Fix Your Terrible, Insecure Passwords in Five Minutes

A foolproof technique to secure your computer, e-mail, and bank account.

It’s tempting to blame the victim. In May, a twentysomething French hacker broke into several Twitter employees’ e-mail accounts and stole a trove of meeting notes, strategy documents, and other confidential scribbles. The hacker eventually gave the stash to TechCrunch, which has since published notes from meetings in which Twitter execs discussed their very lofty goals. (The company wants to be the first Web service to reach 1 billion users.) How’d the hacker get all this stuff? Like a lot of tech startups, Twitter runs without paper—much of the company’s discussions take place in e-mail and over shared Google documents. All of these corporate secrets are kept secure with a very thin wall of protection: the employees’ passwords, which the intruder managed to guess because some people at Twitter used the same passwords for many different sites. In other words, Twitter had it coming. The trouble is, so do the rest of us.

[snip]

Everyone knows it’s bad to use the same password for different sites. People do it anyway because remembering different passwords is annoying. Remembering different difficult passwords is even more annoying. Eric Thompson, the founder of AccessData, a technology forensics company that makes password-guessing software, says that most passwords follow a pattern. First, people choose a readable word as a base for the password—not necessarily something in Webster’s but something that is pronounceable in English. Then, when pressed to add a numeral or symbol to make the password more secure, most people add a 1 or ! to the end of that word. Thompson’s software, which uses a “brute force” technique that tries thousands of passwords until it guesses yours correctly, can easily suss out such common passwords. When it incorporates your computer’s Web history in its algorithm—all your ramblings on Twitter, Facebook, and elsewhere—Thompson’s software can come up with a list of passwords that is highly likely to include yours. (He doesn’t use it for nefarious ends; AccessData usually guesses passwords under the direction of a court order, for military purposes, or when companies get locked out of their own systems—“systems administrator gets hit by a bus on the way to work,” Thompson says by way of example.)
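The word-plus-suffix habit Thompson describes can be turned into a defensive strength check. The following is an added example, not code from the article or from AccessData's software: it flags passwords that fit the "pronounceable word plus 1 or !" pattern and estimates how many guesses a pattern-based guesser would need. The tiny word list, the `DICTIONARY_SIZE` figure, and the suffix character set are constructed assumptions standing in for what a real tool would load.

```python
import math
import re

# Constructed stand-in for a real guesser's word list (assumption). DICTIONARY_SIZE
# models the size of the full English list a real tool would carry.
COMMON_WORDS = {"password", "welcome", "monkey", "dragon", "sunshine", "twitter", "summer"}
DICTIONARY_SIZE = 50_000

# The article: when forced to add a numeral or symbol, people append 1 or ! to the word.
# Assumed set of characters such a guesser would try as trailing suffixes.
SUFFIX_CHARS = "0123456789!@#$%"
SUFFIX_RE = re.compile(r"^(.*?)([0-9!@#$%]*)$")


def split_suffix(password):
    """Separate the readable base from any trailing run of digits/symbols."""
    base, suffix = SUFFIX_RE.match(password).groups()
    return base, suffix


def looks_pronounceable(word):
    """Cheap heuristic for 'pronounceable in English': letters only, at least one
    vowel, and no run of four consonants or three vowels."""
    w = word.lower()
    return (w.isalpha() and re.search(r"[aeiouy]", w) is not None
            and re.search(r"[^aeiouy]{4}|[aeiouy]{3}", w) is None)


def pattern_guesses(password):
    """Estimate the guesses a word+suffix guesser needs. Returns None when the
    password does not fit the pattern (the guesser would fall back to a far slower
    exhaustive search)."""
    base, suffix = split_suffix(password)
    if not base or not looks_pronounceable(base):
        return None
    suffix_space = len(SUFFIX_CHARS) ** len(suffix)  # 1 when there is no suffix
    case_variants = 2                                 # all-lowercase or Capitalized
    word_space = len(COMMON_WORDS) if base.lower() in COMMON_WORDS else DICTIONARY_SIZE
    return word_space * case_variants * suffix_space


def verdict(password, min_bits=40):
    """Human-readable result: pattern match plus log2 of the estimated guess count."""
    guesses = pattern_guesses(password)
    if guesses is None:
        return "does not match the common pattern"
    bits = math.log2(guesses)
    return f"word+suffix pattern, ~2^{bits:.0f} guesses: " + ("weak" if bits < min_bits else "ok")
```

Run `verdict("Password1")` against `verdict("xK9$vq2LpT")` to see the difference between a password the pattern model catches in a few hundred guesses and one it cannot model at all.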


2009-07-24