
Feeling Insecure? Because Your Passwords Are

If your password is weak and your password hint is lazy, you're more likely to get your identity stolen. So let's learn to write better passwords.

Last month Adobe announced that hackers had nabbed the account information of 2.9 million users: customer IDs, encrypted passwords, and other data. Then, a few weeks later, it raised that estimate to 38 million people. To top it off, 10 gigabytes of said data has been making its way around public forums, as Al Jazeera reports.

The software giant's response?

"Our investigation is ongoing," says Adobe spokesperson Heather Edell.

What's being investigated is heady stuff for anyone who spends their days wading through logins: it turns out that people are often loonily lackadaisical with their passwords.

Lazy hints, easy hacks

Al Jazeera America obtained a copy of that aforementioned data set. According to reporter Joanna S. Kao, the data set has 130 million encrypted passwords and more than 43 million password hints.
While decrypting the passwords is hard work for hackers, a lazy password hint does much of that work for them, and a recovered password puts the rest of your data within reach. Some users in the Adobe data set even used the password itself as the hint, which defeats the purpose entirely. Nor should a hint be anything a potential identity thief could easily look up. Unfortunately, the data set Al Jazeera examined had hints like these:

  • "high school"
  • "mom"
  • "kids birthplace"
  • "namecomapny"
  • "1st dog"

All of which are pretty easy to ferret out with some deep Googling and a Facebook or LinkedIn search or two.

Additionally, some Adobe users went so far as to use sensitive information as their password or hint. This is dangerous because if your social security number is your password, a breach at Adobe jeopardizes far more than your Adobe account. If you reuse the same password for your bank account, you can be nabbed there too. And if that password is your social security number, as it was for the users below, the hacker in question can apply for credit cards or loans in your name.

So please don't use the sorts of hints that these Adobe users had:

  • "social security number"
  • "what is my social security number"
  • "social security plus two"
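A site can enforce this advice at the moment a user sets a hint. The Python below is an added example, not code from the article or from Adobe's systems: it rejects a hint that is the password, that contains a substantial chunk of it, that names a sensitive identifier, or that points at a fact anyone can look up. The keyword lists and the sample (password, hint) records are constructed for illustration and are not real credentials.

```python
import re
from collections import Counter

# Hints that name a secret identifier instead of cueing memory (constructed list).
SENSITIVE_TERMS = ("social security", "ssn", "credit card", "pin", "passport", "bank account")

# Facts anyone can dig up from a social-media profile (constructed list, extend to taste).
LOOKUP_TERMS = ("high school", "mom", "mother", "dad", "father", "birthplace",
                "dog", "cat", "pet", "company", "maiden name")


def _norm(text):
    """Lower-case and strip everything but letters and digits, so spacing or
    punctuation tricks ('hunter 2' vs 'hunter2') cannot hide a match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _mentions(text, terms):
    """True if any term appears as a whole word (so 'pin' does not match 'spinach')."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def check_hint(password, hint):
    """Return the reasons a hint should be rejected; an empty list means it is acceptable."""
    problems = []
    p, h = _norm(password), _norm(hint)
    if not h:
        return problems  # no hint at all is the safest hint
    if h == p:
        problems.append("hint equals password")
    elif min(len(p), len(h)) >= 4 and (h in p or p in h):
        problems.append("hint reveals part of password")
    low = hint.lower()
    if _mentions(low, SENSITIVE_TERMS):
        problems.append("hint names a sensitive identifier")
    if _mentions(low, LOOKUP_TERMS):
        problems.append("hint points at a publicly searchable fact")
    return problems


# Constructed records in the shape of a leaked (password, hint) pair; none are real.
SAMPLE_RECORDS = [
    ("hunter2", "hunter2"),
    ("Fluffy1985", "1st dog"),
    ("123456789", "what is my social security number"),
    ("correcthorsebattery", "horse"),
    ("Tr0ub4dor&3", "favorite opera word"),
]


def audit(records):
    """Count how often each problem appears across a dump of (password, hint) pairs."""
    counts = Counter()
    for password, hint in records:
        counts.update(check_hint(password, hint))
    return counts


if __name__ == "__main__":
    for password, hint in SAMPLE_RECORDS:
        verdict = check_hint(password, hint) or ["ok"]
        print(f"{hint!r:40} -> {', '.join(verdict)}")
    print(audit(SAMPLE_RECORDS))
```

The same `audit` function run over a real dump (as Al Jazeera's reporters effectively did by hand) gives a quick count of how many accounts a lazy hint has already compromised before any decryption is attempted.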

How to get our passwords to actually offer some protection

Al Jazeera talked to private investigator Jimmie Mesis, who suggested using something like your favorite food as your password, since that's harder to guess than your parents' names (unless you're an Instagram junkie). As well, don't use the same password for all your logins; one breach would then cascade through every account you have.

Finally, we ought not to be so predictable: security researcher Markus Jakobsson has found that people fall into readily hackable patterns. As he writes at PCWorld:

If we demand upper case characters in passwords, almost everybody will capitalize the first letter. If we demand a numeral, the number "1" is almost three times more likely than the number "9", and "3456" is more than ten times as common as "4321". Similarly, the "special" characters people use are far from special when you look at which ones are used and where they are placed in the password.

So in passwords, as in creativity, we can get a lot of value by breaking out of our habits.
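The habits Jakobsson describes can be measured on any password list, and they matter because cracking tools exploit them directly: a mask attack tries only the character classes, in the order, that people actually use. The Python below is an added example, not code from the article or from Jakobsson's research. It runs over a constructed sample list (no real leaked credentials) and reports how often the uppercase letter is only the first character, which digits dominate, where digits and special characters land, and how many passwords collapse to the same class shape. The `?u`/`?l`/`?d`/`?s` notation is the one hashcat-style mask attacks use.

```python
import re
from collections import Counter

# Constructed sample; none of these are real leaked credentials.
SAMPLE = [
    "Password1", "Summer2013!", "Welcome1", "Adobe123", "Qwerty1!", "monkey1",
    "Letmein3456", "Jennifer1985", "Hunter2", "baseball!1", "Zeus4321", "xK9#mQ2v",
]


def char_class(c):
    """Map a character to hashcat's mask classes: u=upper, l=lower, d=digit, s=everything else."""
    if c.isupper():
        return "u"
    if c.islower():
        return "l"
    if c.isdigit():
        return "d"
    return "s"


def mask(pw):
    """Exact per-position mask, e.g. 'Password1' -> '?u?l?l?l?l?l?l?l?d'."""
    return "".join("?" + char_class(c) for c in pw)


def shape(pw):
    """Mask with runs collapsed, so 'Password1' and 'Zeus4321' both become 'uld'."""
    classes = [char_class(c) for c in pw]
    return "".join(c for i, c in enumerate(classes) if i == 0 or c != classes[i - 1])


def shape_counts(passwords):
    """How many passwords share each collapsed shape; few shapes covering most of
    the list is exactly the predictability a mask attack feeds on."""
    return Counter(shape(pw) for pw in passwords)


def capital_first_only(pw):
    """True when the only uppercase letter is the first character."""
    return pw[:1].isupper() and sum(c.isupper() for c in pw) == 1


def analyze(passwords):
    """Tally the habits Jakobsson describes across a password list."""
    s = {"n": len(passwords), "with_upper": 0, "upper_first_only": 0,
         "with_digits": 0, "digits_at_end": 0, "digit_counts": Counter(), "digit_runs": Counter(),
         "with_special": 0, "special_at_end": 0}
    for pw in passwords:
        if any(c.isupper() for c in pw):
            s["with_upper"] += 1
            s["upper_first_only"] += int(capital_first_only(pw))
        digits = [c for c in pw if c.isdigit()]
        if digits:
            s["with_digits"] += 1
            s["digit_counts"].update(digits)            # single-digit frequency ('1' vs '9')
            s["digit_runs"].update(re.findall(r"\d+", pw))  # runs such as '3456' or '4321'
            s["digits_at_end"] += int(bool(re.search(r"\d$", pw)))
        if any(char_class(c) == "s" for c in pw):
            s["with_special"] += 1
            s["special_at_end"] += int(char_class(pw[-1]) == "s")
    return s


if __name__ == "__main__":
    st = analyze(SAMPLE)
    print(f"capitalize only the first letter: {st['upper_first_only']}/{st['with_upper']} of those with an uppercase")
    print(f"digits at the very end:           {st['digits_at_end']}/{st['with_digits']} of those with digits")
    print(f"special char at the very end:     {st['special_at_end']}/{st['with_special']} of those with a special")
    print("digit frequency:", dict(sorted(st["digit_counts"].items())))
    print("most common shapes:", shape_counts(SAMPLE).most_common(3))
```

On the constructed sample, seven of twelve passwords share the single shape "uld" (one capital, a word, digits on the end), which is why a mask attack against that one shape is cheap and why breaking the habit is worth more than adding a required character class.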

[Image: Flickr user Alpha]

  • dbrem

    All the password weaknesses identified are valid, but what the article fails to realize or comment on is that the "password system" is broken. The reason people use such poor passwords and password hints is because it is too difficult to remember better passwords when you have dozens of passwords to remember, and which password is for which access, and what password rules are required for which access.

    In concept, the "password tricks" promoted make a lot of sense. Until you have 28 complex passwords to remember. And that doesn't even account for a "best practice" of changing passwords regularly. And it's even worse when trying to remember passwords for infrequently used applications.

    I wish I had a better alternative, but for now we're stuck with a broken "solution".

    Case in point - it took me 4 tries to log in to Disqus just to post this comment

  • jeff

    1Password is a pretty awesome solution. You just remember 1 secure password and it stores everything else--not even on their servers or a faulty "cloud," so everything is actually safe and encrypted. Meaning if 1Password got hacked, there would be nothing for hackers to glean. My passwords are regularly 20+ characters long with crazy combos of numbers and symbols, and I save hints/answers to "security questions" the same way.