For a Safer Internet We Need to Solve the Password Problem

February 7, 2019 – I have more than 30 different passwords for the many online activities I engage in. I use elaborate mnemonics to try and remember all of them because security companies tell you never to write these important strings of letters, numbers, and symbols down. But most of us don’t go nearly that far in managing passwords, and that is what makes the Internet less safe than it can be.

February 5th was Safer Internet Day, set aside to educate the public about cybersecurity risks. A Harris Poll commissioned by Google indicated that 65% of Americans use the same password on multiple accounts. It’s understandable but it is also a vulnerability. Why? If a password is stolen from one of your accounts then a hacker can use it to try and access all of your other password protected sites. That could be your bank, your credit cards, your WiFi key, your health and insurance information, and more.

Remembering different passwords is considered by 60% of those polled by Harris and Google to be the single most significant point of pain. That’s why a single password gets used more often than not for many different online sites and applications.

So what to do? The simple answer is to create unique passwords for every online application. But for a person my age, now 70, trying to remember all those passwords usually leads me to repeatedly attempting to get into one or more of my online accounts with multiple attempts because my mnemonic memory fails me.

Do we all need to become security experts if we want to continue to use the Internet? Obviously not.

Stealing passwords these days seems to have become a profitable business. It doesn’t seem that a week goes by without an embarrassing story appearing in the news about a major bank, corporation, online service, or application, in which millions of passwords and user identities have been stolen. It’s happened to Equifax, Facebook, LinkedIn, Yahoo, Google+, Macy’s, Adidas, Sears, Kmart, Delta Airlines, BestBuy, Saks Fifth, Lord & Taylor, Whole Foods, Panera Bread, Arby’s, and Sonic – many of these just in the last year.

For those of you who continue to use “password” or “12345678” as your means of securing access to the Internet, I have no sympathy. But for the rest of you, I realize just how intimidating the idea is to remember so many different combinations of numbers, letters, and symbols. Having said that you owe it to yourselves to recognize the vulnerability of using the same passwords for different accounts because once cracked by a hacker, everything you do online can be leveraged or stolen.

Popular Mechanics published an article back in 2013 called “Solving the Password Problem.” In it, author Rachel Z. Arndt wrote: “It’s not all that hard to turn a mediocre password into a great one.” She went on to show a progression from a vulnerable to an invulnerable password and the estimated time to crack:

• Password: Aquarius, Time to Crack: 9.08 minutes
• Password: Aquarius1, Time to Crack: 1.59 days
• Password: Aquar$ius1, Time to Crack: 19.24 years
• Password: Aqu56ar$iu3s, Time to Crack: 17,400,000 years

Another route to go is to use a password manager. These are programs designed to automatically fill the username and password for sites where you have accounts. These tools come in free and premium versions and can store the details of your login information on your local hard drive or on one of their own secure servers. A short list of password management tools follows:

• LastPass – secures and stores user IDs and passwords across browsers and for any Internet device. You create one master password and it manages access to every application and online account you have. The premium version adds secure cloud storage and contingency plans to give designated individuals access to your account information in the event of an emergency.
• Dashlane – protects all logins, passwords, payment information and other personal data on the web. It includes a business version to help secure the sharing of information within a company, and with customers and suppliers. The free version stores up to 50 passwords using one device. The premium version has unlimited password storage, syncs across multiple devices, and offers virtual private network (VPN) connectivity when using unsecured WiFi access points like an Internet café hot spot.
• RoboForm – has been around since 1999 to automatically manage passwords and logins to websites. Using RoboForm2Go you can bring the technology with you anywhere using a USB or U3 key. I currently am test driving this password manager.
• KeePass – is an open source secure password generator that requires a little more work on the part of users to download and install. It can run from a USB key and supports a wide range of browsers and files. Because it is open source the user community is constantly contributing improvements and addressing any security issues that come up. I wouldn’t recommend it for a first time password manager user.
• Sticky Password – is a product developed by AVG Antivirus, a free virus protection provider that no doubt some of my readers use on their systems. Sticky supports fingerprint authentication on mobile devices and can be run from a USB key. If you buy the premium version a portion of the fee is donated by the company to save manatees.

For additional password managers check out this link.

Note that I introduced the term VPN in my description of the Dashlane password management tool. VPNs are usually associated with corporations to provide secure access to an office network from remote locations. But now you can purchase a personal VPN for as little as $3.33 USD per month. What a personal VPN does is hide your Internet activity from public view. By providing secure protection and fail-safe kill switches, your online browsing and account usage remains private. VPNs employ military-grade encryption so password and user IDs are no longer a challenge. If you want to go this route, check out PureVPN.

And finally, a word about artificial intelligence (AI) and password security. Perceived as the latest threat are machine learning system tools that are getting very good at predicting the passwords we choose to use. How good? In a recent experiment conducted by researchers at the Stevens Institute of Technology, ETH Zurich, and the New York Institute of Technology, a deep learning password guessing tool was able to figure out up to 73% of passwords used from a sample of LinkedIn users. All the more reason to consider using a password management tool that protects you from AI assisting the next generation of hackers.