The subject of passwords is one that is both fascinating and frustrating to me. We know that it’s getting easier and easier for hackers to crack our passwords; just three years ago, a nine-digit password would take 44,530 years to crack, but today that same password can be cracked in less than a day, according to Passfault. And yet, when I mention this in speeches that I give, lawyers invariably give a heavy sigh, roll their eyes, and promptly tune out. I know what they’re thinking: “12 digit password? It’s hard enough for me to remember the name of my dog and the numbers 123!” The idea of coming up with a different, really complicated password for every site we visit is just too overwhelming for most people – so they continue to use the same short, repetitive, simple passwords they have used for years.
So we shouldn’t be surprised to find out that the retailers where we set up our passwords are acting as enablers, allowing us to continue this practice of weak password-setting. In a new report out from password manager service Dashlane, the company found some pretty amazing practices among the Top 100 online retailers. Among the findings:
- 55% of the stores still accept notoriously weak passwords like “password” and “123456” (seems like if the other 45% don’t allow it, this should be a simple problem to fix)
- 51% still allow you to keep trying out password after password even after 10 unsuccessful attempts. What this means is that the “brute force” hacker can keep beating away on the lock, until it finally finds a password that will unlock the door.
- 61% do not provide any guidance when setting a password, and 93% do not provide a password strength assessment. I would guess that those Password Strength meters are able to shame at least some people into setting a stronger password.
Interestingly, most of the sites mask your password as you enter it, which actually does very little to secure it – as a general rule, the password blank on a website is not unsecure, unless someone is looking over your shoulder as you enter it.
Security Expert Steve Gibson of Gibson Research Corporation took the data and put it into this great spreadsheet. Take a look and see how your favorite online retailer fared. Spoiler alert: it doesn’t look too good for Amazon, Walmart, or Dick’s Sporting Goods.
There’s no good solution to this problem yet, but it’s not for lack of trying. Google declared last year that “Passwords are Dead,” and companies are already using fingerprints, pictures, and even winking to avoid password-based access, with mixed results. Google talks about eventually moving to hardware token-based authentication, but we’re not there yet. Two-factor authentication is also a good way to secure access to websites – but try telling that to a lawyer who already has to remember a complex password. “Now you want me to use a 6-digit number on top of a password?”
So what do lawyers do now? I’ll come back to the best, easiest way to create and manage secure, complex passwords: the password manager. There are several password managers out there, including:
I’m not going to spend time comparing these tools with one another – although I’m partial to LastPass and 1Password, all of them will do a good job helping you to select and manage passwords. Just pick one and start using it.
In the next post, I’ll show how I use LastPass, so you can see how the workflow is easy and fast once you get the hang of it. In the meantime, let me know what you think – is this an issue that’s being blown out of proportion? If you don’t use a password manager, why not? Share your thoughts in the comments.