Hacked passwords can compromise company data security. Strategies for creating the best passwords
"Breaking: Bill O'Reilly is gay." That message was sent from the Fox News Twitter feed in January. A hacker had broken into Twitter's systems, thanks to a weak password chosen by a Twitter employee. By using a so-called dictionary attack -- a program that guesses passwords by systematically trying every word in the dictionary -- the hacker had figured out a Twitter employee's password: happiness. After gaining access to Twitter's systems, the hacker leaked the passwords used by Fox News and several celebrity Twitter users, including Britney Spears and Barack Obama. Some of those Twitter feeds were subsequently filled with obscenities and links to pornography.
Then, in July, another hacker broke into a Twitter employee's personal e-mail account and was able to find a password the employee used for several Web services, including Google Apps, which Twitter employees use to share private company documents. The hacker then forwarded the sensitive information to a popular technology blog, which published many of the documents, including notes from company meetings.
As Twitter learned the hard way, data security measures are useless if a hacker manages to get an employee's password. And yet most people are pretty lazy when it comes to passwords. Security experts recommend using a different password for each application, but a survey by Sophos, a security firm, found that 81 percent of respondents used the same password for multiple sites. About a third of them used the same one for everything.
Many people use very simple passwords: Two of the most commonly used are password and password1. Others tend to choose easy-to-remember words or dates. These weak passwords are no match for a dictionary attack, say security experts. Automated password-cracking tools can check more than a million password variations in 28 hours. Passwords composed of random strings of uppercase and lowercase letters, numbers, and punctuation, such as J, can usually withstand an attack, but those are tough to remember.
Fortunately, there are some ways to create strong, memorable passwords. Two words connected by a number can thwart many dictionary attacks. So can using a full sentence, such as Jane Smith's Salesforce login is password, or a line from a song or a nursery rhyme. For online applications that cap password lengths, try a mnemonic, or memory aid, such as an abbreviation. For instance, take the first letter of each word in the phrase Jane Smith's Salesforce login is password. Then, to make it stronger, add an 's and substitute the number 1 for the letter l and an equal sign for is. You get JS'sS1=p, a very good eight-character password. Other tricks for strengthening abbreviation passwords are to swap an @ sign for an a and the number 3 for an e. You can vary this formula for each application you use.
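The abbreviation recipe above, and the dictionary-attack weakness it is meant to defeat, can both be made concrete in code. The following Python is an added example, not code from the article or from any of the tools it names: `mnemonic_password` carries out the article's steps (first letter of each word, keep a possessive 's, "is" becomes "=", then the l/1, a/@ and e/3 swaps), and `audit_password` applies the kind of checks a dictionary-style audit would, including undoing those same symbol swaps, which a cracker's rules also do. The word list is a constructed stand-in for a real dictionary and leaked-password list, and the "three character classes" and eight-character thresholds are assumptions chosen for illustration.

```python
# Added example (not from the article): build the article's mnemonic
# password and audit a password the way a dictionary attack would probe it.

# Substitutions the article describes for strengthening an abbreviation.
WORD_SUBSTITUTIONS = {"is": "="}
LETTER_SUBSTITUTIONS = {"l": "1", "a": "@", "e": "3"}

# Reverse map: what a cracker's rule set would try in order to undo the swaps.
SYMBOL_TO_LETTER = {"1": "l", "@": "a", "3": "e", "0": "o", "$": "s"}

# Constructed mini word list; a real audit loads a full dictionary plus
# lists of leaked passwords.
COMMON_WORDS = {"happiness", "password", "letmein", "welcome", "salesforce"}


def mnemonic_password(phrase: str, letter_subs=None) -> str:
    """Turn a memorable sentence into an abbreviation password.

    Steps, following the article's recipe:
      1. take the first letter of every word, keeping its case;
      2. keep a possessive 's ("Smith's" -> "S's") so punctuation survives;
      3. replace the word "is" with "=";
      4. swap letters for look-alike symbols (l->1, a->@, e->3 by default).
    """
    subs = LETTER_SUBSTITUTIONS if letter_subs is None else letter_subs
    parts = []
    for word in phrase.split():
        core = word.strip("\"'.,!?;:")  # ignore surrounding punctuation
        if not core:
            continue
        if core.lower() in WORD_SUBSTITUTIONS:
            parts.append(WORD_SUBSTITUTIONS[core.lower()])
            continue
        token = core[0]
        if core.lower().endswith("'s"):
            token += "'s"
        parts.append(token)
    abbreviation = "".join(parts)
    return "".join(subs.get(ch, ch) for ch in abbreviation)


def dictionary_candidates(password: str):
    """Variants a dictionary attack tries: lowercase, trailing digits dropped,
    symbol swaps undone. Any of them matching a word list is a hit."""
    base = password.lower()
    yield base
    stripped = base.rstrip("0123456789")
    yield stripped
    yield "".join(SYMBOL_TO_LETTER.get(c, c) for c in stripped)


def audit_password(password: str, wordlist=COMMON_WORDS) -> list:
    """Return a list of weaknesses found; an empty list means no finding."""
    findings = []
    if len(password) < 8:  # assumed minimum length for this example
        findings.append("shorter than 8 characters")
    if any(cand in wordlist for cand in dictionary_candidates(password)):
        findings.append("matches a dictionary word or common password")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:  # assumed threshold for this example
        findings.append("uses fewer than three character classes")
    return findings


if __name__ == "__main__":
    phrase = "Jane Smith's Salesforce login is password"
    strong = mnemonic_password(phrase)
    print(phrase, "->", strong)            # JS'sS1=p
    for pw in ("happiness", "password1", "P@ssw0rd", strong):
        print(f"{pw!r}: {audit_password(pw) or 'no findings'}")
```

The point the audit makes is that `P@ssw0rd` still fails: the a/@ and o/0 swaps are part of every cracking tool's rule set, so on their own they add little. The mnemonic survives because the underlying string `JSSlip` is not a word in any list, and the swaps are then a bonus rather than the whole defence.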
Vaclav Vincalek, president of Pacific Coast Information Systems, an IT and security consultancy in Vancouver, British Columbia, uses a different mnemonic. He picks a pattern on his keyboard, like the triangle formed by the c, 6, and n keys. He enters the keys of the pyramid twice: once in lowercase, once in uppercase.
If you still have trouble remembering passwords, there are some technological fixes. Bruce Schneier, a security expert who is chief security technology officer at BT, a telecom company in the United Kingdom, created Password Safe, a free program that stores passwords. Now, he needs to remember only one password -- the one for Password Safe. Other password vaults include RoboForm and Mitto.
Some programs -- Passlogix, Imprivata, and myOneLogin -- let companies manage employee passwords for applications inside and outside the firewall for as little as $3 per user per month. Such programs tout their ability to give workers a single sign-on, one login for access to their corporate network, e-mail, and applications.
There's also software that keeps tabs on whether employees use strong passwords. Password auditing programs such as L0phtCrack, which costs $295 and up, apply various hacking techniques to check user password strength. More sophisticated -- and more costly, at $13,000 and up for a software license -- security tools such as Cloakware, Cyber-Ark, and e-DMZ Security can bar an employee from using the same password for, say, logging in to e-mail as for checking the company financials.
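The reuse check those tools perform, barring one password from serving both e-mail and the financials, is simple to express. The following Python is an added illustration, not code from Cloakware, Cyber-Ark, e-DMZ Security or any other product named here. It assumes an inventory of application-to-password pairs (a constructed sample is embedded) and treats passwords that differ only in case or a trailing number, such as `password` and `Password1`, as the same password, since that is how people typically "vary" a reused one. The report keys each group by a truncated SHA-256 digest so the output itself does not carry plaintext passwords.

```python
# Added example (not from the article or any product it names): find
# passwords reused, or trivially varied, across several applications.
import hashlib
from collections import defaultdict


def normalise(password: str) -> str:
    """Collapse trivial variations so 'happiness', 'Happiness1' and
    'happiness2009' are recognised as the same underlying password."""
    return password.lower().rstrip("0123456789")


def find_reuse(credentials: dict) -> dict:
    """Map each reused password to the applications sharing it.

    credentials: {application: password}. Only groups used by two or more
    applications are reported, keyed by a 12-hex-digit SHA-256 prefix of the
    normalised password rather than the password itself.
    """
    groups = defaultdict(list)
    for app, pw in credentials.items():
        groups[normalise(pw)].append(app)
    report = {}
    for pw, apps in groups.items():
        if len(apps) > 1:
            digest = hashlib.sha256(pw.encode()).hexdigest()[:12]
            report[digest] = sorted(apps)
    return report


# Constructed sample inventory for one employee.
SAMPLE_CREDENTIALS = {
    "email": "happiness",
    "google_apps": "Happiness1",
    "salesforce": "JS'sS1=p",
    "vpn": "happiness2009",
    "financials": "F1n@nc3!",
}


if __name__ == "__main__":
    for digest, apps in find_reuse(SAMPLE_CREDENTIALS).items():
        print(f"password {digest}... shared by: {', '.join(apps)}")
```

Run against the sample, the report flags one group covering e-mail, Google Apps and the VPN, exactly the pattern behind the second Twitter incident, where one password found in a personal mailbox opened the company's shared documents.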
If that sounds too complex, Schneier recommends a low-tech solution: Write your passwords on a sheet of paper and store it in a safe place. Hackers are less likely to break into a locked desk drawer.