WE'VE SEEN A FLURRY of change-your-password announcements this week, and firms that have admitted to having their password security breached have tumbled like dominoes.
It started big with the news that 6.5 million password hashes had found their way out of LinkedIn, and then spread to other web sites like dating place eHarmony and music service Last.fm.
This might be just the tip of the iceberg, too. There are rumours in the wild about other web sites that might also be affected, meaning that other users could also be at risk. Over the course of this past week, online passwords, the way they are stored and the way they are protected, have been proven to be something of a joke.
LinkedIn was found to be storing passwords as plain SHA-1 hashes with no salt, something that earned it tut-tuts and guffaws from all sides in the security community. Hashing alone is not encryption, and without a per-user salt every user who picked the same password ends up with the same hash, so one dictionary run cracks them all at once. "It is not enough," they cried, "You goofed."
The passwords, even though they are hashed, are being cracked right now, and the unsalted bag of 6.5 million login hashes is falling day by day.
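To show concretely why an unsalted hash dump falls so fast, here is an added example (not code from the original article or from LinkedIn): it builds a constructed "leaked" dump of unsalted SHA-1 hashes, cracks it with a single pass over a small wordlist, and then repeats the attack against the same passwords stored with a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256). The user names, passwords and wordlist are invented for the example; the iteration count is set low enough to run quickly and should be higher in production.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example: an invented wordlist and invented users.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty", "monkey"]


def sha1_unsalted(password: str) -> str:
    """Unsalted SHA-1, the scheme LinkedIn was using: same password, same hash, for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# The "leaked" dump: what an attacker downloads.
LEAKED_UNSALTED = {
    "alice": sha1_unsalted("123456"),
    "bob":   sha1_unsalted("letmein"),
    "carol": sha1_unsalted("9h&Kq2!vXz"),   # not in the wordlist; survives this attack
    "dave":  sha1_unsalted("123456"),       # same password as alice, so an identical hash
}


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Hash each candidate ONCE, then look every user's hash up in that table.
    Cost is len(wordlist) hashes no matter how many users leaked.
    Returns (cracked mapping, number of hash computations)."""
    table = {sha1_unsalted(w): w for w in wordlist}
    cracked = {user: table.get(h) for user, h in leaked.items()}
    return cracked, len(wordlist)


def hash_salted(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF. The stored record carries
    the salt and iteration count so verification can reproduce the computation."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    salt_hex, iters, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a login oracle leaks nothing through timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


# The same invented users, stored the way they should have been.
SALTED_RECORDS = {
    "alice": hash_salted("123456"),
    "bob":   hash_salted("letmein"),
    "carol": hash_salted("9h&Kq2!vXz"),
    "dave":  hash_salted("123456"),
}


def crack_salted(records: dict, wordlist: list) -> tuple:
    """With salts the shared lookup table is gone: every (user, candidate) pair
    costs a full KDF run, and identical passwords no longer share a hash.
    Returns (cracked mapping, number of KDF computations)."""
    cracked, computations = {}, 0
    for user, stored in records.items():
        cracked[user] = None
        for w in wordlist:
            computations += 1
            if verify_salted(w, stored):
                cracked[user] = w
                break
    return cracked, computations


if __name__ == "__main__":
    weak, n = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print("unsalted SHA-1:", weak, "after", n, "hash computations")
    strong, m = crack_salted(SALTED_RECORDS, WORDLIST)
    print("salted PBKDF2: ", strong, "after", m, "KDF computations")
```

The weak passwords still fall in both cases; a salt and a slow KDF do not rescue "123456". What changes is the cost per user: the unsalted dump is cracked with one hash per candidate word for the whole site, while the salted store forces the attacker to spend a full KDF run per user per candidate, and alice and dave no longer reveal that they share a password.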
The message from the victim firms is that they do treat security seriously. For example, they won't be emailing any links to password changing web pages, in order to thwart phishers. But do they really have good security? And isn't it too late anyway?
They've chosen to spin out the same old messages about how important the users' choice of a password is. It should be long, complicated, changed regularly, uncrackable, and memorable.
It's the last part that is a problem. If you can remember a password then someone can probably guess it. Most people can't remember their own mobile phone numbers these days, never mind a complex string of capital and lower-case letters, punctuation marks and numbers.
One solution to this, and one that I am considering trying, is to write a password on a rock and throw it into the sea. That way no one will stumble upon it, and you will know where it is when you need it.
This method would have worked for me on Linkedin as I don't think I have been back there since the day I reluctantly joined. However, it might not suit web sites like Facebook where users are more likely to be in than they are out, on a regular basis.
Another staggeringly complex solution would be to give your password to a friend, but not tell them what it was for. Under this system a friend, we'll call him John, would have your login to Twitter for example, but not know what it was for.
You would have to assume that he would not be curious enough to try it on any of the big web sites, and rely on him to tell you what it is every and any time that you need it.
This would work like the automated password request option you find on most web sites, but would not require you to rely on a third party provider that has better things to do with your data, like sell it for example.
The "John System" as I am temporarily calling it, relies on you staying friends with your friends, and them not turning out to be bastards. I am trying to figure out a way to mitigate these factors, but so far have failed in my experiments.
In the meantime, the more random a password you use the better. If we can't rely on companies to hash them properly then it is up to us to do as much as we can to make them into the sort of cryptic puzzles that keep mathematicians drinking coffee.
Random password generators are good for this, because they remove any trace of personality from your choice of password, making it harder for people to guess them using social engineering.
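As an added example of what "random" should mean here (this is not code from the article), the generator below draws from Python's `secrets` module, which is backed by the operating system's CSPRNG, rather than from `random`, which is seeded predictably and is not safe for secrets. It also reports the entropy budget of a password or passphrase in bits, so the trade-off the article describes between memorable and guessable can be put in numbers. The small word list is constructed for the example; a real passphrase list such as a 7776-word diceware list gives about 12.9 bits per word.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word list for the example only (4 bits per word).
WORDS = ["anchor", "basket", "cactus", "dragon", "ember", "falcon", "glacier",
         "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
         "orchid", "pebble"]


def generate_password(length: int = 16, alphabet: str = SYMBOLS) -> str:
    """Uniform, independent choice of each symbol from a CSPRNG.
    No 'must contain one of each class' rule: that shrinks the keyspace."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and an alphabet of at least 2 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist: list = WORDS, sep: str = "-") -> str:
    """Memorable alternative: random words. Entropy comes from the list size
    and the number of words, not from how odd the words look."""
    if words < 1 or len(wordlist) < 2:
        raise ValueError("need words >= 1 and a list of at least 2 words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size`.
    Only valid for generated secrets; a human-chosen 'P@ssw0rd1' has far less."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret by brute force: on
    average the attacker searches half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    # Assumed attacker rate for illustration: 1e9 unsalted SHA-1 guesses/second.
    rate = 1e9
    for label, bits in [("6-digit PIN", entropy_bits(6, 10)),
                        ("8 lower-case letters", entropy_bits(8, 26)),
                        ("12 random symbols", entropy_bits(12, 94)),
                        ("6 words from a 7776-word list", entropy_bits(6, 7776))]:
        secs = expected_crack_seconds(bits, rate)
        print(f"{label:32s} {bits:6.1f} bits  ~{secs / 86400 / 365:.2e} years")
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase())
```

The point the numbers make is that length and alphabet size are what count, not how unpronounceable the result looks: six words from a large list carries more entropy than eight random lower-case letters and is far easier to remember. The crack-time estimate assumes the attacker has the hash dump and can guess offline, which after this week's breaches is exactly the situation.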
Or you could choose to only join those web sites that you think you can trust. This might only be a small list, but hey, that's the nature of the internet. You can moan all you want about what happens to your data after a security breach, but if you've chosen to use a weak password on a crappy web site then you are doomed from the start.
The internet isn't a theme park, it's the Wild West. µ