Ubiquitous passwords online cause myriad challenges

A popular online joke shows a frustrated computer user in front of a screen that reads: “I’m sorry, your password must contain a capital letter, two numbers, a symbol, a spell, a gang sign, a hieroglyph and the blood of a virgin.”

The rise of “password” jokes puts a funny spin on a very real phenomenon: much of our personal information is available online, protected only by a string of alphanumeric characters that we must generate, and, even worse, remember.

This week, it was revealed that the so-called Heartbleed bug, a flaw in the encryption software used by two-thirds of secure websites, may be putting a great deal of personal information at risk.

The advice being given to ordinary consumers is: change your passwords. All of them. But for people with dozens of different codes, that can be a daunting task.

Sitting at a Montreal-area coffee shop, students Lucie Goyette, 24, and Catherine Bergeron, 22, made a quick tally. Between phone codes, PINs, student numbers and countless social media accounts, they figured they each have about a dozen passwords.

Goyette said hers are pretty easy to remember. “They’re all a variation of the same base word,” she said. “I guess I’d be pretty easy to hack.”

Cybersecurity expert Terry Cutler said the number of passwords to remember is much higher than most people think. Counting everything from alarm security codes to car door keypads, he estimates that most people have between 20 and 50 passwords to remember.

“The challenge that I’m seeing is that people, especially those who are not from the Internet generation, are using passwords like their birthdays, their mother’s maiden name, their address, or anything else that’s easy to remember,” he says.

Password management company SplashData released a list of the most popular passwords of 2013, with 123456, password, and qwerty all making the Top 5.

The problem with this kind of password, according to Cutler, is that most hackers use software that stores millions of codes in something called a dictionary file. “Those common sequences are the first thing they’ll try,” he says.

Nevertheless, that doesn’t stop many Montrealers.

Bruce Hulley, in his 80s, spent many years teaching fellow seniors basic computer and Internet skills. For many older people, the sheer number of passwords to use and remember can be a barrier to Internet use.

“We lived most of our lives with just our address, our phone number, and our social insurance number,” he said. “Now we’re confronted with dozens of passwords we promptly mess up and forget.”

He said he used to suggest easy-to-remember passwords, like a first name, to his students. Although it’s not the most secure, “it’s better than them not using the Internet at all.”

But forgetting passwords is not limited to seniors. Goyette said she has forgotten and reset many of her passwords numerous times. Even the backup verification questions aren’t always a help.

“On one account, I’d put the name of my boyfriend as the security question,” she said. “Years later, I had no idea how I’d spelled his name.”

Cutler said everyone can develop a password that is secure: at least 16 characters long, containing a mix of numbers, upper and lowercase letters, and symbols.

“The best way is to take a favourite phrase or song lyric, and replace a couple of the letters with symbols, like putting an ‘@’ symbol in place of an ‘a,’ ” he says.

Even though it won’t help with system failures like Heartbleed, it’s better than nothing.

“A good password can take years to break,” he said.

Just don’t use letmein.