Kill the Password: Why a String of Characters Can't Protect Us Anymore | Gadget Lab | Wired.com
Eric Barker stashed this in Security
Mother of God, this sucks:
This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.
I'm with him. This sucks. We need a better way.
How to survive the Password Apocalypse
Don't:
Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all.
Use a dictionary word as your password. If you must, then string several together into a pass phrase.
Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
Use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.
Do:
Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name—like [email protected], so it can’t be easily guessed.
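The two "don't" items about number substitutions and short passwords are easy to take on faith; the added example below (my own code, not from the Wired piece or any cracking tool) makes them concrete. It expands each dictionary word through a small leet/case rule table the way hashcat- or John-style rule engines do, runs the candidates against a constructed set of unsalted SHA-256 hashes, and then estimates worst-case brute-force time for a six-character random password versus a five-word passphrase. The word list, the hashes, the rule table and the guess rate of 10^10 per second are all constructed assumptions for the example; real leaked databases use whatever hash the site chose, and real rule sets are far larger.

```python
import hashlib
import itertools

# Constructed subset of the leet substitutions that rule-based crackers ship with.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def leet_variants(word):
    """Yield every case + leet variant of `word`.

    This is what a cracker's rule set expands ONE dictionary entry into, so
    "P455w0rd" is only a few thousand guesses away from "password".
    """
    per_char = []
    for ch in word.lower():
        choices = {ch, ch.upper()} | set(LEET.get(ch, ""))
        per_char.append(sorted(choices))
    for combo in itertools.product(*per_char):
        yield "".join(combo)


def sha256_hex(s):
    # Unsalted SHA-256 stands in for whatever a leaked database used.
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hashes, wordlist):
    """Dictionary + leet-rule attack.

    Returns ({hash: recovered_plaintext}, guesses_made). Stops early once
    every target is recovered; otherwise exhausts the whole rule-expanded list.
    """
    found = {}
    pending = set(target_hashes)
    guesses = 0
    for word in wordlist:
        for candidate in leet_variants(word):
            guesses += 1
            h = sha256_hex(candidate)
            if h in pending:
                found[h] = candidate
                pending.discard(h)
                if not pending:
                    return found, guesses
    return found, guesses


def seconds_to_exhaust(alphabet_size, length, guesses_per_second=1e10):
    """Worst-case brute-force time for a uniformly random password/passphrase.

    alphabet_size is the number of symbols per position: 95 printable ASCII
    characters, or 7776 words for a diceware-style passphrase.
    """
    return alphabet_size ** length / guesses_per_second


# Constructed sample data: a tiny word list and three stored hashes.
SAMPLE_WORDLIST = ["letmein", "password", "welcome", "dragon"]
SAMPLE_HASHES = [
    sha256_hex("P455w0rd"),  # "clever" substitution of a dictionary word
    sha256_hex("Dr4g0n"),    # same idea, different word
    sha256_hex("h6!r$q"),    # random but short: not in the word list
]

if __name__ == "__main__":
    recovered, guesses = crack(SAMPLE_HASHES, SAMPLE_WORDLIST)
    print(f"recovered {len(recovered)} of {len(SAMPLE_HASHES)} in {guesses} guesses")
    for h, pw in recovered.items():
        print(f"  {h[:12]}... = {pw}")
    print(f"6-char printable ASCII, worst case: {seconds_to_exhaust(95, 6):.0f} s")
    print(f"5-word diceware passphrase, worst case: {seconds_to_exhaust(7776, 5) / 86400 / 365:.0f} years")
```

Two things to take from running it: "P455w0rd" and "Dr4g0n" fall to fewer than five thousand guesses because substitutions only multiply a dictionary word's variants by a small constant, while "h6!r$q" survives the word list but would not survive the brute-force pass that follows, since 95^6 guesses at 10^10 per second is about a minute. Length, not cleverness, is what moves the passphrase estimate into decades.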
Teenagers are very inventive:
But teenagers are, if anything, scarier, because they’re so innovative. The groups that hacked David Pogue and me shared a common member: a 14-year-old kid who goes by the handle “Dictate.” He isn’t a hacker in the traditional sense. He’s just calling companies or chatting with them online and asking for password resets. But that does not make him any less effective. He and others like him start by looking for information about you that’s publicly available: your name, email, and home address, for example, which are easy to get from sites like Spokeo and WhitePages.com. Then he uses that data to reset your password in places like Hulu and Netflix, where billing information, including the last four digits of your credit card number, is kept visibly on file. Once he has those four digits, he can get into AOL, Microsoft, and other crucial sites. Soon, through patience and trial and error, he’ll have your email, your photos, your files—just as he had mine.
Give someone enough time and s/he can break into anything.
The age of the password is dead:
The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.
Instead, our new system will need to hinge on who we are and what we do: where we go and when, what we have with us, how we act when we’re there. And each vital account will need to cue off many such pieces of information—not just two, and definitely not just one.
That last point is crucial. Multi-factor authentication is really important going forward.