Eventually, as the number of epic hacks increased, we started to lean on a curious psychological crutch: the notion of the "strong" password. It's the compromise that growing web companies came up with to keep people signing up and entrusting data to their sites. It's the Band-Aid that's now being washed away in a river of blood. Every security framework needs to make two major trade-offs to function in the real world.
The first is convenience: The most secure system isn't any good if it's a total pain to access. Requiring you to remember a character hexadecimal password might keep your data safe, but you're no more likely to get into your account than anyone else. Better security is easy if you're willing to greatly inconvenience users, but that's not a workable compromise. The following is from a January live chat between Apple online support and a hacker posing as Brian—a real Apple customer.
The hacker's goal: resetting the password and taking over the account.
Hacker: I think that is "Kevin" or "Austin" or "Max.

Apple: None of those answers are correct. Do you think you may have entered last names with the answer?

Hacker: I might have, but I don't think so. I've provided the last 4, is that not enough?

Hacker: Can you check again? I'm looking at my Visa here, the last 4 is "

Apple: Yes, I have checked again. Did you try to reset online and choose email authentication?

Hacker: Yes, but my email has been hacked. I think the hacker added a credit card to the account, as many of my accounts had the same thing happen to them.

Hacker: Here, I'm back. I think the answer might be Chris? He's a good friend.

Hacker: I'm just gonna list off some friends that might be haha.

Hacker: "Google" "Gmail" "Apple" I think. I'm a programmer at Google.

Apple: OK, "Apple" is correct. Can I have an alternate email address for you?

The second trade-off is privacy. If the whole system is designed to keep data secret, users will hardly stand for a security regime that shreds their privacy in the process.
Imagine a miracle safe for your bedroom: It doesn't need a key or a password. Not exactly ideal. Without privacy, we could have perfect security, but no one would accept a system like that. For decades now, web companies have been terrified by both trade-offs. They have wanted the act of signing up and using their service to seem both totally private and perfectly simple—the very state of affairs that makes adequate security impossible. So they've settled on the strong password as the cure. Make it long enough, throw in some caps and numbers, tack on an exclamation point, and everything will be fine.
But for years it hasn't been fine. In the age of the algorithm, when our laptops pack more processing power than a high-end workstation did a decade ago, cracking a long password with brute force computation takes just a few million extra cycles. That's not even counting the new hacking techniques that simply steal our passwords or bypass them entirely—techniques that no password length or complexity can ever prevent. Add up the total cost, including lost business, and a single hack can become a billion-dollar catastrophe.
How do our online passwords fall? In every imaginable way: They're guessed, lifted from a password dump, cracked by brute force, stolen with a keylogger, or reset completely by conning a company's customer support department. Let's start with the simplest hack: guessing. Carelessness, it turns out, is the biggest security risk of all. Despite years of being told not to, people still use lousy, predictable passwords.
When security consultant Mark Burnett compiled a list of the 10, most common passwords based on easily available sources like passwords dumped online by hackers and simple Google searches, he found the number one password people used was, yes, "password. The number If you use a dumb password like that, getting into your account is trivial. Free software tools with names like Cain and Abel or John the Ripper automate password-cracking to such an extent that, very literally, any idiot can do it.
All you need is an Internet connection and a list of common passwords—which, not coincidentally, are readily available online, often in database-friendly formats. What's shocking isn't that people still use such terrible passwords.
It's that some companies continue to allow it. The same lists that can be used to crack passwords can also be used to make sure no one is able to choose those passwords in the first place. But saving us from our bad habits isn't nearly enough to salvage the password as a security mechanism. Our other common mistake is password reuse.
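As an added illustration (not part of the original article), here is one way a signup form could use a common-password list to refuse such choices, including the "caps, numbers and an exclamation point" variants described earlier. The denylist is a small constructed sample and the function names are hypothetical; a real deployment would load a full published list.

```python
import unicodedata

# Constructed sample denylist; stands in for a full common-password list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "monkey", "dragon", "123456"}

# Common character substitutions, mapped back to the letters they replace.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Decorations people tack onto the end of a weak password.
SUFFIX_CHARS = "0123456789!@#$%^&*?."


def candidates(password):
    """Yield normalised forms of the password to compare with the denylist."""
    base = unicodedata.normalize("NFKC", password).casefold()
    stripped = base.rstrip(SUFFIX_CHARS)
    yield base
    yield stripped
    yield base.translate(LEET)
    yield stripped.translate(LEET)


def matched_entry(password, denylist=COMMON_PASSWORDS):
    """Return the denylist entry the password reduces to, or None."""
    for form in candidates(password):
        if form and form in denylist:
            return form
    return None


def is_allowed(password, denylist=COMMON_PASSWORDS):
    """True when no normalised form of the password is on the denylist."""
    return matched_entry(password, denylist) is None


if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd", "M0nkey2024", "correct horse battery staple"]:
        print(f"{pw!r}: {'accepted' if is_allowed(pw) else 'rejected'}")
```

The check runs at the moment a password is chosen, so it blocks only guessable choices; it does nothing against reuse, phishing or keyloggers, which the article turns to next.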
During the past two years, more than million "hashes" i. LinkedIn, Yahoo, Gawker, and eHarmony all had security breaches in which the usernames and passwords of millions of people were stolen and then dropped on the open web. A comparison of two dumps found that 49 percent of people had reused usernames and passwords between the hacked sites. The bad guys are stealing the passwords and selling them quietly on the black market.
Your login may have already been compromised, and you might not know it—until that account, or another that you use the same credentials for, is destroyed. Hackers also get our passwords through trickery.
The most well-known technique is phishing, which involves mimicking a familiar site and asking users to enter their login information. Steven Downey, CTO of Shipley Energy in Pennsylvania, described how this technique compromised the online account of one of his company's board members this past spring.
The executive had used a complex alphanumeric password to protect her AOL email. But you don't need to crack a password if you can persuade its owner to give it to you freely. The hacker phished his way in: He sent her an email that linked to a bogus AOL page, which asked for her password. She entered it. After that he did nothing. At first, that is. The hacker just lurked, reading all her messages and getting to know her. He learned where she banked and that she had an accountant who handled her finances. He even learned her electronic mannerisms, the phrases and salutations she used.
An even more sinister means of stealing passwords is to use malware: hidden programs that burrow into your computer and secretly send your data to other people. According to a Verizon report, malware attacks accounted for 69 percent of data breaches in They are epidemic on Windows and, increasingly, Android. Malware works most commonly by installing a keylogger or some other form of spyware that watches what you type or see. Its targets are often large organizations, where the goal is not to steal one password or a thousand passwords but to access an entire system.
One devastating example is ZeuS, a piece of malware that first appeared in Clicking a rogue link, usually from a phishing email, installs it on your computer. Then, like a good human hacker, it sits and waits for you to log in to an online banking account somewhere. As soon as you do, ZeuS grabs your password and sends it back to a server accessible to the hacker. Targeting such companies is actually typical. Essentially, he's the guy in charge of figuring out how to get us past the current password regime.
Until we figure out a better system for protecting our stuff online, here are four mistakes you should never make—and four moves that will make your accounts harder but not impossible to crack. If our problems with passwords ended there, we could probably save the system. We could ban dumb passwords and discourage reuse.
Kill the Password: A String of Characters Won't Protect You
We could train people to outsmart phishing attempts. Just look closely at the URL of any site that asks for a password. We could use antivirus software to root out malware. But we'd be left with the weakest link of all: human memory. Passwords need to be hard in order not to be routinely cracked or guessed. So if your password is any good at all, there's a very good chance you'll forget it—especially if you follow the prevailing wisdom and don't write it down.