More on passwords

The strange thing about writing a password blog is that most of the topic is the same as what I wrote about 20 years ago, so the challenge is not writing about passwords, but making the subject of passwords interesting to read. The difference is that during these 20 years, the use of computing technology has increased significantly, and a new generation of people need to know more about how to take their safety and security more seriously. So, it is OK for me to repeat myself on this.

I didn’t think I would write another blog about passwords, but I was recently in a queue for a local cash machine when a teenager in front of me told her friend, ‘Mine is just 1234, so I can easily remember it’. A few laughs followed. I thought it was a joke initially until I saw her type ‘1234’. Even though I was standing 2 meters away, it was impossible not to see and hear what happened.

If the wrong person had been in that queue, they would already have known the PIN and needed only the card, and someone prepared to steal or rob for it could have done serious harm. It also reminded me how often people use Chip and PIN in an unguarded way, and how easy it is to see PINs just by standing in a queue. Simple advice here is to shield the keypad with your other hand, to change your PIN if you think anyone may have seen it, and to be more careful generally when entering a PIN to make a purchase or withdraw cash from an ATM. Simple advice for banks would be to refuse commonly used and easily guessed PINs such as 1234, repeated digits or a birth year.

Weak passwords carry many risks, and with social media growing and so much personal information available online, guessing them is easier than ever. A full dictionary attack on a system takes time, so an attacker starts with what they already know about the target. If your Facebook page shows that you are a Star Wars fan, an attacker could start with Jedi1 or Jedi1!, and thousands of variations on that theme, which is far more efficient than brute-forcing an entire dictionary. The same applies to any information in the public domain. It gets worse with security questions, because if you answer them truthfully you are handing over immutable facts for security purposes. Your place of birth is unlikely to change, for example, and it appears on a large number of Facebook profiles.

Passwords need to be extremely difficult to guess and unrelated to anything about you that anyone else would know or could find out with a search engine. There are no set rules for how to achieve this, and there are probably as many schemes as there are security consultants. A mixture of upper case, lower case, numbers and symbols is an excellent place to start, with a length of at least 8 characters, and longer is better: each extra character multiplies the search space, whereas swapping a symbol in only adds a rule to the attacker's list. I am being intentionally vague here and not recommending a specific approach. As soon as a scheme becomes popular, cracking tools gain a rule for it, so you should think about how you will make strong passwords and take responsibility for your own safety and security.

Someone a long time ago thought it was a good idea to replace some letters with numbers or symbols, such as 'I' with '1', 'A' with '@' and 'E' with '3'. It quickly became popular, but in practice it is only a small rule added to password-cracking software. If someone is known to be a Star Wars fan, then 'J3d1Kn1gh+' will be tried along with every other variation of the word under the same convention, and any dictionary attack can apply these substitutions as a matter of course. Consequently, replacing letters with numbers has been insecure for a long time. To recap: decide for yourself how complicated and obscure your passwords will be, and do not rely on a convention everyone else already uses.
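To make the last two paragraphs concrete, here is an added example (my own code, not the post's) of the mangling a cracker applies to a short, targeted seed list: the letter swaps above, a few common suffixes, and the usual capitalisations. The seed words, the suffix list and the unsalted SHA-256 standing in for a leaked hash are all assumptions chosen for illustration; real cracking tools apply far more rules than this, which is the point.

```python
import hashlib
import itertools

# Letter-to-symbol swaps a cracker's rules know about: the ones the post
# mentions (I->1, A->@, E->3), the T->+ from its own example, and two more
# that are just as common. Assumed list for illustration.
LEET = {"i": "1", "a": "@", "e": "3", "t": "+", "o": "0", "s": "$"}
# Suffixes people bolt on to satisfy "must contain a digit/symbol" rules (assumed).
SUFFIXES = ["", "1", "!", "1!", "123", "2024"]


def leet_variants(word):
    """Yield every way of applying zero or more LEET swaps to `word`."""
    options = [(ch, LEET[ch.lower()]) if ch.lower() in LEET else (ch,) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word):
    """The handful of capitalisations people actually use."""
    return {word, word.lower(), word.capitalize(), word.upper()}


def candidates(seeds):
    """Expand a short, targeted seed list (fan interests, pet names, ...) into
    the candidate set a personalised dictionary attack would try first."""
    out = set()
    for seed in seeds:
        for cased in case_variants(seed):
            for leet in leet_variants(cased):
                for suffix in SUFFIXES:
                    out.add(leet + suffix)
    return out


def sha256_hex(text):
    """Unsalted SHA-256, standing in for a leaked password hash (assumption)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hash, seeds):
    """Return the candidate whose hash matches `target_hash`, or None."""
    for cand in sorted(candidates(seeds)):
        if sha256_hex(cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    # Constructed seeds, as an attacker would write them after reading a profile.
    seeds = ["Jedi", "JediKnight", "StarWars"]
    pool = candidates(seeds)
    print(f"{len(pool)} candidates from {len(seeds)} seeds")
    print("recovered:", crack(sha256_hex("J3d1Kn1gh+"), seeds))
```

Three seed words expand to a little over a thousand guesses, and 'J3d1Kn1gh+' is among them; a brute force of ten mixed characters would need something like 10^19. That gap is why a public profile is worth more to an attacker than a faster machine.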

Avoid using the same password for multiple purposes. Large, established systems with a strongly security-conscious ethic store only a salted, deliberately slow hash of each password, so that not even the company's own staff can find out a customer's password. The lengths an organisation goes to are relative to the value of what it is protecting, so other systems will still store passwords in plain text and e-mail them back in plain text as password reminders. A simple check: any site that can send you your existing password, rather than a reset link, is storing it in a recoverable form.
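What "not even the staff can find out the password" looks like in code, as an added example that is mine rather than any particular company's: the database keeps a random per-user salt and a slow PBKDF2 derivation, never the password itself. The record layout and the work factor are this example's own choices; the iteration count follows OWASP's 2023 minimum for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# OWASP (2023) minimum for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def store_password(password, iterations=ITERATIONS):
    """Return the only thing the database keeps: algorithm, work factor, a
    random per-user salt and the derived key. The plaintext is discarded, so
    anyone with database access (staff included) can neither read it nor
    e-mail it as a "reminder"; all they can do is trigger a reset."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Record format is this example's own, not a standard one.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(record, attempt):
    """Re-derive the key from the attempt with the stored salt and work factor,
    then compare in constant time so timing does not leak how much matched."""
    algo, iterations, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algo}")
    key = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    alice = store_password("J3d1Kn1gh+")
    bob = store_password("J3d1Kn1gh+")   # same password, different salt, different record
    print("records differ:", alice != bob)
    print("correct:", verify_password(alice, "J3d1Kn1gh+"))
    print("wrong:", verify_password(alice, "jedi1"))
```

The salt is what stops a single precomputed table (or the targeted wordlist from the earlier example) being hashed once and checked against every user at the same time; the slow derivation is what makes each guess cost the attacker as much as it costs the site.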

In recent years more and more websites require registration before allowing purchases, and far fewer allow one-off purchases, so people need far more user accounts than they did a few years ago. Using the same password for high-security and low-security systems lets attackers compromise the high-security ones with far less effort. A website can also sell cheap widgets primarily to harvest email addresses, passwords and other personal information, then try those credentials against higher-value targets such as bank accounts, social media accounts and email accounts. Access to a primary email account makes it easier still to compromise other sites and services, because their password resets arrive there.