If we've learned one thing from this Yahoo hack, it's that even after countless blogger and security expert pleas for smarter choices, people continue to create amazingly obvious passwords, leading us to wonder if they might be doing it on purpose. And if so, bravo!
In today's Yahoo Voices breach, for example, the most popular choice for account security were the now familiar most popular password when logins are breached: "123456" followed by "password." At face value, it's hard to see these password pickers as smart. They would be regarded by experts and any half-seasoned Internet user as incredibly weak passwords. And it's fun to laugh about the fact that there are some truly unskilled individuals left in digital humanity. These computer users should have already learned the importance of password safety from years of menacing hackers. If not, then last month's LinkedIn or eHarmony hacks should have resonated. But maybe these password pickers have learned. And they're the ones laughing, having picked those dumb passwords with full awareness of the online password situation.
General Internet thinking says the best way to ensure online safety is to pick different "strong passwords" for all your Internet selves and then change them often. That, as this XKCD comic illustrates, is exhausting and often counterproductive.
For some things, we want crazy, hard to guess (and hard to remember) passwords. Like, for our online banking accounts, or our email, which can be used to reset so many of our other passwords. But just as people use flimsy locks for their luggage and big hulking deadbolts for their front door, not all passwords need to be the same strength. As The Atlantic's James Fallows taught us after a Gawker password leak compromised the security of his wife's Gmail account, the biggest security threat of these passwords dump is if you use the same password -- strong or weak -- for everything.
Not all passwords we use are meant to keep us safe. Often they're just to verify to a server who we are. When it first launched, the widely used reader app Instapaper didn't even use passwords: you just entered your email address and it would show you your list of saved articles. If you're checking out Lady Gaga's Little Monsters site, or you want to take Rebel Mouse for a spin, you might want to pick something quick and easy because you have no intention of using these sites very often if ever again. Or, the same tactic might apply if you just want something to get you past the New Yorker or Wall Street Journal paywalls, since getting through the gate doesn't lead to anything too personal. In these situations, that's a smarter move than using the same password you use for Gmail. Since passwords should differ, it makes sense that the bottom of the totem pole sites get weak, disposable passwords. Especially at places that have weak security, like Yahoo Voices, where some hacker group is bound to game the system anyway.
Some might call this defeatist, but we call it practical. The other way to ensure perfect security is to pick a lot of different 14 character long codes. The bigger and more complicated the password, the harder to hack, obviously. But there is a point when passwords go from possible to very impossible to game. For example, a 14 character password, even with all lowercase letters, would take a brute force hacker 2,046 millennia to crack, explains one hacker on his personal blog OneMansBlog. "Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries," he adds alongside a useful chart of how long it would take to hack certain types of passwords. So, you could just make even your most mundane accounts that you might only log into one time different long, complicated strings, adding more asterisks just in case. That would work. Of course, you shouldn't write down that impossible to remember code. And isn't a password forgotten like having no account at all?