Think your password's strong enough? Think again
Updated by Endah
Can any password ever be strong enough?
About 233 million people - somewhere between the populations of Brazil and Indonesia - may well be asking that question right now. That's the number who have accounts on eBay, the world-beating DIY auction site. Their question tells much about this fascinating moment in the history of e-commerce.
This week, it emerged that hackers had compromised a big cache of eBay accounts. eBay said no financial information had been compromised - but it strongly suggested everybody change his or her passwords anyway. Then it offered some rather goofy advice about "a good, secure password." But can any password ever be strong enough?
There's an answer - and you're not going to like it.
Back to eBay. What's shocking is what the site was not protecting. EBay's financial stuff is done via PayPal and is encrypted and thus protected. But customer names, e-mail addresses, physical addresses, phone numbers, and birthdays - not! How could this be?
"I wish it were amazing," says Eric McCloy, deputy CIO at Arcadia University, "that large corporations don't protect data well." Why is he not surprised? "Because hacking techniques have progressed exponentially, while companies have been slow to recognize it."
Tom Kellermann is chief security officer for Trend Micro, a cybersecurity firm in Irving, Texas. "I don't want to take anything away from the good work of places like eBay," he says, "but any site that handles the personal information of hundreds of millions of people has to be working harder to protect that information."
We're at a turning, tipping, or flopping point in the history of e-commerce and e-piracy. Many, many of the 40 percent of the human race who are online have long since embraced e-commerce. It's quick, easy, gets delivered to your door, cool. It's cheaper than brick-and-mortar stores for businesses, too.
"So you'd think big sites would be investing more in security," says Kellermann. Granting that a security firm executive would say that, you also have to grant that, no matter what you do, the pirates will always be sailing ahead of the good guys. "For $1,000 or so," Kellermann says, "you or I can lease software that can defeat the protection systems used by most major websites." Now.
Clearly, the big guys' standard protection systems are not good enough. Behind the times, even. What happens if consumers cease to trust? Will they go elsewhere? Or will industry get better at this?
EBay tried to give advice about a "good, secure password." You know, "a combination of at least 6 to 8 letters, numbers, and special characters." But the witty blogger Troy Hunter submitted a monster - ,83eQYr$m76H>ojqj [Em - to eBay's evaluating tool and got . . . "medium."
Sincere advice followed about other measures. "Do not use single words that can be found in the dictionary," such as kangaroo. And "Do not use your name, your spouse's name, your pet's name, birthday, favorite food, or any personal information that others can easily guess." Good advice . . . since 1994.
So is "Create a different password for each of your online accounts." Problem: Almost no one, no one, will ever do this. As McCloy points out, "People are satisfied with a single layer of protection. A lot of people will use their single password on every website they're on." He recommends a password manager, software "that you access with a single password, and generates different passwords for each of the sites you use."
Besides, as Kellermann points out, "passwords are not enough. There are too many ways to crack them or steal them. In Eastern Europe every day, there are black-market auctions of thousands of passwords and e-mail addresses." Even the strongest password is but a momentary stay. (McCloy quotes Randall Munroe's fabulous site xkcd: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.")
Will companies invest in better security? Or will e-consumers just have to strap on bandolier after bandolier of self-protection? Questions to ask - about 10 years ago.