123456. Iloveyou. Password.
These are examples of most commonly used bad passwords. Of course no one loves passwords as evidenced by how often we choose bad ones, but we rely on them every day to access and protect personal information and systems.
And every day it gets easier for those passwords to be leaked, stolen or cracked.
"In the past year, Dropbox, LinkedIn and Zappos have reported security breaches and leaked passwords. At Duke, we get phishing emails all the time. And the average password can be cracked in minutes," said Richard Biever, the university’s chief information security officer.
Still, there are some strategies for managing passwords without using post-it notes. At a recent "Learn IT @ Lunch" session sponsored by the Office of Information Technology, Biever offered the following tips from Duke's Information Security Office:
Use multiple strong passwords
It used to be a strong password was eight characters and a mix of uppercase lowercase, numbers and symbols. Today a strong password has at least 11 characters and one each of uppercase, lowercase, number and symbol.
And one password isn't enough. Biever, for example, uses a unique password for each of his accounts. If you don't want to manage that many, consider grouping passwords: one for financial institutions, a separate password for Duke NetID, another for casual accounts with no access to financial information.
But reusing passwords is risky, he warns: "If I use the same password on LinkedIn and other services, and LinkedIn reports a breach, now I have to worry about, 'Where else did I use that password?' and I have to go change it in all those other places as well."
Change your password regularly
At a minimum, Biever recommends once a year.
Consider using a password escrow tool
"It's hard to create and remember multiple passwords. What was the last long string of unrecognizable characters you memorized?" Biever said. "Some services provide a password generator and will store password history and sync with mobile devices."
Use multi-factor authentication when available
Some online services, including Google, Dropbox and Facebook, offer the option of multi-factor authentication, which requires that a user provide more than one form of verification to prove their identity.
Duke is piloting multi-factor authentication with a group of IT staff for single-sign-on access. "Our intent is to offer it as an option to the Duke community for accessing online resources," Biever said.
Set a strong passcode on your mobile device
Create a four-digit code for smartphones, and set the device to remote wipe after 10 incorrect log-in attempts.
"Smartphone muggings are more common than ever, but a code and remote wipe puts a big speed bump in terms of what a thief can do if they get your phone," Biever said.
Security experts acknowledge that password technology provides inadequate protection, but it's the best system available now, Biever said. "At some point your password will be stolen," he said. "These strategies will just help to lessen the impact."