Think your internet password is safe? Think again… – The Independent
Until the beginning of this month, I used one tinpot password for pretty much all my activity online. Eight characters long – without numbers or symbols – its prime value was sentimental, the product of a relationship that started in the era of the floppy disk. Then paranoia struck. On 1 February, 250,000 Twitter passwords were stolen by hackers. Had the hackers cracked mine – and found their way to the Gmail and bank account daisy-chained to it – well, they wouldn’t quite have been able to retire, but the fear (and raunchy spam I’d been a vessel for) was enough to spook me into a radical overhaul of my online security.
I won’t pretend this is a dramatic tale. It is, however, a drama relevant to many garden-variety internet users. As work and social life shift on to the internet, and people freight their profiles with more valuable data, there’s growing consensus that passwords – ‘icecream’, ‘tomcat’, ‘loveyou’ – are no longer up to the job of keeping out intruders (be they 14-year-old ‘script kiddies’ or state-sponsored agents). Passwords can be forgotten, guessed, tricked or stolen from databases. Bill Gates was among the first – almost 10 years ago – to pronounce them “dead”; now the reedy voice of Microsoft’s founder has been joined by a chorus of hundreds – from hacked individuals to governments to Google itself.
These password-o-phobes foresee higher hurdles. More complexity. Biometrics. Soon, many hope, you will sign in to your bank or email via fingerprints, voice recognition or the veins in your palm.
Alarm bells have been ringing for security professionals more or less continuously over the past three years. In 2011, the number of Americans affected by data breaches increased 67 per cent. Every quarter, another multinational firm seems to trip up. PlayStation was a larger casualty, forced to pay $171 million (£112.8m) to protect gamers after its network was broken into. Before Twitter went down, 6.5 million encrypted passwords were harvested from LinkedIn, 250,000 of which later appeared ‘cracked open’ on a Russian forum. (‘1234’ was the second most popular choice; ‘IwishIwasdead’ and ‘hatemyjob’ appeared on one occasion each.) Now all these once-precious words have been added to gigantic lists that hackers can spin against other accounts in future attacks.
It seems security fears spread best, however, from person to person. Late last year, Wired published a cri de coeur from writer Mat Honan, detailing how hackers destroyed his digital life in an attempt to steal his prestigious three-letter Twitter handle, @mat. Much of Honan’s work – and pictures of his newborn child – was wiped. Dire warnings (“you have a secret that could ruin your life… your passwords can no longer protect you”) punctuate the report – and in the two days after it was published, a quarter of a million people (myself included) followed Honan’s advice and signed up for Google’s two-step verification process.