The strange thing about writing a blog post on passwords is that most of the advice is the same as it was 20 years ago, so the challenge is not writing about passwords but making the subject interesting to read. The key difference is that over those 20 years the use of computing technology has grown enormously, and a new generation of people need to learn how to take their own personal safety and security seriously. So it is fine for me to repeat myself on this.
I didn’t think I would write another blog about passwords, but I was recently in a queue for a local cash machine when a teenager in front of me told her friend, ‘Mine is just 1234 so I can easily remember it’. A few laughs followed. I thought it was a joke initially, until I saw ‘1234’ being typed. Even though I was standing 2 meters away, it was impossible not to see and hear what happened.
Clearly, had the wrong person been in the queue, they would already have had the PIN and would only have needed to take the card, by force if necessary. It also reminded me how often people use Chip and PIN in an unguarded way, and how easy it is to see PINs simply by standing in the queue. Simple advice here is to shield the keypad whenever you enter your PIN, whether at a card terminal or an ATM, and to change it if you suspect it has been observed. Simple advice for banks would be to reject commonly used and easily guessed PINs, such as 1234 or four repeated digits, at the point where the customer chooses one.
Using weak passwords introduces many risks, and with the continually growing use of social media and the amount of personal information available online, guessing weak passwords is far easier than it used to be. An online dictionary attack, one guess per login attempt, is slow and can be rate-limited, but if your Facebook page shows that you are a Star Wars fan and is full of links to Star Wars related pages and sites, then it is safe to assume that someone wanting to hack your accounts would start with Jedi1 or Jedi1!, or thousands of variations on that theme, which is far more efficient than a brute-force attack with an entire dictionary. The same applies to any information in the public domain. It gets worse with security questions, because if they are answered truthfully you are using immutable, and often public, facts as secrets. Your place of birth is unlikely to change, for example, and it appears on a large number of Facebook profiles. The practical fix is to treat the answers as passwords: make them unguessable and store them in a password manager rather than answering truthfully.
Passwords need to be strong and extremely difficult to guess, and unrelated to anything about you that anyone else would know or could find out with a search engine. There are no set rules for this, and there are probably as many approaches as there are cyber security consultants. A mixture of upper case, lower case, numbers and symbols is a good place to start, with a length of at least 8 characters, and preferably well beyond that: every extra character multiplies the search space, which a few symbol substitutions never do. I am being intentionally vague here and not recommending one specific scheme, for the simple reason that as soon as a scheme becomes popular, a cracking tool can be built or modified to follow it, so it is better for you to think about how you will make strong passwords and take responsibility for your own safety and security.
Someone, a long time ago, thought it was a good idea to replace letters with look-alike digits and symbols, such as ‘I’ with ‘1’, ‘A’ with ‘@’ and ‘E’ with ‘3’. It quickly became popular, but in practice it costs an attacker only a small rule in their password-cracking software: the rule engines in modern cracking tools apply these substitutions to every dictionary word automatically. If someone is known to be a Star Wars fan, then ‘J3d1Kn1gh+’ can be tried along with every variation of any other relevant word using the same convention, and every dictionary word can be expanded with these variations at negligible cost. Consequently, replacing letters with numbers has added almost nothing to password strength for a long time. To recap, decide for yourself how your passwords will be complex and obscure enough to be secure.
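The two paragraphs above (profile-driven guessing, and letter-for-number substitutions as a cheap cracking rule) are easier to appreciate with numbers attached. The following is an added example, not code from the original post or from any cracking tool: it builds a small candidate list from seed words taken from a hypothetical public profile, applies the usual case, suffix and substitution rules, and compares the size of that list with the keyspace a blind brute-force search would have to cover. The seed words, the rule tables and the sample passwords are all constructed for this demo.

```python
"""Targeted guessing beats blind brute force.

Added example, not from the original post: it builds the kind of small,
profile-driven candidate list the text describes (seed words taken from a
target's public interests, mangled with capitalisation, common suffixes and
letter-for-number substitutions) and compares its size with the keyspace a
blind brute-force search would have to cover. Seed words, rules and the
sample passwords below are constructed for this demo.
"""
import itertools

# Letter-for-character substitutions that cracking tools apply as a matter
# of course. Constructed for this example; real rule sets are far larger.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "+"}
# Suffixes people bolt on to satisfy "add a number or a symbol" rules.
SUFFIXES = ["", "1", "!", "1!", "123", "2024"]
PRINTABLE_ASCII = 95


def case_variants(word):
    """The word as given, plus all-lower, Capitalised and ALL-UPPER forms."""
    return {word, word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every way of substituting 0..n of the substitutable letters."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[word[i].lower()]
            out.add("".join(chars))
    return out


def candidates(seed_words):
    """seed x case x leet x suffix: the whole targeted candidate set."""
    out = set()
    for seed in seed_words:
        for cased in case_variants(seed):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    out.add(leeted + suffix)
    return out


def brute_force_keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Strings of exactly `length` characters a blind search must cover."""
    return alphabet_size ** length


def targeted_guess(password, seed_words):
    """Position at which `password` is guessed from the seeds, or None."""
    for n, guess in enumerate(sorted(candidates(seed_words)), 1):
        if guess == password:
            return n
    return None


if __name__ == "__main__":
    profile = ["Jedi", "JediKnight", "Skywalker"]   # gleaned from a public profile
    guesses = candidates(profile)
    for pw in ["J3d1Kn1gh+", "Skywalker1!", "xK9#qL2v"]:
        hit = targeted_guess(pw, profile)
        print(f"{pw!r}: {'guess #%d' % hit if hit else 'not in targeted list'}")
    print(f"targeted list: {len(guesses)} candidates")
    print(f"blind search for 10 printable characters: {brute_force_keyspace(10):.2e}")
```

Three seed words expand to a few hundred candidates, and ‘J3d1Kn1gh+’ is among them; a blind search over ten printable characters is on the order of 10^19 strings. A real cracking tool does the same expansion with far larger dictionaries and rule sets, which is why a "clever" substitution on a guessable word buys nothing.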
Avoid using the same password for multiple purposes. Large, established systems with a strong security culture store only a salted, deliberately slow hash of each password, so that not even the company’s own staff can recover a customer’s password from the database. The lengths an organisation goes to are relative to the value of what it is protecting, so other systems will store passwords in plain text and send them out by email in plain text as password reminders. A useful check: any site that can email you your existing password is storing it in a recoverable form, and a breach of that site exposes the password everywhere you have reused it.
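The two ends of that spectrum, written out as an added example rather than any real site’s code: one store keeps the password itself and can therefore send it back as a "reminder"; the other keeps only a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest from Python’s standard library, so it can still check a login but cannot reveal the password to anyone, staff included. The class names, iteration count and sample users are assumptions chosen for this demo.

```python
"""Plain-text versus salted, slow-hashed password storage.

Added example, not from the original post. The two stores below mark the
ends of the spectrum the text describes: one keeps the password itself
(and can therefore email it back as a "reminder"), the other keeps only a
per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 digest, so
the site can still verify a login but nobody, staff included, can read the
password back. Class names, the iteration count and the sample users are
chosen for this demo.
"""
import hashlib
import hmac
import secrets

SALT_BYTES = 16
# Assumption: tuned so one verification costs on the order of 100 ms on
# the login server; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


class PlaintextStore:
    """The weak end: anyone who can read the table can read every password."""

    def __init__(self):
        self.table = {}              # user -> password

    def register(self, user, password):
        self.table[user] = password

    def verify(self, user, password):
        return self.table.get(user) == password

    def reminder_email(self, user):
        # Only possible because the password is stored in recoverable form.
        return f"Your password is: {self.table[user]}"


class HashedStore:
    """The strong end: per-user salt plus a slow, one-way digest."""

    def __init__(self, iterations=DEFAULT_ITERATIONS):
        self.iterations = iterations
        self.table = {}              # user -> (salt, digest)

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, self.iterations)

    def register(self, user, password):
        salt = secrets.token_bytes(SALT_BYTES)   # fresh per user, per password
        self.table[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        record = self.table.get(user)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._digest(password, bytes(SALT_BYTES))
            return False
        salt, digest = record
        # Constant-time comparison: a plain == leaks how many leading bytes matched.
        return hmac.compare_digest(digest, self._digest(password, salt))

    def reminder_email(self, user):
        raise LookupError("the stored record cannot be turned back into a password")


def records_differ(store, user_a, user_b):
    """True if two users' stored digests differ. With per-user salts this
    holds even for identical passwords, so a leaked table does not reveal
    who shares one."""
    return store.table[user_a][1] != store.table[user_b][1]


if __name__ == "__main__":
    weak, strong = PlaintextStore(), HashedStore()
    for store in (weak, strong):
        store.register("alice", "Jedi1!")
        store.register("bob", "Jedi1!")
        print(type(store).__name__, "login ok:", store.verify("alice", "Jedi1!"),
              "wrong pw:", store.verify("alice", "jedi1!"))
    print("plaintext reminder:", weak.reminder_email("alice"))
    print("hashed store, same password, records differ:",
          records_differ(strong, "alice", "bob"))
```

Two things are worth noticing when you run it: alice and bob chose the same password, yet their stored records differ because of the salt, and the hashed store has no way to produce a reminder at all. A memory-hard function such as scrypt or Argon2 is the better choice for new systems, but the structure (random salt, slow one-way digest, constant-time comparison) is the same.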
In recent years, more and more websites have been built or updated to require registration before a purchase can be made, and far fewer sites allow a one-off guest purchase. Consequently, people need far more user accounts now than they did a few years ago. Using the same password for high-security and low-security systems means a breach of the weakest site compromises the strongest: leaked credential lists are routinely replayed against other services (credential stuffing). It is also not outside the realms of possibility for a website to sell widgets at a very cheap price for the primary purpose of harvesting email addresses, passwords and other personal information, which can then be used against higher-value targets such as bank accounts, social media accounts and email accounts. Access to a primary email account makes it easy to reset the passwords of other accounts or to find out which accounts exist to be compromised, so that account, above all, deserves a strong password that is used nowhere else.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.