May 02 2014

Password Evaluation in a Post-Heartbleed Web

Striking a balance between complex and memorable passwords can be tough.

With decryption software and hackers on the prowl and security sinkholes like Heartbleed popping up without warning, you simply can’t hide behind “password1” anymore.

The Heartbleed vulnerability has reportedly been neutralized by OpenSSL patches, and online security experts are recommending that users change their passwords on any site affected by it — which means now is a good time to re-evaluate the logic behind the passwords you use on a regular basis.

A few well-chosen keystrokes are all that stand between hackers and your most personal information. So, what makes a good password?

Google recommends keeping distinct passwords for each of your accounts. This limits your exposure should one password be compromised. Some sites also allow users to enable two-factor authentication upon each login, further complicating any hacking attempts.

Diversifying a password with numbers and punctuation ensures it can’t be easily guessed, and it slows down cracking attempts. But this practice tends to create passwords that are difficult to remember.

PCMag suggests phrase-based passwords that are easy to remember. Avoid using easily guessable dictionary words, and instead use mutations of phrases with numbers and punctuation (for example, L@dyG@g@!). But mutate too far, and you’ll have a password you can’t remember.

It’s also good to review your password storage practices. CDW security engineer Dave Russell warns against storing all your passwords in a password-protected spreadsheet. Such files just aren’t secure enough to safeguard against hacking attempts, he says.

“Even password-protected, these documents are at risk of compromise — some vendors even claim that they can crack these protected documents ‘almost instantly,’” Russell says.

Longer, Not More Complex

A 2011 report from Carnegie Mellon University on the subject of password creation concluded that shorter, more complex passwords were the hardest for users to create, due to elaborate rules requiring different cases or punctuation marks. Often users just gave up, according to the report.

But these tough passwords weren’t necessarily the best. When tested, longer, simpler passwords were the toughest to crack. Specifically, 16-character passwords — even those with lax requirements — were much more difficult to crack, Ars Technica reports.

Think you’ve got a good idea for a password now? Put it to the test using this Microsoft site.
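As an added illustration (not part of the original article, and not the Microsoft checker linked above), the following Python script estimates the search space a blind attacker faces for a password and, like a rule-based cracker, undoes leet substitutions to spot a mutated dictionary phrase such as L@dyG@g@!. It goes slightly beyond the article by comparing a short complex password with a 16-character lowercase one; the tiny wordlist and the assumed 16 mutation rules are constructed for the example.

```python
import math
import re
import string

# Constructed stand-in for a cracking wordlist (assumption; real lists hold millions of entries).
COMMON_WORDS = {"password", "ladygaga", "welcome", "letmein", "qwerty", "monkey"}

# Leet substitutions that rule-based crackers try in both directions.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

# Character classes and the alphabet size each one adds to the search space.
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), len(string.punctuation) + 1),  # symbols plus space
]

# Assumption: a cracker applies roughly 16 cheap mutation rules (case flips, suffixes, leet) per word.
MUTATION_RULE_BITS = 4

def keyspace_bits(password: str) -> float:
    """Bits of work for a blind search that knows only the length and character classes used."""
    alphabet = sum(size for rx, size in CLASSES if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def base_word(password: str) -> str:
    """Strip a trailing suffix and undo leet substitutions to recover the phrase underneath."""
    core = re.sub(r"[!?.,;:_\-]*\d*[!?.,;:_\-]*$", "", password)
    return re.sub(r"[^a-z]", "", core.translate(LEET).lower())

def evaluate(password: str) -> dict:
    """Report raw keyspace bits and the far smaller effective bits if the password is a mutated word."""
    raw = keyspace_bits(password)
    mutated = base_word(password) in COMMON_WORDS
    effective = math.log2(len(COMMON_WORDS)) + MUTATION_RULE_BITS if mutated else raw
    return {"raw_bits": round(raw, 1), "effective_bits": round(effective, 1), "dictionary_mutation": mutated}

if __name__ == "__main__":
    for candidate in ("L@dyG@g@!", "Tr0ub4d!", "mycatlikesthesun"):
        print(candidate, evaluate(candidate))
```

The 16-character lowercase phrase scores around 75 bits against roughly 53 for the 8-character mixed password, while the leet-mutated celebrity name collapses to a handful of bits once the cracker's rules are taken into account.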

An alternative strategy quickly gaining popularity is a password management service, such as 1Password or KeePass. These offer a way to keep a complex array of passwords in a vault accessible with a single password. Just keep that magic phrase to yourself.

If you’ve forgotten your password, can’t recover it or think your account has been compromised, the contact information you provided may be your last line of defense. If you haven’t updated your information in a while, now would be a good time to check your accounts.