This article was published on May 30, 2016

Why relying on your memory could compromise your security


Can you rely on your memory to store all of your passwords?

The theory goes – if you want to be truly certain that your passwords are not lost or stolen, make sure they are only stored in your head.

From your personal email accounts to the computer system in your car, hackers can disrupt your life and steal valuable information from almost any device with an internet connection. With more devices connected to the internet than ever before, the only logical place to keep your passwords and information safe is in your brain, right?

So can you rely on your memory to store all of your passwords?

Your passwords depend on your fallible human memory, and with the increasing complexity and quantity of passwords, it’s almost impossible to remember all of them.


You have way more passwords than you think

Think about how many websites you log into everyday: Facebook, Twitter, Gmail, Netflix, probably an online banking site. Then there are websites you sign into a few times a week.

And don’t forget – which you probably already have – about all of those websites or apps that you’ve only ever logged into once, and the number of accounts you have really starts adding up!

Last year, Dashlane conducted a study about password overload with anonymous data from more than 20,000 users of its email-auditing tool, Dashlane Inbox Scan, and learned that the average number of accounts registered to one email address is 130 in the United States, 118 in the United Kingdom, 95 in France, and 92 for the rest of the world.

If this trend continues, we’ll have an average of 207 accounts per internet user by the year 2020.

You (and passwords) are easily predictable

We’ve all forgotten a password before. In fact, the average number of passwords forgotten last year was 11.

But why?

You most likely didn’t forget a password because it was too long, but because it was too complex.

According to the annual list of the most popular stolen passwords for 2015, ‘123456’ takes the top spot, followed by ‘password’ and ‘12345678’.

It goes without saying that using ‘123456’ as your password is a terrible idea, but the reason it’s still popular is because it’s simple and memorable.

One consumer password study found that 60 percent of people are guilty of creating a password from a small set of alphanumeric characters, and about 30 percent select passwords that are six characters or shorter.

You may want to think twice before selecting an easy password. Using one of the top 10 overused passwords, a hacker would be able to access 1000 accounts in about 17 minutes.

There’s also a scientific reason as to why you are more inclined to choose a weak password.

Researchers at Harvard and MIT published a study on visual memory capacity, arguing that it is easier to remember images and information that we are already familiar with and have some meaning to us.

This is one reason why you often create easy-to-remember, yet predictable passwords based on your birthday, the name of a close family member, a street address, etc.

You’ll recognize a password better than recalling a password

Besides the fact that weak passwords are predictable and easy to remember, we also choose weak passwords because they’re easier to recall.

If someone asked you, “Is President Barack Obama the 44th President of the United States?”, you’d answer simply by recognizing if the information provided is true or false.

In contrast, if someone asked, “Who’s the 44th President of the United States?”, you’d need to recall the correct answer to the question. It’s easier to recognize something than to recall it, simply because recognition gives you more cues to help you remember.

Also, be on the lookout for websites with weak password security policies. These include sites that still accept the most commonly used passwords online, sites that will still allow you to access your account after 10 failed login attempts, sites that don’t require case-sensitive or alphanumeric passwords, etc.

If a site’s password policies are inadequate, it’s a big red flag that could indicate a major built-in security flaw.

Sometimes it’s not your memory’s fault

A recent Wired article suggested that policies requiring employees to change passwords frequently are actually making your system less secure.

According to a 2010 University of North Carolina at Chapel Hill study, people:

Tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to a similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).

This supports the Federal Trade Commission’s Chief Technologist Lorrie Cranor’s argument that requiring frequent password changes actually encourages you to create weaker ones or causes you to reuse passwords with tiny changes.
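A site can enforce the opposite of the weak policies described above. As an added example (not code from the article, Dashlane or the UNC study), here is a Python password-change check that rejects the three most common passwords the article names, anything six characters or shorter, and a new password that is merely one of the study’s ‘transformations’ of the old one. The look-alike symbol map and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import List

# Constructed from the article's 2015 list; a real deployment would use a much longer list.
COMMON_PASSWORDS = {"123456", "password", "12345678"}

# Assumed look-alike swaps to undo before comparing (the study's S -> $ example).
LOOKALIKE_MAP = str.maketrans({"$": "s", "@": "a"})


def core(pw: str) -> str:
    """Reduce a password to its letter core: lowercase it, undo look-alike symbol
    swaps, then drop every digit and special character. Two passwords with the
    same core differ only by the transformations the UNC study describes
    (incremented number, swapped symbol, added/removed punctuation, reordered
    digits), so they are not meaningfully different."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LOOKALIKE_MAP))


def check_new_password(old: str, new: str) -> List[str]:
    """Return the list of policy problems with `new`; an empty list means accepted."""
    problems = []
    if new.lower() in COMMON_PASSWORDS:
        problems.append("on the most-common-passwords list")
    if len(new) <= 6:
        problems.append("six characters or shorter")
    if core(old) == core(new):
        problems.append("trivial transformation of the previous password")
    elif SequenceMatcher(None, old.lower(), new.lower()).ratio() >= 0.8:
        # Assumed threshold: catches near-copies that the core check misses.
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("Summer2015", "Summer2016"), ("pa$$word1", "Password2"),
                     ("hunter!!!", "hunter!!"), ("whatever", "123456"),
                     ("password123", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```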

Similarly, Microsoft researcher Cormac Herley published a study on why internet users often reject security advice that casts doubts over the benefits of certain password rules.

He essentially argues that users ignore security advice, like changing your passwords at specified intervals, not because we’re lazy, but because password security advice is becoming more complex, the benefits are “largely speculative or moot,” and password policies can “shield [users] from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.”

Now you know why memorizing a strong, unique password feels more like a big hassle than a benefit, but that doesn’t mean you shouldn’t take the time to improve the strength of your passwords.

What’s the worst that could happen if I forget or reuse a password?

In the last few years, LinkedIn, Twitter, Yahoo, Gmail, AOL, Gawker and RockYou users unfortunately learned about the consequences of weak passwords the hard way.

These high-profile security breaches were responsible for compromising millions of users’ passwords and their data.

A hacker with your username/email and password from a single compromised database can use that information to access other sensitive accounts, like your social media profiles, your online shopping accounts, or even your online banking account.

But don’t fear! There is one thing you can do to protect your passwords and data: use a trusted, secure password manager.

Not only can it help you create strong, unique passwords for every website simply and safely, you can also refer back to it whenever your memory (or a website’s password policy) fails.
