The years change, but the stories remain the same. Passwords are a crappy defense and most of us use poor ones in exchange for ease of use.
Some LinkedIn users had their passwords stolen. Phishing attacks ensued to prey on LinkedIn users. Now eHarmony has had issues. Passwords are regularly swiped from Web mail accounts.
The problem: Passwords may be the most imperfect security measure around. Most users don't want to sacrifice usability for a good password.
Sure, there are encryption techniques, two-factor authentication and other enhanced security measures. The reality is that most of us stick with a password we may or may not remember.
LinkedIn stated the obvious on a blog about its password issues:
Our security team continues to investigate this morning’s reports of stolen passwords. At this time, we’re still unable to confirm that any security breach has occurred. You can stay informed of our progress by following us on Twitter @LinkedIn and @LinkedInNews.
While our investigation continues, we thought it would be a good idea to remind our members that one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites. Use this as an opportunity to review all of your account settings on LinkedIn and on other sites too. Remember, no matter what website you’re on, it’s important for you to make sure that you protect your account security and privacy.
LinkedIn sounds like it has a handle on the issue. What LinkedIn can't control is whether a user goes from a password like "password" to something like "123456."
The password basics are well known:
- Make your passwords eight or more characters;
- Vary punctuation, symbols, letters and numbers;
- Change passwords every three months;
- Use different passwords for accounts.
That advice is obvious. But following those security practices also ensure that you won't remember your passwords.
In other words, passwords are imperfect. Users are even more imperfect. But we're stuck with them because no other security measure has gained critical mass on the consumer front.