext, and various aspects of complexity are, as you say, cancelled out – e.g. spaces ignored, letters converted to lower case, punctuations banned or ignored. So even very short text strings *might* match your “password”, simply because you included complexity that was effectively discarded.

And this business of forcing you to pick from a small number of questions with obvious answers – what was the name of your first pet! where did you live 10 years ago! crazy stuff! – is equally reckless IMO.


Agreed on all points. Back then I was naive enough to think I had a chance at changing the status quo on the ridiculous measure. I explained to the CSR that it’s simply an extra password–but one that can be seen over my shoulder–so how do I opt out?

Naturally even if it were possible that was not the avenue to get there. Frustrating to say the least.

I’ve actually considered password managers lately. Do you have recommendations? I have a few concerns, highest among which is the conflict between placing faith in cloud security administered by unknown parties and a portable mechanism for accessing my 29 billion passwords from unfamiliar locations.
