By Rajat Bhargava Posted November 25, 2013
My Twitter password could be guessed by a supercomputer in a matter of minutes. It’s the same case with LinkedIn, Facebook, Gmail, and almost all of them really. Am I an idiot? Maybe – but not because of my passwords.
None of these sites will allow someone to repeatedly guess at the password. As long as my password isn’t one of the first few that someone would try, I’m fine. Even a dictionary word is likely to be sufficient in most cases* — throw in a little cruft around misspelling and character substitution and you’re safe from all except the luckiest of attackers.
So why do people worry about strong and unique passwords? It’s not to prevent access to your Twitter account. It’s because if/when Twitter is compromised, any passwords you used there are compromised as well.
Let’s say some clever and nefarious person gets into the Twitter back end. Likely one of the things they’ll do to your account (after looking at your private tweets) is to steal the stored password. If Twitter is smart, the passwords are at least hashed, and hopefully with a strong, salted algorithm that makes recovering the original passwords expensive. But it’s always good practice to assume that a determined attacker will be able to get your password from any service that they’ve broken.
So, what’s next? They’ve already gotten into Twitter, so I assume everything I have there is compromised. But the bigger risk is that they can take my Twitter password and use it to access all my other online accounts.
And that’s the crux of the situation. Password reuse is the reason we hear all the crowing that ‘passwords are dead’. Simply put: don’t reuse your passwords. Use different passwords for every account. That way, if Twitter is hacked, you won’t have to worry about whether your Google Apps account is at risk. Store them in KeePass, OnePass, LastPass, or your personal favorite password storage program (unless it’s MS Word – I’m looking at you, Mom).
When I first started using KeePass, I’d make my passwords outrageously strong. I would use lots of characters, back ticks, tabs, spaces, etc. And why not – it’s easy! That was, until I started needing to use my passwords on different devices. I don’t want to type an unnecessarily complex string into my iPad or the AppleTV. This got me thinking about the REAL vulnerabilities around passwords, and it struck me that I was only making my own life more difficult.
Reasonable passwords are sufficient provided that Twitter is taking steps to disallow continuous guesses. And as long as you don’t use that password anywhere else, you will have much less to lose if their back end is breached. Finally, it makes your life a heck of a lot easier when you’re manually entering a sane password rather than a 50 character behemoth.
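To put numbers on the two claims above (a lockout policy caps online guessing, and password reuse turns one breach into many), here is an added example, not code from the original post. The lockout policy (5 attempts, then a 15-minute lock), the site names, and the passwords in the vault are all constructed assumptions.

```python
import math
from collections import defaultdict

# Added example, not code from the original post. The lockout policy, site
# names and passwords below are constructed for illustration.

def minutes_to_try(guess_count: int, attempts_before_lockout: int,
                   lockout_minutes: int) -> int:
    """Wall-clock minutes an online guesser needs to submit `guess_count`
    guesses against one account when the site allows `attempts_before_lockout`
    failures and then locks the account for `lockout_minutes` (assumed policy)."""
    if guess_count <= 0:
        return 0
    windows = math.ceil(guess_count / attempts_before_lockout)
    return (windows - 1) * lockout_minutes

def reused_passwords(vault: dict) -> dict:
    """Map each password used by more than one account to the sorted list of
    those accounts: the reuse audit a password manager would run."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}

def exposed_by_breach(vault: dict, breached_site: str) -> set:
    """Accounts reachable with the password stored at `breached_site`, following
    the post's advice to assume the attacker recovers it from the breach."""
    leaked = vault[breached_site]
    return {site for site, pw in vault.items() if pw == leaked}

# Constructed vault: 'twitter' and 'linkedin' share a password, the rest are unique.
VAULT = {
    "twitter": "tropical-aardvark",
    "linkedin": "tropical-aardvark",
    "gmail": "7 lamps over brixton",
    "facebook": "glacier.paper.stamp",
}

if __name__ == "__main__":
    policy = dict(attempts_before_lockout=5, lockout_minutes=15)
    print("top-20 list:", minutes_to_try(20, **policy), "minutes")
    print("100k-word dictionary:", minutes_to_try(100_000, **policy) // 1440, "days")
    print("reused:", reused_passwords(VAULT))
    print("breach at twitter exposes:", exposed_by_breach(VAULT, "twitter"))
```

Under that policy the 20 most common passwords cost an online guesser under an hour, while a 100,000-word dictionary costs months of lockouts the account owner would notice; the breach check shows why the shared password is the only one worth worrying about.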
Password Protection Via JumpCloud®
If you would like to learn more about how the Directory-as-a-Service® platform from JumpCloud can help you protect your organization and users from identity theft, drop us a note. Also, please check out JumpCloud’s password management capabilities, including password rotation, reuse, complexity, and more. Since your first 10 users are free forever, sign up to try our cloud identity management platform today.
*Avoiding the 20 most common passwords of course – don’t use password, iloveyou, logmein, etc…