January 19, 2021

Everything you know about passwords is wrong, but the remedy is better than expected | Technology

Humans are predictable when creating passwords too. The majority have between 6 and 8 characters, because that is what we were advised. 55% consist of lowercase letters and some number, according to this database of more than 500 million leaked passwords. Capital letters and special characters appear in only 0.6% of them. The numbers most often appended after the letters are also immensely predictable. The three most common two-digit endings are, at least in this sample of 3 million passwords, 00, 23 and 69. Those who bother to add three digits do not try much harder either: 123, 000, 001, 111, 007, 666.

In the end, the familiar wins out: nearby numbers, repeated digits, the desired sex act, James Bond or the devil. An algorithm trained to look for logical sequences, combined with the power of today's machines, would make short work of our mediocre attempts at inventing passwords.
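The statistics in the two paragraphs above (length band, character classes, favourite digit endings) are easy to reproduce on any password list, which is how a defender audits a password policy before an attacker's tooling does it for them. The following is an added example, not the article's code or the cited dataset; the password list is constructed for illustration, and the "predictable" three-digit set is taken from the endings the article lists.

```python
"""Password-structure audit over a constructed sample (added example, not the article's data)."""
import re
from collections import Counter

# Constructed sample for illustration; it is NOT the leaked dataset the article cites.
SAMPLE = [
    "sunshine23", "abcd123", "password1", "letmein00", "qwerty69",
    "Tr0ub4dor&3", "dragon007", "monkey666", "iloveyou", "hunter2",
    "football111", "soccer001", "Xk9#pL2$vQ", "batman000", "shadow",
]

# Three-digit endings the article lists as the usual lazy choices.
PREDICTABLE_3DIGIT = {"123", "000", "001", "111", "007", "666"}


def char_classes(pw: str) -> dict:
    """Which character classes a password draws from."""
    return {
        "lower": bool(re.search(r"[a-z]", pw)),
        "upper": bool(re.search(r"[A-Z]", pw)),
        "digit": bool(re.search(r"[0-9]", pw)),
        "special": bool(re.search(r"[^A-Za-z0-9]", pw)),
    }


def trailing_digits(pw: str, n: int):
    """The last n characters if they are all digits, else None."""
    m = re.search(r"(\d{%d})$" % n, pw)
    return m.group(1) if m else None


def audit(passwords) -> dict:
    """Reproduce the kind of statistics the article quotes, on any password list."""
    classes = [char_classes(p) for p in passwords]
    two = Counter(filter(None, (trailing_digits(p, 2) for p in passwords)))
    three = Counter(filter(None, (trailing_digits(p, 3) for p in passwords)))
    return {
        "total": len(passwords),
        "len_6_to_8": sum(6 <= len(p) <= 8 for p in passwords),
        # lowercase letters plus digits and nothing else: the article's 55% group
        "lower_and_digits_only": sum(
            c["lower"] and c["digit"] and not c["upper"] and not c["special"]
            for c in classes
        ),
        # the rare 0.6% group: any capital or special character
        "upper_or_special": sum(c["upper"] or c["special"] for c in classes),
        "top_2digit_endings": two.most_common(3),
        "top_3digit_endings": three.most_common(3),
        # how many took the "three digits" route and still chose a listed ending
        "predictable_3digit": sum(
            1 for p in passwords if trailing_digits(p, 3) in PREDICTABLE_3DIGIT
        ),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample, 11 of 15 passwords are lowercase-plus-digits only and every three-digit ending is one from the article's list; run `audit()` over a real export (never a plaintext dump you are not authorised to hold) to see how close your own users come to those figures.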

The danger of bad passwords is therefore ever greater. And on top of having bad ones, 52% of users recycle them, according to a study from Virginia Tech: "Even more surprising, sensitive online services such as shopping and email websites have the most passwords repeated or modified," say the authors. A modified password is one that has one or two characters changed so as not to repeat it exactly.

So far, incomprehensibly, there have been no widespread cybersecurity catastrophes for ordinary users.

Dates of birth, for example, are immensely repeated passwords

The private email of the author of this article has been compromised five times: in the breaches of bit.ly, Dropbox, LinkedIn, Tumblr and Stratfor. And he only just found out: on this website you can check which email addresses were affected in 314 breaches. Some of the most used passwords are also spread thousands of times over the internet. You can check here. Dates of birth, for example, are immensely repeated passwords. The vast majority of combinations of 6 lowercase letters are already in the database.

The author of the 2003 advice that we use passwords of at least 8 characters with letters and numbers recanted a year ago. Bill Burr, former director at the National Institute of Standards and Technology of the United States, now retired at 73, said in 2017 in an interview with the Wall Street Journal that he regretted his proposal: he had created an army of humans looking for simple combinations of numbers and letters. What seemed like good advice became millions of "abcd123" or "password1".

How to fix this mess

One possible improvement is to lengthen those 8 characters to 20 or more. But a single wonderful combination is not the solution either. Mark Risher, director of security at Google, has found that a perfect password does not work: it is worse to copy the same one, however good, across several websites than to have simpler but different ones. "Our research has proven that if someone uses the same password on many websites and one is compromised, it increases the probability of attack by a factor of 10. But if someone falls for phishing [identity spoofing], the probability of a successful attack is increased by a factor of 500," explains Risher.

There is an acceptable intermediate solution: create phrases or groups of words

The ideal solution is apparently simple: a different and complex password for each website. But here comes the problem: who will remember dozens of "d $% 29fht_pp *? 2o8"? "Write it on a piece of paper or, even better, store it in a password manager," says Risher.

The big technology companies have their own managers. There are also dedicated apps, which are not always especially intuitive to use. There is an acceptable intermediate solution: create phrases or groups of words. Passwords of 35 characters (with some ñ, even better) are harder to crack.
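Why "6 lowercase letters are already in the database" while a 35-character phrase is hard to crack comes down to the size of the guess space. The block below is an added example (not from the article) that puts numbers on the cases the text mentions: 6 lowercase letters, 8 letters and digits, and a 35-character phrase counted two ways. The 10 billion guesses per second rate and the 7776-word list size are assumed round figures, chosen only to make the comparison concrete.

```python
"""Guess-space comparison: short random strings versus word-based passphrases (added example)."""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of the given length over an alphabet of that size."""
    return alphabet_size ** length


def char_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string (attacker guesses characters)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy in bits of a passphrase built from randomly chosen words.
    An attacker who knows the word list guesses words, not characters, so this
    is the honest figure for a phrase regardless of how many characters it has."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at a given guessing rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e10) -> dict:
    """Cases drawn from the article: 6 lowercase letters, 8 letters+digits,
    and a 35-character phrase. The guessing rate is an assumed round figure."""
    six_lower = char_bits(26, 6)
    eight_alnum = char_bits(62, 8)
    # 35 characters over a-z plus ñ (27 symbols), as if every character were random ...
    phrase_chars = char_bits(27, 35)
    # ... versus the same phrase seen as 5 words drawn from an assumed 7776-word list.
    phrase_words = passphrase_bits(7776, 5)
    return {
        "six_lowercase_combinations": keyspace(26, 6),
        "six_lowercase_bits": round(six_lower, 1),
        "eight_alnum_bits": round(eight_alnum, 1),
        "phrase_as_characters_bits": round(phrase_chars, 1),
        "phrase_as_5_words_bits": round(phrase_words, 1),
        "six_lowercase_years": years_to_exhaust(six_lower, guesses_per_second),
        "phrase_as_5_words_years": years_to_exhaust(phrase_words, guesses_per_second),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

Two things the numbers show: 26^6 is only about 309 million combinations (a fraction of a second at the assumed rate, which is why they are all already in leak databases), and the same 35-character phrase is worth about 166 bits if you count characters but only about 65 bits if the attacker guesses words. The word-level figure is the one to design around, and it is still decades of work at the assumed rate.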

The underlying problem, however, remains the same: users have no incentive to improve their security because they have not seen their data compromised. The growing sophistication of phishing may change this. A recent example of a credible phishing email ([email protected]) said: "We have detected that one of your invoices has been doubly paid, the origin of the bad estimate in our automatic debit system, we have deducted from your account an amount of 765.00 EUR. case you must confirm your refund request." And a link where you enter your details. The figure and the bad Spanish give clues to the fraud, but it is far more sophisticated than the eternal Nigerian prince.

This type of phishing has degrees of sophistication. In the recent hack of 29 million Facebook users, the attackers took the last four digits of millions of credit cards. These cannot be used to take money, but they have other uses, according to Risher: "Another thing that is very scary: some of the big hacks offer information that lends credibility, for example, the last four digits of your card, so you can write something like this: 'Jordi, we are Banco Santander, about your credit card ending in **** 3456.' That can be quite credible even if they do not know your full card number; with that little they know, they can make it look much more legitimate."

Phishing is for everyone. Then there is spear phishing, where someone seeks to get into your account specifically, with a motivation that probably goes beyond money: "Data can be more important than money; our own information can be used to compromise our personal accounts, organizations or, in extreme cases, the national security of the country," says Michael Sirivianos, professor at the Cyprus University of Technology. Spear phishing was the origin of the hacking of the United States Democratic Party before the election that Trump won. And of the intrusion into Sony by North Korea.

Mark Risher, director of security at Google.

Risher does not like to admit it, so as not to give a sense of defeat, but the biggest security success of our online lives is that we have not been of interest to anyone. Because, if someone wants to, they will find a way to access your most secret information: "I hope that the impression readers get is that not everything is hackable; there are many things that can be done that limit the opportunities for something bad," says Risher, but he continues: "Although the percentage does not reach zero, because there is this asymmetry between attacker and defender: as defenders we have to make sure that every window, every door, the chimney, the basement, everything is closed. The attacker only needs one open to get in. That is a big advantage, but it does not mean you should leave the door unlocked."

The end of all passwords

The future of the password is to disappear. Online security will be so important that it will depend on something physical: a key, the mobile phone. A team co-led by Sirivianos has created one of these systems, ReCRED, where security depends on being able to unlock the mobile phone with biometric factors: fingerprint, facial recognition. "This system passes the burden of user authentication to the mobile phone we always carry," he explains, and he expects its use to become widespread within 5 years.

Google and other platforms already offer two-factor authentication: if you activate it, you can only access your account from a computer if you allow it from your mobile. So someone who does not have your phone cannot get in. Right now, "the pinnacle of security" that Google offers its users is the Advanced Security System, which requires the purchase of two physical keys, limits the third-party apps that can be used with the mail account and analyzes messages in depth to block phishing.

Yet another way to leave passwords behind will be the analysis of each user's online behavior: "Today we are investigating continuous authentication systems, which monitor the user's actions; if the behavior differs sufficiently from what is expected, an event is triggered so that the system can take measures," says Andrés Marín, a professor at the Carlos III University of Madrid.

"I hope that the impression that readers take is that not everything is hackable"

The hacking business is huge. Risher will not say whether governments are even behind some criminal efforts: "It is possible to locate where these people are, but it is not an investment, because we see the same types of attacks from many different adversaries, and therefore we do not dedicate much energy to attribution." Their resources go beyond a few hackers in a basement in some distant country: "It is a profitable business; there are groups where one team investigates, another works with infrastructure (servers), others prepare messages and even a final team handles human resources and salaries. world to have different time coverage and much specialization," explains Risher, who adds: "Unfortunately, the 20 years of history of email and spam have taught people that you can make money there and that it is useful to invest."

Something that has not happened, however, is for Hollywood to grasp what hacking is about: "In the movies you see an elite hacker who works for the Government, with infinite resources, but in reality those resources are used to have a room full of people pressing the 'send' button until a message gets through," says Risher.
