Our collection of dangerous password habits
When you log in to Facebook, Instagram, or any other site requiring login, how do you do it? Do you faithfully recite all 8 to 9 characters of your password? Or do you opt for your browser’s automatic login keychain? If you behave like 86% of internet users, Pew Research password statistics show you memorize your passwords.
While conventional password-creation wisdom has taught us to include special characters, use a mix of upper and lowercase, and toss in some numbers, what if your password complexity doesn’t matter? Further, if we constantly create insecure passwords, or just reuse the same one…
…what other risky habits have we fallen into?
Let’s start with some simple advice.
Don’t Share Your Computer. Ever.
Across collaborative environments like college campuses, people commonly share their computers with one another. For example, if I’m working on a group project with you, and you have a document open on your screen, I might ask if I could change something directly on your computer. You might look away at your phone, and it would take me only a few seconds to find your password… but how?
With four easy steps:
1. Go to a site with login. I would choose a site you probably use the same password on as other accounts. If you’re logged in, I’ll just log you out. Perhaps Twitter?
2. Autofill your credentials. This is either part of your browser’s keychain (which automatically fills in your credentials), or a site-specific “Remember me” checkbox.
3. Inspect the password input. If you are using a browser with developer tools (such as Google Chrome's DevTools), you can just right-click in the password area and click "Inspect".
4. Modify the input type to text. You should see an `<input.../>` HTML element highlighted in your inspector window. HTML is the markup language that describes how a website should be structured, including password input fields. Double-click on `"password"` in the `type="password"` attribute and replace it with `text`, so the attribute reads `type="text"`. Then press Enter.
Voila! I have exposed your now-not-so-secret password.
Disclaimer: Obviously, you should never actually try this tactic on someone. I’m only demonstrating how quickly and easily someone with direct access to your computer could harvest your credentials.
So be cautious!
This example also shows why you should always use an "incognito" browser window when accessing sensitive information on someone else's computer. The owner of the computer could travel back into their browser history and either log into your account or just change the "type" attribute of the HTML input element from "password" to "text". At the very least, you should reconsider both using your browser's keychain and leaving your computer open and unlocked for others to use.
What could be worse than a breach on your Twitter account?
Your Email Linchpin
Correct Answer: A breach on your primary email account.
Your email facilitates communication, authentication, and confirmation with many other online applications. You sign up for a website, and you receive a confirmation email. Forget your password, and you receive an email to change it. If it's Gmail, then you can also log in to other sites using your Gmail account. In short, your email password unlocks your other online accounts, especially if you are one of the estimated 43–52% of people who reuse passwords on multiple sites.
If you lose access to your primary email, you lose the master key. To your contacts. Your finances. Your life.
Worse, our password problems seep much deeper than pure irresponsibility.
Humans suck at unpredictability. We follow patterns, use languages that follow patterns, and create passwords that follow patterns. You can peruse a comprehensive list of observed patterns from 10 million leaked passwords. A hacker can easily construct algorithms to try passwords with purely English words and numbers. Introducing randomness will certainly protect against patterned attacks, yet randomness alone will not increase your password’s overall strength.
But do not fear! Password length can help save our online peace of mind.
Length > “Complexity”
Memorizing passwords conveniences us, but a password short enough to memorize no longer remains secure. For proof, I’m putting Princeton’s Department of Computer Science password advice on the spot:
Using a password strength analyzer created by a popular password management application, I received the same result for all of Princeton’s listed passwords:
13 hours?! But it’s so complicated! What if I try mirroring the password to increase its length? Then we see:
Try adding more letters at a time yourself. You’ll realize that the time needed to crack your password increases exponentially with each letter. Longer lengths protect against computers just “brute-forcing” shorter passwords — attempting all character combinations up to a specified length.
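To put numbers on the two points above (that patterned "Word + digits" passwords collapse the search space, and that length multiplies it far faster than extra symbols), here is an added estimator, not code from the original post. The guess rate, the 10,000-word dictionary size and the sample passwords are assumptions for illustration; the post's own analyzer used its own model.

```python
import math
import string

# Assumed offline guess rate (illustrative; the page's analyzer used its own model).
GUESSES_PER_SECOND = 10_000_000_000

def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must assume, from the classes used."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))

def brute_force_keyspace(length: int, alphabet: int) -> int:
    """Number of candidates in an exhaustive search of every length up to `length`."""
    return sum(alphabet ** n for n in range(1, length + 1))

def patterned_keyspace(dictionary_words: int, trailing_digits: int) -> int:
    """Candidates for the common 'Word + digits' habit: one dictionary word,
    optionally first-letter capitalised, then a run of digits."""
    return dictionary_words * 2 * 10 ** trailing_digits

def seconds_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    return keyspace / rate

def mirror(password: str) -> str:
    """The post's trick of appending the reversed password to double its length."""
    return password + password[::-1]

def report(password: str) -> dict:
    space = brute_force_keyspace(len(password), alphabet_size(password))
    return {"length": len(password), "alphabet": alphabet_size(password),
            "bits": math.log2(space), "seconds": seconds_to_exhaust(space)}

if __name__ == "__main__":
    # Constructed sample passwords, not values from the post.
    for pw in ("Tr0ub4d!", mirror("Tr0ub4d!"), "Summer19"):
        r = report(pw)
        print(f"{pw!r:22} len={r['length']:2} alphabet={r['alphabet']:2} "
              f"{r['bits']:6.1f} bits  {r['seconds'] / 86400:.3g} days at full brute force")
    # The same 8-character 'Summer19' seen as Word+digits: 10,000-word list, 2 digits.
    pat = patterned_keyspace(10_000, 2)
    print(f"'Summer19' as Word+digits: {math.log2(pat):.1f} bits, "
          f"{seconds_to_exhaust(pat):.2g} s")
```

Mirroring an 8-character password multiplies the brute-force work by more than 94^8, while the Word+digits estimate shows why a "complex-looking" 8-character password can fall in a fraction of a second.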
But with randomized, longer passwords for every website, how can you even keep track of them all?
A Simple Solution: Password Managers
When you do decide to (finally) stop using your browser’s keychain, you need a place to remember all of your passwords. Especially since now your passwords will be much longer with randomly-selected characters (I hope). Password management software creates strong passwords and stores them securely. Popular applications include Dashlane, LastPass, Keeper, and others. While most password managers do cost money, someone hacking your bank account remains your alternative. People might argue: with this much hassle, passwords no longer present reliable authentication. But for now, we’re stuck with them.
So make sure to construct and guard your passwords wisely.
Your digital life depends on it.