I wish my clients didn’t keep telling me their wife’s, kids’ and pets’ names.
Don’t get me wrong. We ARE best friends from day one. No, my concern is that photographers seem to take an astonishingly lax attitude to password security. Yet as small business owners they have so much to lose should things go wrong. By using their wife’s name as their password, they are playing Russian roulette with their online photo archives, their client list, their website, their bank accounts, their reputation and more.
Put simply, family names, dictionary words, countries, “123456”, “password” and “qwerty” don’t make good online passwords. Even simpler: if your password is easy to memorize it’s probably a bad one. My advice: use specialized software to generate strong passwords and store them securely.
There are many technological and non-technological ways an ill-intentioned person can get hold of your login credentials. One of them is known as a ‘brute force attack’: an automated process of trial and error used to guess the “secret” protecting a system. Picture a powerful computer entering every word in the dictionary, every first name and then variations on them (capitalized, with a year or a few digits tacked on) into your account login form. A login form can at least slow this down by limiting attempts; if the attacker has stolen a site’s database of password hashes, the same guessing runs offline on their own hardware at millions of guesses per second. This is (probably) what happened to Twitter in 2008 when 750 user accounts were hacked.
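To make the “trial and error” concrete, here is a small added example (mine, not from the original post, and not how any particular cracking tool is written) that runs a dictionary attack, with a handful of common mangling rules, against SHA-256 hashes of two constructed passwords: one built from a first name and a year, one produced by a random generator of the kind a password manager uses. The word list, the mangling rules and the choice of hash are assumptions for illustration only.

```python
"""Added example: a toy dictionary attack with mangling rules.

Real tools (hashcat, John the Ripper) do the same thing against stolen
hash databases at far higher speed; this only shows why a name plus a
year falls in a few hundred guesses while a random password does not.
"""
import hashlib
import secrets
import string

# Constructed stand-in for a real word list: dictionary words plus the
# sort of family and pet names people actually use.
WORDLIST = ["password", "sunshine", "london", "emma", "max", "rover", "photo"]

# Alphabet a password generator draws from (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mangle(word):
    """Yield the variations an attacker tries on each base word."""
    yield word
    yield word.capitalize()
    for n in range(100):                     # emma0 ... emma99
        yield f"{word}{n}"
    for year in range(1970, 2016):           # emma1984, Emma1984, ...
        yield f"{word}{year}"
        yield f"{word.capitalize()}{year}"
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")
    yield word + "!"
    yield word.capitalize() + "!"


def sha256_hex(password):
    """Unsalted SHA-256, used here only so the demo has something to crack.
    Sites should store passwords with a slow, salted scheme (bcrypt, scrypt,
    Argon2) instead; that makes every guess cost the attacker far more."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try every mangled word; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def generate_password(length=16):
    """What a password manager's generator does: uniform random choice from
    the full alphabet, using the operating system's cryptographic randomness."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    weak = "Emma2009"                        # a daughter's name and birth year
    strong = generate_password()
    print(dictionary_attack(sha256_hex(weak)))     # cracked in under 1000 guesses
    print(dictionary_attack(sha256_hex(strong)))   # (None, total guesses tried)
```

The guess count is the point: the “personal” password is found after a few hundred attempts, which a laptop does in well under a second, while the generated one survives the whole word list and would only fall to an exhaustive search of the entire 94-character alphabet.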
Password reminders or so-called “security questions” can make it even easier. According to the Web Application Security Consortium:
(…) if the personal detail is “favorite color” then an attacker can use a brute force attack to retrieve the password as the number of color choices is limited. In addition, studies have shown that approximately 40% of the population selects blue as their favorite color (…).
Need more? A recent study of the breach of 32 million user passwords at RockYou, a Facebook application developer, found that the most common password, by far, was “123456”, followed by “12345”, “123456789”, “password” and “iloveyou”.
There are tricks to make secure passwords memorable but I find they require more work than suits my brain. I much prefer to use a specialized password management utility.
There are a number of them. I use 1Password (Mac/Win, $39.95) and I highly recommend it. It’s simple and intuitive to use. It stores your usernames, passwords and other sensitive information on your computer, not on a remote server, and it constantly gets great reviews.
And disable password storage in your browser. As practical as it is to let the browser remember your logins, browser password stores are weak. Even when the browser encrypts the saved credentials, the key is not something you have to type: it is either fixed or tied to your operating-system login, so any program running under your user account, or anyone sitting at your unlocked machine, can read every saved password back in seconds. So turn it off and let 1Password, or whatever tool you choose, do the work.
There is plenty more you can do to secure your accounts but this is a good start.
*** UPDATE May 4th, 2015 ***
In an interesting blog post Jeff Atwood explains that the massive computing power now available to anyone who wants to crack passwords means that longer passwords are safer, and that “safe” starts at 12 characters.
Here are the results of a cracking scenario he tests (the exact times depend on the hashing scheme, the character set and the hardware assumed, so read them as relative rather than absolute; the lesson is how steeply the time grows with each extra character):

| Password length | Time to crack |
|---|---|
| 8 characters | 1 minute |
| 9 characters | 2 hours |
| 10 characters | 1 week |
| 11 characters | 2 years |
| 12 characters | 2 centuries |
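As an added worked example (mine, not from Atwood’s post or this page), here is a calculator that reproduces the shape of that table for any alphabet size, password length and attacker speed. The guess rate is an assumed figure; the same formula also gives the strength of a passphrase when the “alphabet” is a word list, which is why the script ends by converting a five-word Diceware passphrase into an equivalent number of random characters.

```python
"""Added example: brute-force search time as a function of length and alphabet."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speed (guesses per second against a fast, unsalted hash).
# Real figures depend entirely on the hash algorithm and the hardware, so
# treat the output as relative, not absolute.
GUESSES_PER_SECOND = 1e11


def search_space(alphabet_size, length):
    """Number of strings of exactly this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Strength of a uniformly random choice, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: every candidate of this length tried."""
    return search_space(alphabet_size, length) / rate


def length_for_bits(target_bits, alphabet_size):
    """Shortest length over this alphabet that reaches the target strength."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def human_duration(seconds):
    """Largest convenient unit, one decimal place."""
    units = [("centuries", 100 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
             ("weeks", 7 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def cracking_table(alphabet_size, lengths=range(8, 13), rate=GUESSES_PER_SECOND):
    """Rows of (length, bits of entropy, human-readable worst-case time)."""
    return [(n, round(entropy_bits(alphabet_size, n), 1),
             human_duration(seconds_to_exhaust(alphabet_size, n, rate)))
            for n in lengths]


if __name__ == "__main__":
    for name, size in [("lowercase letters only", 26),
                       ("letters, digits and symbols", 95)]:
        print(name)
        for n, bits, t in cracking_table(size):
            print(f"  {n:2d} chars  {bits:5.1f} bits  {t}")
    # Five words from a 7776-word Diceware list versus random characters:
    bits = entropy_bits(7776, 5)
    print(f"5 Diceware words = {bits:.1f} bits = "
          f"{length_for_bits(bits, 95)} random chars from 95 symbols")
```

Two things the table in the post does not show jump out when you run this: multiplying the alphabet by 3.6 (26 to 95 symbols) buys far less than adding four characters, and a five-word passphrase, which is easy to remember, is worth about ten fully random characters. Either way, a password generator or a word list beats anything made from a name and a year.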