
Despite Risks, Internet Users Remain Lax On Password Security


First Posted: 07/19/11 12:19 PM ET Updated: 09/18/11 06:12 AM ET

For the past six years, Rachel Tampier has used one password to unlock her entire digital world, from checking her email to accessing her bank account.

Even after a hacker tried to break into her email account, she still did not change her password, she said.

"I have so many pins and different email addresses and usernames," said Tampier, 25, who lives in suburban Chicago. "The last thing I want is another password to remember."

That attitude is all too common, experts say, contributing to a rising number of people falling prey to hackers.

In recent years, passwords have morphed from being portals to email to being keys to the vast world of online commerce.

But most Internet users leave themselves vulnerable to hackers by making their passwords too obvious or using just a few passwords for all their online accounts, experts say.

Not creating multiple, complex passwords "is like not closing your windows before you go out," said Graham Cluley, a senior technology consultant at the cyber-security firm Sophos.

"There are really no excuses," Cluley said.

Yet Internet users still come up with a wide range of them, according to interviews. Many say creating several intricate passwords would be too difficult to remember. Some say they don't believe they will be targeted by hackers. Others say they trust corporations to keep their data safe.

"I pay all my bills online and I shop online and I've never had a problem so why worry?" Tampier said. "What do I really have to hide besides my bank account?"

Plenty, security experts say.

If hackers gain access to a user's email account, for example, they can infiltrate other accounts by resetting passwords or spy on victims by creating a feature that forwards their emails without their knowledge, Cluley said.

"Then the rest of your online identity begins to unravel," Cluley said.

To make a password easy to recall but hard to crack, Cluley recommends taking a sentence, using the first letter of each word, then replacing some letters with symbols and numbers, like "&" instead of "and" and "4" instead of "four."

After infiltrating the computer networks of several corporations, the hacker group LulzSec last month posted 62,000 user emails and passwords online, revealing how thousands of people use simple passwords like "writerlady," "baseball," "kindle" and perhaps the most obvious of them all -- "password."

The data dump likely forced those users to change their passwords, which they may have used for other accounts. About 75 percent of people use identical passwords for their social networking and email accounts, according to a study last year by the cyber-security company BitDefender.

Even the president has been guilty of using a weak password: Last year, a French computer hacker was arrested for hacking Obama's personal Twitter account by correctly guessing his password was "Bo," the name of his dog, according to the Daily Mail.

The security breakdown among corporations and consumers has led to nearly 23 million records being compromised so far this year, according to the Privacy Rights Clearinghouse.

It has reached the point where companies now help users strengthen their passwords. Last week, Microsoft announced a new feature that prevents Hotmail users from using certain obvious passwords -- such as "123456" -- to make life more difficult for hackers.
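
A signup-time check of the kind described above, rejecting obvious passwords and their simple variants, can be sketched as follows. This is an added example, not Microsoft's code and not part of the original article; the blocklist is constructed from the weak passwords quoted in the article, and the minimum length, look-alike table and suffix set are assumptions.

```python
import unicodedata

# Constructed blocklist: only the weak passwords quoted in this article.
# A production list would hold far more entries (assumption).
BLOCKLIST = {"password", "123456", "baseball", "kindle", "writerlady", "bo"}

# Assumed look-alike table: symbol or digit -> the letter it usually replaces.
LOOKALIKES = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                            "!": "i", "3": "e", "$": "s", "5": "s", "7": "t"})
SUFFIX_CHARS = "0123456789!?.*#_-"  # padding users commonly append
MIN_LENGTH = 8                      # assumed policy value


def fold(candidate):
    """Map case and Unicode compatibility forms (e.g. full-width) to one form."""
    return unicodedata.normalize("NFKC", candidate).casefold()


def check_password(candidate):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    plain = fold(candidate)
    if plain in BLOCKLIST:
        reasons.append("obvious password")
    else:
        # Strip appended digits/punctuation first, then undo substitutions,
        # so "Baseball2011!" and "P@ssw0rd1" reduce to their base word.
        stem = plain.rstrip(SUFFIX_CHARS)
        variants = {plain.translate(LOOKALIKES), stem, stem.translate(LOOKALIKES)}
        if variants & BLOCKLIST:
            reasons.append("variant of an obvious password")
    return reasons


if __name__ == "__main__":
    for pw in ["password", "123456", "P@ssw0rd1", "Baseball2011!", "Ms&Im4fatli09"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

The last sample is a constructed password in the style of the first-letter method quoted earlier in the article; it passes because it has no base word to reduce to.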

Meanwhile, password management programs such as KeePass or LastPass have hit the market, part of a cottage industry helping users with multiple passwords by storing all of them under one password-protected program. KeePass and LastPass are free, but others are not, and users must accept the inherent risk of storing all their passwords in one location.

Instead of using a password manager, David Pinero, 45, of Queens, keeps a spreadsheet that lists his passwords for about 200 online accounts, including dozens of Internet message boards.

He feels safe from hackers because his spreadsheet is protected by a "crazy password" that is not written down anywhere, he said.

But except for a few complex codes for accessing banking and other sensitive data, Pinero said many of his passwords are the same.

"To have a unique password for each of 200 accounts," he said, "would be impossible to memorize."

Once, Pinero was tricked into revealing his password after clicking on a link from what appeared to be a trusted source, he said. When he realized it wasn't, he immediately started changing all 200 passwords, which took him nearly an hour, he said.

"What I worry about is we don't know who is administering these accounts," Pinero said. "You can't really distinguish between what's an established, secure service and one run by a hacker or a startup of irresponsible people."

Lately, though, even major corporations have suffered major security breaches, and thousands of customers' passwords have been stolen through no fault of their own.

Further, companies are often reluctant to tell customers about security breaches out of fear of damaging shareholder value or losing business, experts say.

In the last year, 90 percent of businesses suffered at least one data breach, according to a study released last month by the Ponemon Institute. Yet only 40 percent of U.S. companies disclose all security breaches, while 60 percent report only major ones, according to a study released this year by the security firm McAfee.

In response, lawmakers in Washington have introduced several bills in Congress that compel companies to protect consumer data online and report when consumer data has been compromised.

In the meantime, Internet users are sometimes forced to change their passwords for their own good.

Lindsey Jensen, 21, a student at the University of Virginia, said her school forces her to use letters, numbers and symbols for her password and change it every 90 days.

"In your daily life, you don't put it on the top of your priority list," Jensen said.

Justin Cappa, 21, a senior at New York University, said having multiple complex passwords for all his online accounts was "like having too many remotes."

"It gets to be too much of a hassle," he said. "I'll deal with it if someone hacks into it, but it's not really worth the trouble until then."

Even after his instant messenger account was hacked, spewing spam to friends until it was deleted, Cappa still used the compromised password for other accounts, he said.

While Cluley and other cyber-security experts have applauded Microsoft for requiring Hotmail users to have more stringent passwords, Cappa said he found such features "annoying."

"I have way too much other stuff I'm worried about," he said. "If somebody hacks my account, that's my problem. Let me make my password my dog's name. It'll make my life a little easier."




[NOTE: Do you use a password manager? Do you find the software effective for keeping your passwords safe? Let us know: email gerald.smith@huffingtonpost.com.]

12:34 PM on 07/28/2011
Why are people still doing this? It's absurd actually. With security breaches and identity theft why put yourself at risk? I use LastPass now but I'm transitioning to the MyLOK (http://mylok.ii2p.com). Better to remember 1 strong password than - dogatemyshoe.
Whistlejackett
Niki Ashton for NDP
02:38 PM on 07/20/2011
I commented on an article a few days ago about a guy from "Double Click", and he was angered about its content. That guy hacked my computer and now controls my Twitter account and this account at HP. You would think an engineer from "Double Click" would be more mature. I sure hope HP has nothing to do with this. All my history is now erased from HP and I will start over again with the RCMP. Nice try dude, see you later.
Travis M
Marijuana is not a drug Its a leaf -The Governator
04:15 PM on 07/19/2011
Top 5 commonly used passwords are;
123456
12345
123456789
Password
iloveyou

Sad isn't it..
Quark50
The enemy's gate is down
03:44 PM on 07/19/2011
My voice is my password. Verify me.
02:54 PM on 07/19/2011
For a minute, I was 100% convinced that it said Pokemon Institute and nearly spit tea all over my desk
02:34 PM on 07/19/2011
I don't get it. I work on the internet, and between work & personal stuff I have dozens of passwords. They're all alphanumerics & I don't have any issues remembering them. If you do it right, it's no tougher than remembering your friends' phone numbers.
Silverwolf72
Are We There Yet?
04:04 PM on 07/19/2011
I don't remember my mom's number.
05:07 PM on 07/19/2011
You obviously don't call your mother enough! Call your mom! ;-)
Yam716
For CurlTalk, Visit: lillian-mae
08:52 AM on 07/20/2011
IMO, technology has made it so that we don't have to remember people's numbers. I know 2 numbers by heart and that's because they've been the same for at least 10 years...for everyone else, I refer to my BB.

It's a shame tho, bc should my phone become lost, I'd have to go through some difficult channels to find the number I'd need.
atrax70
01:01 PM on 07/20/2011
Exactly. My iPhone died this year and well, stupid me never backed it up and I lost all my phone numbers and everything else. I looked at the #'s on my bill and I was like "who are these people?" At the end of the day I think I know 10 numbers by heart.
Comeplayinmyreality
enter at your own risk
12:42 PM on 07/19/2011
My work makes us change the passwords every 60 days and you can't use it for 18 months afterwards, but that's just to log into the computer, then there's the programs we use that each require a password that has to be changed either 60 or 90 days all with different rules and requirements to follow. It does get a little annoying but I figure it's worth it. At home I try different things for passwords but have something similar to the guy mentioned in the article, and try to update or change things regularly. I'm just waiting for everything to go biometrics.
lhanderson86
12:43 PM on 07/19/2011
Oooo, biometrics. That will be a sweet day.
lhanderson86
12:40 PM on 07/19/2011
Some people still use "password". Sheesh.
frant52
12:37 PM on 07/19/2011
Now that is a very helpful video!
pepper1311
POGS are dirt
12:33 PM on 07/19/2011
Buy 1Pass Word. Then have several strong pass words ready to use, change the master monthly. Hell I'm 64 and know this stuff. Yes keep everything updated.
lhanderson86
12:46 PM on 07/19/2011
Can you tell me how 1Pass Word is different from RSA SecurID? I read RSA was hacked and Lockheed Martin was hacked as a result. How does 1Pass Word work?
theveggiedude
my body is a temple, not a living graveyard
02:20 PM on 07/19/2011
Nothing is wrong with RSA encryption for regular people - because we are not targets of hackers with the power of super computers at their disposal. Only large corporations are the targets and need worry about it.
Travis M
Marijuana is not a drug Its a leaf -The Governator
04:11 PM on 07/19/2011
The algorithm for RSA was compromised, but only on older key fobs that were set to soon expire anyways. RSA is a good solution if you have client data that you do not want anyone to get a hold of, like Lockheed. Use this simple method..

Take a random word that means nothing to you (like chapstick for example), re-arrange the letters in the word and add some special characters; chapstick would equal something like this: 9h@1(T$c1
Zenith1959
Buying Things=Job Creator
12:30 PM on 07/19/2011
I simply never put any sensitive or personal info online, don't check my bank balance and so on. I suppose there is the very slim chance of my email being hacked to send illegal things, but that's about it. For passwords, I use old phone numbers from the past, and since I'm old enough to remember back when they used the first two letters of words at the start, that helps make them more complex, like SUnset7-0970.
12:17 PM on 07/19/2011
The President's password was his dog's name. What's the national security adviser's password?
1?
lhanderson86
12:42 PM on 07/19/2011
What password? For his blackberry?
12:09 PM on 07/19/2011
The reality none seem to want to face is generally USA is not very smart about hi tech. Most simply push some buttons, or hit a key and something pre-programmed happens. Start to discuss the more tech side of most hardware, net or applications and you get this look like "I am sorry I do not speak Greek or some such language".

This includes most of kids who are great "keyboarding" and games, but lack much real hi tech knowledge. Doubt it, ask anyone that teaches hi tech or works around it, they are often stunned at just how really dumbed down USA is becoming.

But that trend started decades back when it was some sort of odd status symbol that "I cannot understand how to program my VCR" and has simply gotten worse since then. USA is land of lots of higher tech HW/SW but really way behind world in knowing how it works.
lhanderson86
12:42 PM on 07/19/2011
Keeps nerds like me in business. Everyone over 45 in my office thinks I'm a computer whiz. :)

"How do you...?"
"Allow me to temporarily look like a computer genius in your eyes!"
03:35 PM on 07/20/2011
I would submit that most under 45 do not really have a clue beyond "push this button and see what it does", more so for PCs. Actually a lot of folks over 45 are more in-depth tech skilled than younger, as not that far back you actually had to know how to do all those trick things and viruses, crash, config, etc. Many in IT areas for a while really are amazed at how little and weak are the IT skills-knowledge of most younger folks, even those with IT classes, cannot cut much code if any and zero understanding of HW
johnb123
All I ask..just be reasonable....do things my way
12:04 PM on 07/19/2011
"Since the beginning of time the clever have preyed on the ignorant, yet ignorance still abounds. That's how clever they are."
Robert Brault
cabrobst
Return the top rate to 90%.
11:59 AM on 07/19/2011
I don't see why I need an 'account' with each and every website just to put in my 2 cents. I should think my name and email should be enough just to comment once in a while.