Get Your FREE Copy Today!

A Particle Physicist’s Guide to Smart Passwords

Jan 20, 2015 8:09:00 AM
Author: Hanson McClain

Password

How to overcome password fatigue and fight identity theft

If identity theft, the fraudulent use of a person’s private information for financial gain, hasn’t happened to you, consider yourself lucky. According to the Department of Justice, there were 16.6 million reported cases of identity theft in 2013 alone, which accounted for more than $14 billion in losses.

That’s more than all of the burglaries and car thefts from that year combined.

Still not worried? Then consider that the San Diego–based Identify Theft Resource Center has calculated that it takes six hundred hours to clean up the mess after your identity’s been stolen. That’s 15 weeks of full-time work spent trying to sort things out with customer service reps at call centers located in places such as India or the Philippines.

We defend our money and our identities with passwords that, in numerous ways, have come to dominate our lives. According to Harris Interactive, about 40 percent of Americans have memorized at least 10 passwords (half of those have memorized more than 20), while the remaining 60 percent of us use some variation of a single code. Neither approach protects you completely, nor does having to remember all those numbers help you sleep at night. In fact our unsatisfying reliance on codes for protection has introduced the phrase “password fatigue” (the feeling of being overwhelmed by keeping track of passwords) into our otherwise shrinking lexicon.

So how do you better defend yourself against identity theft when, truth be told, you’re probably already tired of the whole process?

What's a better password?

The protection of confidential information is an important part of what we do at Hanson McClain. In fact our Chief Technology Officer, Chris Jackson, is, quite literally, a particle physicist who not only leads a four-person team of IT experts here at Hanson McClain but was previously a senior engineer and staff strategist for Intel Corporation, as well as an employee at both Stanford’s Nuclear Accelerator Laboratory and Lawrence Livermore Lab.

Chris Jackson

We asked Chris what people can do to help make not only their financial lives safer, but also give them peace of mind. This is what he had to say: “Password fatigue is a common problem in today’s online world in which every bank account, Amazon account, Apple iCloud, Facebook account, newspaper site, and so forth typically requires a password to access the service. Naturally the average person is going to pick one or a few go-to passwords and reuse those on every site. The problem is we all see the stories of Bank of America and Sony and Target being hacked.

“The risk here to the average person is that once one company’s data is taken, thieves will immediately try to cross-reference the e-mail accounts with the stolen passwords and then apply the information in an attempt to access the user’s other accounts.

“Experts tell us to make our passwords more complicated. The problem is, the average user is not going to remember multiple complex passwords, full of symbols and capital letters and such, for every site. And worse, for those who do create numerous passwords, they tend to want to write them down, which is probably the number-one thing they should not do with this information.

“However, turning to cryptography theory (the art of writing or solving codes) and the entropy of information (the science of variables) can provide a better solution, even though it’s important to remember that any security system can eventually be cracked given enough time and resources.

“We’ve all read articles that encourage you to use complex symbols and capital letters and numbers all jumbled together as a password mnemonic. This is terrible! These types of passwords are actually easy for a machine to crack but hard for a human to remember— the worst of both worlds. Instead you should create passwords that are easy to remember but hard for a machine to crack.

Password Protection

“Does this sound complicated? It’s not, really, because cryptography tells us how. Here’s what you should do: Make a really, REALLY long password, but don’t let the length stress you out, because here’s where you get relief from password fatigue: Even though you want a long password, it can be incredibly simple. For example: ihaveayellowdogandliveinabrickhouse. Easy to remember but exponentially harder for a brute-force computer to crack. How much harder? A 10-character password takes a machine about 10 hours to crack by testing all possible combinations of letters and numbers and symbols. So add a single digit, and what happens? An 11-character password takes about 15 days to crack. Now add just 5 more digits, and finding the password takes two and a half million years for a computer to crack. Two and a half million years? It’s a safe assumption that most of our accounts will be closed by then.

“Now, using this cryptography framework, it’s easy to create multiple passwords across multiple sites, with each one perhaps relatable to the site itself. For example, the password for the bank that holds your mortgage can be: iboughtmybrickhousein2005. Another password I’ve used comes from the labels of the first four icons on my phone: SettingsFindFriendsPodcastsMusic—that’s a nearly unbreakable password hidden in plain sight! And when a password requires both a number and symbol, I just tend to stick a “@1” on the end for good measure.”

A few more defense tactics

t can’t be repeated enough that in the modern world, no defense is entirely impenetrable.

Our suggestions should serve as improvements over what most consumers are currently doing, but we can’t guarantee that your passwords won’t still be hacked. That said, what are some of the other ways to keep your identity—and your money—safe? Whenever you use ANY of your passwords in public, take a quick look around for “shoulder surfers.” Some thieves even use binoculars to see your codes from their cars, so it’s not being overprotective to use your hand to shield your code as you enter it.

Retirement

When it comes to using the computer, never click on links in e-mails until you have verified the source. Consider having old computers destroyed rather than giving them away (or at least have a trusted professional wipe them clean of information), and always try to use the same credit card when shopping online so that if you get dinged, the damage is minimal.

In Closing

Just to repeat, there is no such thing as a 100% secure site and there is no perfect defense against hackers.

Our suggestions should serve as improvements over the current practices of many consumers, but we can’t guarantee that they will keep your information safe. Our goal is to make it more difficult for the bad guys to hurt you, while simultaneously alleviating some of the stress caused by the aforementioned affliction known as password fatigue.