If you think a jumble of letters and numbers can keep you safe online, think again. The password as protector against internet intrusion is all but dead, fatally crippled by human fallibility and the forces of crime, malice and mischief arrayed against it.
Since Bill Gates warned in 2004 that passwords were nearing the limits of their utility, the idea that even ''strong'' passwords can ward off cyber marauders has been exposed as delusion. Millions of customers of big web brands such as Sony PlayStation, Yahoo!, LinkedIn, Gawker, Evernote and eHarmony have had their login details stolen or posted online.
''We have pretty well established that passwords don't really work,'' says Graham Ingram, who manages the University of Queensland's Australian Computer Emergency Response Team. ''The problem is we don't have a viable alternative. You are not protected and frankly you can't protect yourself.'' Hack methods have become so sophisticated that ''for most people it is a matter of time before they get done''.
''Anyone who runs a website where they have any form of account security will be dealing with compromised accounts on a daily basis,'' says Alastair MacGibbon, director of the centre for internet safety at the University of Canberra.
Most online frauds rely on password manipulation to penetrate accounts, says Detective Superintendent Col Dyson, commander of the NSW Police fraud and cybercrime squad. He says Australians have a ''very laissez-faire attitude towards security, until they are bitten''.
Chris Gatford, whose consultancy HackLabs is paid by companies and organisations to break in and expose their security flaws, says cracking passwords is method No.1, and ''Password1'' is the most common password in clients' cracked databases. HackLabs uses a technique popular among hackers called ''socialling'', which involves researching employees so as to guess their passwords, persuading service providers to reset them and tricking employees into revealing passwords or clicking on rogue links. Social media profiles, postings to chat rooms, associations with sporting or other interest groups all give clues.
Free online software tools that use algorithmic search programs to automate password cracking are so accessible, effective and quick that ''any idiot can do it'', wrote Wired senior writer and hack attack victim Mat Honan.
Most of his personal digital history, including every photograph he had taken of his 18-month-old daughter, was erased from all his devices within an hour by a hacker who ''socialled'' him, despite his having robust passwords.
Using the same password for several accounts is the biggest mistake but most people make it, Mr Dyson says. In time passwords will become just one of several account locks. Increasingly, organisations such as eBay and Amazon and banks require two-step verification, where you enter a code sent to your mobile or a pre-issued security token to complete the login.