Lately, I've been thinking a lot about passwords. Several of my friends and colleagues have had personal passwords stolen somehow, and their email accounts were broken into. For some reason I can't understand, the password thieves have used the stolen email accounts only to send links to malicious websites to various people on the victims' contact lists. Seems to me they could do a lot more damage. After all, isn't it kind of obvious that a friend's email account has been hacked when you receive a message from his address that contains nothing more than a seemingly random URL?
In any case, these account takeovers have led me to wonder how the passwords are getting stolen. At first, I assumed the victims chose easy-to-guess passwords (like a variation of their account name, or the word "password," or something simple like "letmein"). But as these account takeovers have occurred more frequently, I've questioned my acquaintances about their passwords. Most have assured me that they chose complex passwords. So what else could be happening? I suppose keyloggers are not out of the question, but the people I asked told me they run current antivirus software and keep their applications up to date. Perhaps the attackers are going after the password databases directly. But we're talking about major email service providers, along with other well-known places like Facebook. Could all of those providers have been breached and their password databases stolen? Or maybe the attacks are against the password reset mechanisms. Who knows?
The only thing I know for sure is that passwords are being stolen, somehow. And the victims come to me for advice, regardless of whether they are friends and family or professional colleagues. What can I tell them?
The best advice I can come up with is to choose longer passwords. The longer, the better. I tell people to pick two or more words and string them together, preferably with a number or punctuation mark in between. This is commonly referred to as a passphrase, rather than a password (to distinguish the technique by its length). Time will tell how well this technique foils the attackers.
Frustratingly, I've found that my own webmail provider won't take a password longer than 15 characters, and my in-home network equipment (made by a major manufacturer) can't take more than 12. That seems like a foolish limitation, and it constrains my ability to mandate longer passwords in the workplace. I'd like to make a security policy statement about making the minimum password length more than the age-old eight characters, but first I'll need to find out what each technology will support. I'd like to require passphrases of at least, say, 16 characters at my company, but I can't do it if the limitations of the authentication systems we use will make my policy unsupportable and unenforceable.
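As an added example (not part of the original column), here is a small policy check in Python that applies the passphrase advice above: a minimum of 16 characters, at least two words joined by a number or punctuation mark, and rejection of the weak choices mentioned (a variation of the account name, "password", "letmein"). It also reports which systems, given their maximum accepted password length, could not enforce that minimum; the system names and limits in the inventory are constructed from the figures in the text, not taken from any real product.

```python
import re
import string

MIN_PASSPHRASE_LENGTH = 16
# Weak choices named in the column; a real deployment would use a much larger list.
WEAK_WORDS = {"password", "letmein"}


def policy_findings(candidate: str, account_name: str) -> list[str]:
    """Return the policy violations for a candidate passphrase (empty list = acceptable)."""
    findings = []
    lowered = candidate.lower()
    if len(candidate) < MIN_PASSPHRASE_LENGTH:
        findings.append(f"shorter than {MIN_PASSPHRASE_LENGTH} characters")
    # "Variation of the account name": the local part of the account appears inside it.
    local_part = account_name.split("@")[0].lower()
    if local_part and local_part in lowered:
        findings.append("contains the account name")
    # "password" or "letmein" with digits or punctuation tacked on the end is still weak.
    core = lowered.rstrip(string.digits + string.punctuation)
    if core in WEAK_WORDS:
        findings.append("a well-known weak password")
    # Passphrase structure: two or more words, separated by a number or punctuation mark.
    words = [w for w in re.split(r"[^A-Za-z]+", candidate) if len(w) >= 3]
    if len(words) < 2:
        findings.append("fewer than two words")
    if not re.search(r"[^A-Za-z]", candidate):
        findings.append("no number or punctuation between the words")
    return findings


def unsupporting_systems(max_lengths: dict[str, int], minimum: int = MIN_PASSPHRASE_LENGTH) -> list[str]:
    """Names of systems whose maximum accepted length is below the policy minimum."""
    return sorted(name for name, cap in max_lengths.items() if cap < minimum)


# Constructed inventory using the limits mentioned in the column (names are placeholders).
SYSTEM_MAX_LENGTHS = {"webmail": 15, "home-router": 12, "corporate-directory": 64}

if __name__ == "__main__":
    for pw in ("letmein1", "jsmith2024!jsmith2024!", "correct-horse-battery9staple"):
        print(pw, "->", policy_findings(pw, "jsmith@example.com") or ["ok"])
    print("cannot enforce policy:", unsupporting_systems(SYSTEM_MAX_LENGTHS))
```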