This story on stolen passwords caught my attention for a couple of reasons. First, it is from my hometown newspaper, and second, I found it moments after seeing a CNET article referencing a Symantec survey on how often we change our passwords. The result: not very often. The survey found that 63 percent of respondents don't change their passwords very often and 44 percent reuse the same passwords across a variety of accounts.
I totally understand why people want to use the same password for multiple accounts. I fall into that group of 44 percent who have more than 20 accounts that require passwords, and I'm sure I'm like a lot of computer users: Some accounts I log into daily, making the password easy to remember, but others I access once every couple of months, and I struggle to remember what password I created for a particular account. Based on my own experiences and conversations with people in different businesses, most people not only access work-related password-protected e-mail accounts, databases, and files, but also log into bank accounts, Facebook, and personal e-mail on their business computers.
As it states on the Symantec blog:
The fact is, hackers can get through any password if they're given enough time. Your goal should be to make it as painful as possible for them. The name of your child or pet is not going to accomplish that, regardless of how much you love them or how much you like their name.
Hackers use a couple of methods to get past passwords. If they aren't trying to trick the computer (or its user) into letting them through, they turn to password-guessing software that runs dictionary and brute-force attacks. A dictionary attack tries lists of common and previously leaked passwords, plus simple variations of them (capitalizing the first letter, appending "1" or "123"); a brute-force attack tries every possible combination of characters and, given enough time, will always succeed. Unfortunately, 123456 and HHHHHH are not going to take long to stumble upon: the first sits at the top of every common-password list, and the second is a single character repeated, a pattern that guessing tools try early.
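To make the guessing order concrete, here is an added example that is not from the original article or from Symantec. It models an offline attack against a stolen, unsalted SHA-256 hash (an assumption for the demo; a real store should use a salted slow hash such as bcrypt or Argon2, which makes every guess far more expensive). The wordlist is a constructed seven-entry stand-in for the multi-million-entry leaked lists attackers actually use. The three phases run in the order a tool like hashcat would: wordlist with mangling rules, cheap patterns (repeated characters), then exhaustive brute force capped by a guess budget so the script terminates.

```python
import hashlib
import itertools
import string

# Constructed sample wordlist standing in for a leaked common-password list.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou", "fluffy", "admin"]

# Character sets for the pattern and brute-force phases.
PATTERN_ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits
BRUTE_ALPHABET = string.ascii_lowercase + string.digits


def sha256_hex(password: str) -> str:
    """Hash a candidate the way a weak, unsalted password store might (assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str):
    """Cheap mangling rules applied to every wordlist entry, in the order tried."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word + "!"
    yield word.capitalize() + "123"


def dictionary_attack(target_hash: str, wordlist):
    """Phase 1: every wordlist entry and its mangled variants."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def pattern_attack(target_hash: str, alphabet: str = PATTERN_ALPHABET, max_len: int = 8):
    """Phase 2: pattern rules; here just 'one character repeated 1..max_len times'."""
    guesses = 0
    for ch in alphabet:
        for n in range(1, max_len + 1):
            guesses += 1
            candidate = ch * n
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force(target_hash: str, alphabet: str = BRUTE_ALPHABET,
                max_len: int = 4, budget: int = 100_000):
    """Phase 3: exhaustive search over alphabet^1..alphabet^max_len, capped at budget guesses."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            if guesses >= budget:
                return None, guesses
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def crack(password: str, budget: int = 100_000):
    """Run the phases in attacker order.

    Returns (phase that succeeded or None, recovered password or None, total guesses).
    """
    target = sha256_hex(password)
    found, total = dictionary_attack(target, COMMON_PASSWORDS)
    if found is not None:
        return "dictionary", found, total
    found, n = pattern_attack(target)
    total += n
    if found is not None:
        return "pattern", found, total
    found, n = brute_force(target, budget=budget)
    total += n
    if found is not None:
        return "brute-force", found, total
    return None, None, total


if __name__ == "__main__":
    for pw in ["123456", "HHHHHH", "Fluffy123", "x7q", "correct horse battery"]:
        phase, found, guesses = crack(pw)
        print(f"{pw!r}: phase={phase} found={found!r} guesses={guesses}")
```

Both of the article's examples fall in the first few hundred guesses: 123456 on the seventh dictionary guess, HHHHHH on the 312th once the repeated-character rule runs. A short random string like x7q survives the wordlist and pattern phases but falls to brute force in about 33,000 guesses, which is milliseconds for a real cracking rig; only the long passphrase exhausts the budget. Note that this is the offline case against a stolen hash; an online login form adds rate limiting and lockout, which is why the stolen-hash scenario is the one that makes password length and uniqueness matter most.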
Not to mention, similar or re-used passwords make it all that much easier to break into multiple accounts.
There are a number of measures that better protect passwords and that can be instituted at the enterprise level, both for employees and for customers who need to log in to use your services. They include:
The security reality of keystroke loggers and the pervasiveness of other invasive malware mean that it remains an important practice to enforce regular password changes: a password captured by a keylogger is compromised the moment it is typed, and rotation limits how long that stolen credential stays usable.