Data Privacy Day: Passwords are broken but here are partial fixes

By Larry Magid

Thursday, January 28th was Data Privacy Day, but if you missed it, that’s OK. Every day is a good day to pay attention to privacy and security.

Broken passwords

Just about everyone I know in the tech security field agrees that passwords are broken. They have the unique distinction of being hard for legitimate users and easy for hackers. As hard as it is for us to remember and use our passwords, it’s relatively easy for bad guys to guess them, steal them or circumvent them. We’ve already seen massive password theft with attacks on Sony, Time Warner Cable and many other organizations, including government agencies and schools.

Security experts recommend that you use long passwords (at least eight characters; more is better, and some say 14 or more) and that they not be dictionary words, real names, birthdates or anything else that can easily be guessed by humans or software.

Later I’ll tell you some tricks to create a relatively strong password, but even if you use these, your passwords are not 100 percent secure. There are ways to steal or break even the most secure passwords, though having a secure password greatly reduces the chances of someone breaking into your accounts, just like locking your door protects you from most thieves, even though there are ways to break or pick most locks.

Dual or multi-factor authentication

One way to greatly strengthen your password is to enhance it with another authentication system. It’s called “two factor” or “multi-factor” authentication and it works the same way your ATM card does. Access requires something you have and something you know. The most common form of dual factor authentication, supported by Google, Facebook, Apple and many other companies, is requiring that you access your smartphone before you can use a site from an unknown device. In some cases, you get a text message with a code that you have to type in before you can access the site. Others require that you use an app on your phone to provide permission when logging on to another device. Either way, you need to have physical possession of your phone as well as your password to get in.

To avoid annoying you constantly, most dual factor authentication schemes only kick in when you are using a device or a browser that you haven’t previously used with that service. That won’t prevent someone who has access to your PC or phone from logging in if they know your password, but it will make it considerably harder for a remote attacker to break in, which is the main risk that we worry about.

Dual factor authentication can add a little more hassle, and if you clear the cookies from your browser, you may have to use it again even on a device you’ve used before. You may also be required to use it if you’re traveling. Speaking of traveling, there could be times when you don’t have access to your phone, such as when you’re out of the country, you can’t find it or the battery dies. That’s why there is usually a backup code; it’s typically a long sequence of numbers that you’ll need to write down and carry in your wallet.

Writing it down may not be as dangerous as you think

Speaking of wallets, you may have heard that it’s dangerous to write down such codes. And while there is the remote possibility that someone could steal your wallet, find the code, figure out what it is and use it to break into a site, that is a lot less likely than a hacker somewhere far away breaking a password. If I do write down codes, I try to obscure them as if they’re phone numbers or serial numbers.

There are also special devices or “keys” that can be used for verification. Palo Alto-based Yubico has a number of solutions, including its YubiKey Neo, a USB key with NFC (near field communication) capability so that it works with some tablets and smartphones as well as PCs and Macs.

Someday we won’t need passwords

Eventually, we won’t need passwords or authentication devices. Already, newer phones from Apple, Samsung, Google and others have fingerprint recognition. You still need a PIN or a swipe pattern as a backup but — in my experience — the fingerprint readers work quite well. Fingerprint recognition is just one form of biometric authentication; others include facial recognition, iris scanning and more. A 2015 report by Goode Intelligence predicts that biometric authentication will become the predominant means of authentication for the banking industry by 2020, leading to a $5.5 billion market for companies delivering solutions to banks.

In the meantime, there are some things you can do to make sure your passwords are as strong as possible. Passwords should be relatively long and include uppercase and lowercase characters, symbols and numbers. Never use names or dictionary words. Never use the same password for multiple sites, and change them every few months or when you think you may have been compromised. It sounds daunting, but here’s a trick that can help. Think of a phrase that only you can remember, like “I started 7th grade at Lincoln Middle School in 1972,” and use the initial of each word, like this:

“Is7gaLMSi#1972.” Then make the password at least a little different for each site (by adding a couple of letters unique to that site). On some sites you might even be able to type in the entire phrase.
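As an added illustration (not from the column), here is the phrase-to-initials trick above written out as a small script, together with a check of the resulting password against the rules the column lists (length, mixed case, digits, a symbol, not a dictionary word). The digit handling, the placement of the symbol before the last number, the per-site suffix scheme and the tiny word list are assumptions made for this example.

```python
import re

# Constructed stand-in for a dictionary/common-password list (assumption for this example).
COMMON_WORDS = {"password", "lincoln", "school", "letmein", "welcome"}


def initials_from_phrase(phrase, symbol=""):
    """Build the initial-of-each-word password the column describes.

    Words that start with digits contribute their leading digits
    ("7th" -> "7", "1972" -> "1972"); other words contribute their first
    letter with its original case.  If `symbol` is given, it is inserted
    before the last number, which reproduces the column's "#" placement.
    """
    tokens = []
    for word in phrase.split():
        word = word.strip("\"'.,!?")          # drop surrounding punctuation
        if not word:
            continue
        digits = re.match(r"\d+", word)
        if digits:
            tokens.append(digits.group())
        elif word[0].isalpha():
            tokens.append(word[0])
    if symbol:
        for i in range(len(tokens) - 1, -1, -1):
            if tokens[i].isdigit():
                tokens.insert(i, symbol)
                break
    return "".join(tokens)


def for_site(base, site_tag):
    """Per-site variation: append a couple of letters unique to that site (assumed scheme)."""
    return base + site_tag


def check_strength(password, minimum=14):
    """Report which of the column's rules the password satisfies."""
    return {
        "long_enough": len(password) >= minimum,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
        "not_dictionary_word": password.lower() not in COMMON_WORDS,
    }


if __name__ == "__main__":
    pw = initials_from_phrase("I started 7th grade at Lincoln Middle School in 1972", "#")
    print(pw, check_strength(pw), for_site(pw, "gm"))
```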

There is more advice on how to create and manage passwords and use password managers and other authentication tools at