After Daphne Strassmann’s credit card number and other personal information were stolen in the Target data breach last fall, she diligently went about changing 10 online passwords. The process involved channeling nonsense words inspired by the view from her couch: a banana, a squirrel, a picture of her nana.
But when it came time to log back onto those accounts, Strassmann couldn’t remember a single password. “I need to hire a hacker to get them back,” she said.
So in early April when the next whopper data breach hit — this time it was the Heartbleed security bug, which may have affected as much as two-thirds of the Internet — Strassmann didn’t change anything. “Enough is enough,” she said.
Around the Internet, password fatigue is setting in. And taking serious precautions, like using a multistep authentication process to log into e-mail or subscribing to a password management system that holds encrypted data, still seems unnecessary and just too much work for some users.
An April YouGov/Huffington Post survey of 1,000 adults found that just 6 percent changed all their passwords after discovery of the widespread Heartbleed security flaw, while 62 percent changed none.
“A lot of people, until they are burned, don’t really think they need to do anything about it,” said Joe Siegrist, the chief executive of LastPass, a Virginia-based password management system that remembers users’ passwords for them, with fees ranging from nothing to $12 a year. “The younger generation especially seems to be flippant about it.”
This is how careless we are. For two years running, the most popular online password was the word “password,” according to SplashData, a California-based provider of password management applications. Using files containing millions of stolen passwords posted online, it compiles an annual list of the top 25 “worst passwords.”
In 2013, the password “password” was unseated from its top spot of shame by the equally lazy “123456,” according to SplashData. Other passwords on the list of shame include “qwerty” and “iloveyou.”
And not only are our passwords weak, but users spritz passwords around the Web so casually most people don’t even remember all the accounts they’ve created.
“When I ask people they think they’ve got fewer than 10 [accounts],” said LastPass’s Siegrist. That is until he brings up a list of frequently visited sites, and people realize they probably have 40 or more.
“I ask, ‘Do you have a Facebook or Twitter account? Have you shopped at Lands’ End or J. Crew or Amazon or Best Buy? Do you use Netflix or Pandora? Have you used TurboTax, do you have magazine subscriptions, or a 401k? What about your power company or insurance provider?’ It goes on and on.”
Point made — or is it? Many consumers just want to be able to use the same password, short and easy to remember, on every site.
Who can be bothered to create a unique 12-character password with uppercase and lowercase letters, numbers, and special characters?
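As an added illustration (not part of the article, and not SplashData’s or LastPass’s code), here is how a “worst passwords” list like the one described above is tallied from a file of leaked passwords, and how a site or a user can reject a password that appears on such a list or falls short of the 12-character, mixed-character rule. The leaked dump is constructed for the example, and the length threshold and rule names are assumptions.

```python
"""Password hygiene checks (added example, not from the article).

Demonstrates two things the article describes in prose:
  1. Compiling a "worst passwords" list by tallying the most frequent entries
     in a dump of leaked passwords (the dump below is constructed, not real
     breach data).
  2. Rejecting a candidate password that is on that list or that fails the
     12-character, upper/lower/digit/special rule the article mentions
     (the threshold of 12 is an assumption taken from the article's wording).
"""
from collections import Counter
import string

# Constructed stand-in for a leaked password dump, one password per line.
LEAKED_DUMP = """123456
password
123456
qwerty
iloveyou
123456
password
letmein
qwerty
123456
""".splitlines()


def worst_passwords(dump, top_n=25):
    """Return the top_n most common passwords in the dump, most frequent first.

    Ties keep first-seen order, which is what sorted()/most_common() give.
    """
    counts = Counter(line.strip() for line in dump if line.strip())
    return [pw for pw, _ in counts.most_common(top_n)]


def check_password(candidate, blocklist, min_length=12):
    """Return the reasons a candidate is weak; an empty list means it passes.

    The blocklist comparison is case-insensitive so "Password" is caught
    just like "password".
    """
    problems = []
    if candidate.lower() in {pw.lower() for pw in blocklist}:
        problems.append("on the common-password blocklist")
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    top = worst_passwords(LEAKED_DUMP)
    print("worst passwords in the constructed dump:", top)
    for pw in ["password", "Password1", "Tr0ub4dor&3x!mpl3"]:
        print(pw, "->", check_password(pw, top) or "ok")
```

A real deployment would load a blocklist of millions of entries rather than five, but the checks are the same: length first, then a lookup against the list of passwords that have already been seen in breaches.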
In Sudbury, Jen Baker, a high school history teacher, says she does not have the time to try to protect herself from a threat she’s not even worried about. But after the widely publicized Heartbleed bug sent worried consumers and security specialists scrambling, the school’s technology head gave Baker a “talking to” about changing her e-mail password. Alas, the change didn’t go smoothly, and she spent a weekend locked out of online communication, a process so painful it turned her off to changing even one more password.
“I’m 32, and I’ve lived the majority of my life online,” Baker said. “It’s a reality of the modern era. I participate in e-commerce and social media and I know that privacy is thin at best. If the hackers really want to read my Gmail and see what’s happening with my daughter’s school committee, they can have at it.”
And they are. Earlier this year 18 percent of Internet users told the Pew Research Center they had had important personal data, such as Social Security numbers or credit card information, stolen as a result of their online activities, up from 11 percent in 2013. And 21 percent said they have had an online account like Facebook or Gmail compromised.
E-mail access in particular is a gateway to other sites because it contains so much personal information, and hackers can exploit that weak link to work their way into a more lucrative target, such as a bank account, said Azer Bestavros, a professor of computer science at Boston University.
“It’s called ‘social engineering,’ ” he said. “You could be part of a bigger plot. They use you as a step in a bigger scheme. This is why a person who would appear to be totally average could be useful to a hacker.”
Here is something else that can be useful to a hacker: Those pictures of tapas and craft beer you upload whenever you eat out, and the selfies from your high school reunion, and the 1980s-era snapshot of your beloved family golden retriever.
Hackers use those to crack the security questions some sites use to help you prove that you are you, said Robert Siciliano, a North Shore-based identity theft expert with McAfee, the digital security company.
“That’s how they cracked Sarah Palin’s Yahoo account [in 2008],” he said. “It’s all public information.”
In Palin’s case, the alleged hacker reportedly was able to reset the former vice presidential candidate’s password using her birthdate, zip code, and info about where she met her spouse — Wasilla High School — using Google searches.
As the Heartbleed bug shows, even the best laid passwords can be vulnerable, said Zulfikar Ramzan, the chief technology officer for Elastica, a cloud security startup in San Jose, Calif.
“With all these advancements in technology, that we still rely on passwords as the main thing that keeps us safe is quite surprising,” he said. “Passwords are primitive in many ways.”
Until the password-less future arrives, Internet users like Joe Ranft are in a bind. After Heartbleed, Ranft, a cofounder of Cinch Financial, a Boston startup, changed about three of his 100 passwords.
But he has not gotten around to changing passwords for some lesser sites, and others, like Amazon.com and iTunes, he knows better than to change. Those are accounts he shares with his wife.
“When she’s in a hurry she doesn’t have time to try and track me down,” he explained. “It would be like Target adding a password to their doors.”

Beth Teitell can be reached at firstname.lastname@example.org. Follow her on Twitter @BethTeitell.