Security expert Markus Jakobsson says the best password could be as simple as combining words from a story that only you know.
Passwords — almost everyone's got one, or two, or 10.
But are passwords really the best way to protect your digital identity? Computer scientists have been trying to crack the code on the next generation of passwords, and one researcher says all you may need is a squirrel.
Security expert Markus Jakobsson says, just imagine that you went jogging in the forest, and you stepped on a squirrel.
That's one way to create a strong password, says Jakobsson, who created a new password system called "Fastwords."
"Think of a story," he says. "Turn it into three important words of the story."
A Bizarre Combination
And instead of punching in a random series of characters on a computer or a smartphone, users just need a three-word combination from a story they will remember.
Jakobsson says the more bizarre — jogging, forest, squirrel — the less likely a hacker will be able to get into your account. And the more likely you'll be able to remember it.
That's a good thing because technology writer Clive Thompson says our memories are lousy.
"Everyone knows that they should have a password that is harder to guess, but the truth is we humans are pretty bad at remembering characters that make for a really strong password," he says.
How bad are we at passwords?
Earlier this month, Hotmail announced new e-mail users will be banned from using passwords like "password," "123456" and "ilovecats."
Weak or even non-existent passwords were at least partly to blame for security breaches of voicemail accounts in the recent U.K. phone hacking scandal.
- Don't use only letters or only numbers.
- Don't use names of spouses, children, girlfriends/boyfriends or pets.
- Don't use phone numbers, Social Security numbers or birth dates.
- Don't use the same word as your log-in or any variation of it.
- Don't use any word that can be found in the dictionary — even foreign words.
- Don't use passwords with double letters or numbers.
— Microsoft Small Business Center
There are other options for authentication. Ed Felten, chief technologist for the Federal Trade Commission, says security researchers group all the different ways a user can prove his or her identity into three categories.
"Something you know, like a password; something that you have, like some kind of an object or a physical key, like we unlock our doors with; or something that you are, that is, some aspect of your body or your physical person," he says.
Our memories are bad with passwords, and we can easily lose a key, so some researchers have turned their focus to biometrics — that is, using parts of your body as an ID.
Engineering psychologist Kelly Caine says there's a reason we haven't seen a wide use of biometrics instead of passwords.
"Your credentials, so your face, your iris, or your fingerprint, can't be re-issued if they get compromised," she says.
So Felten says the best way to protect your digital identity is using multiple layers of security with passwords.
"The familiar passwords are ... not perfect. They're far from perfect. But they are the easiest alternative for now," he says.
And that means for the time being, passwords are here to stay.
Web companies and the Commerce Department are trying to develop ways for users to log in online with just a single password that would open all their accounts.
Remembering just one password would certainly be easier, but Felten says it could also be dangerous.
"All your eggs are in one basket," he says. "You better protect that basket really well."
Of course, you could always come up with a good story. Just make sure it doesn't involve jogging, forests or squirrels.