Open sesame: Don't use "password" as your password

Not long ago I was one of the 24 million customers that received an unsettling email from the online shoe retailer Zappos that began like this:

First, the bad news: We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number ... and/or your cryptographically scrambled password (but not your actual password).

The email went on to say that "critical" credit card data - the full number, rather than the last four digits - had not been compromised.

Zappos said it had wiped out all old passwords, and asked its customers to create new ones. It also noted that if customers used the same password on other websites, they should change those as well.

Done, and done.

But it was just one more reminder of how vulnerable passwords can be. For an article in its January 2012 issue, Consumer Reports surveyed 1,000 people about their passwords. Twenty percent reported that they use the same password for more than five accounts. And while the strongest passwords consist of a combination of uppercase and lowercase letters, numerals and special characters, fewer than 25 percent of the survey respondents used that level of strength for their most sensitive accounts.

I, a member of the remaining 75 percent, generally choose passwords that are simple, but not too simple, most of them an amalgam of my phone numbers, street addresses, pets and family members.

But I can do better.

Paris Finley, the Gazette's IT chief, told me that a hacker armed with only a standard-issue PC and a free software cracking program can decipher passwords in almost no time at all. Here are the examples Paris gave me (with calculation times from www.howsecureismypassword.net):

horse - words found in the dictionary can be cracked in less than .001 second

horsa - cracked in .05 seconds

horsa3 - cracked in 8 seconds

Horsa33 - cracked in 3 hours

Horsa33# - cracked in 57 days

horse9galaxy! - cracked in about 2 million years

If you want real security, Paris told me, you don't want a password; you want a passphrase, which can actually be easier to remember than a password.

Mysister'snameisAleta - cracked in 95 sextillion years.
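The arithmetic behind that table, as an added example that is not from the column or the howsecureismypassword.net calculator: worst-case brute-force time is the size of the character set raised to the password's length, divided by the attacker's guess rate, while a plain dictionary word is found by a word list long before any brute force starts. The guess rate (a billion per second) and the tiny stand-in word list are assumptions, so the absolute figures differ from the site's, but the ordering of the column's examples is the same.

```python
import string

# Constructed stand-in for a cracking word list (assumption); real lists hold millions of entries.
DICTIONARY = {"horse", "password", "galaxy", "sister", "name"}

# Character classes with their sizes: lowercase, uppercase, digits, and the
# 32 printable ASCII symbols. Using a class forces a brute-force attacker to
# try every symbol in it at every position.
CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), 32),
)


def charset_size(password: str) -> int:
    """Combined size of every character class the password draws from."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates a brute-force attacker must cover in the worst case."""
    return charset_size(password) ** len(password)


def estimate_crack_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case guessing time. A plain dictionary word falls to the word list
    first, so its length and character classes buy it nothing."""
    if password.lower() in DICTIONARY:
        return len(DICTIONARY) / guesses_per_second
    return search_space(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render seconds in the largest unit that keeps the number readable."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600),
                       ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.3g} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # The column's own examples, weakest to strongest.
    for pw in ("horse", "horsa", "horsa3", "Horsa33", "Horsa33#",
               "horse9galaxy!", "Mysister'snameisAleta"):
        print(f"{pw:24} charset={charset_size(pw):3} {humanize(estimate_crack_seconds(pw))}")
```

Each step down the column's list either adds a character class (multiplying the base) or adds length (multiplying the exponent), which is why the times jump by orders of magnitude rather than creeping up.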

Comments

Other sites

How did you change your password on all the other websites? I'm registered at about 50 million places. I have no idea all the places that have my usual password. (They're all non-financial, as I don't do financial stuff on the web.)