Follow us on Instagram
Try our daily mini crossword
Play our latest news quiz
Download our new app on iOS/Android!

Who goes there?

The November 2011 issue of The Atlantic has an article by James Fallows called “Hacked!”, which describes the ordeal of Fallows’ wife after her Gmail account was compromised, causing her to lose (at least for a while) essentially all of her online life, including six years of mail, photos, and personal documents. Her correspondents were told that she had been mugged in Madrid, but the rest of the story line reminded me of an incident of my own a year ago: an urgent email from a friend, sent to a very small mailing list, asking for a short-term loan.

In both cases, someone had obtained the victim’s Gmail password, and that was enough to let the bad guys focus on very accurately targeted groups of potential victims. Phishing attacks like these are getting more sophisticated. There’s probably no one alive who hasn’t received a Nigerian scam letter, offering to split ten or twenty million dollars if the recipient will just send along some bank account information. Those are so bogus that it’s hard to imagine that anyone would bite, though apparently some still do. But an attack like the one reported by Fallows is far more plausible because it is so precisely targeted; that’s why it’s called spear phishing.


How are accounts cracked? Sometimes it’s through systematic password guessing, or asking for a password reset, which is what happened to Sarah Palin’s Yahoo account in 2008. But it seems that the most common problem is using the same password for more than one site. If you do that, your security is no better than that provided by the site with the weakest controls: even if Google does a perfect job, that won’t help you if some other site can be easily broken into. A break-in at Gawker in December 2010 stole more than a million passwords; Fallows says that this might have been the vector for the attack on his wife.

Our online lives are increasingly controlled by passwords. I tried counting mine, but gave up at a hundred. Many of these are throwaways, of course — who cares what my New York Times password is — but others matter a lot, like the one for posting student grades. That’s different from what I use in the computer science department, which in turn is different from one I use at Google, which is different from the ones for access to my credit card account, administering my computers, my Internet domains, the wireless router in my house and on and on and on. A handful of these are used every day, but most lie dormant for months or even years; there’s no hope of remembering them and I probably wouldn’t notice if someone did break in.

An extra complication is that every site, no matter how insignificant, has a different set of rules for what constitutes a valid password, a capricious combination of dos and don’ts. For instance, at the U.S. Copyright Office, where I recently registered my new book “D is for Digital,” a password must have eight characters with two letters, one number and one special character (but not an ampersand!), and no consecutive repeated characters; it must not include the user name or any part of it, or the names of a spouse, children, pets, or one’s own name, or any sports teams or players, or any part of a social security number longer than one digit or (and this is the killer) “words that can be found in any dictionary, whether English or any language.” In my case, all this fuss was for a password that I used exactly once and will likely never use again.

Passwords are out of control. They’re too numerous and too weak to be the all-purpose authentication mechanism. We need so many and the rules are so arbitrary that one is forced to write passwords down, re-use them, and probably create them with some kind of pattern anyway, all of which adds to the risk. Here’s a question that you should ask yourself: if a bad guy saw a couple of your passwords, could he guess more? Electronic break-ins at large sites are not uncommon, and passwords are one of the marketable results.

There aren’t many good alternatives on the horizon either. Perhaps biometrics like fingerprints or retinal scans will be practical some day, but for now the best we have is two-factor devices, where you have to know something (a password) but also have something (like a device that generates an additional one-time password whenever it’s needed). Some companies, including Google, offer this service, and if you have a smartphone, there’s no extra gadget to carry; it’s just another app. But if someone steals your phone, you’re back in the same pickle. Life was much easier when we didn’t have to spend so much of it trying to remember how to prove who we are.

Brian Kernighan GS ’69 is a computer science professor and a Forbes faculty adviser. He can be reached at


Most Popular