About your password sir

Much of what we do online is taken for granted these days. Many institutions are placing us under pressure to handle more and more transactions online, many if not most of them that require us to do something, need a password. Many of them are also linked to financial information held on your behalf, such as credit or debit card details.

Ooops, we have been hacked

So what happens when you get an email like the one I received below. With great irony, I got a version of this email at 4am in the morning just prior to catching a plane to Italy for a long weekend. Timing is everything!

Adobe password compromised message

I work with many charities across the UK building websites for them. Inevitably during the conversations I learn that key passwords are extremely simple to crack, or worse still they use the same password everywhere. The message above does not potentially affect one account, it affects all accounts where that password may have been used across the internet.

Phishing

The message from Adobe (who also have my credit card details!) says that someone  somewhere “may have” my Adobe ID and a password. Saying “may have” is interesting because they may not have, or on the other hand if Adobe does not actually know for certain, then they may have a lot of other things as well; email address, postal address, credit card details etc.

Of course an email address and a password is all you need to get into some sites. If I used the same password everywhere, I would need to spend hours on the internet changing my passwords on all of the other accounts I may have. Remember this occurred at a time when I was about to leave the country. If you are like me, you may struggle to remember all of the places you have left your password and email address. So that could be a problem.

Some tips

  • Don’t use the same password everywhere
  • Use upper and lower case letters, numbers and symbols when creating a password
  • Make it at least 8 preferably 12 characters long, or longer
  • Record where you have used the password

My head is full I cannot remember everything!

Use different passwords for accounts associated with financial or sensitive information, particularly where your credit/ debit card details are held.

Store them in a (strong) password protected file such as MS Word, or Excel, better still use a password safe in your mobile device. I use one on my iPhone called Firebox. It will self destruct the password library if more than three attempts are made at trying to access the encrypted data. Of course I have a backup of my iPhone just in case. There are lots of examples of these apps for Windows, Android and Apple hand held devices.

Building a password

Use fragments of known information, such as part of a postal code, substitute symbols or numbers for letters, break words into syllables and alternate with upper and lower case and add numbers in. The more cryptic the password is the better it is, particularly if it bears no relationship to the rules of spelling for example.  Most attempts at cracking passwords use the sledgehammer approach by guessing the sequence. This can generally be detected. The longer the password sequence is the harder it will be to guess it, and the longer it will take.

There are numerous studies which have found that people, particularly those that are relatively new to computers, use simple passwords. Like;  qwerty, zxcvb (inline sequences on your keyboard), password, PASSWORD, 111, 123. These are often guessed by hackers, there is a well known set of the most common passwords that people use, which hackers will also try to use.

A very simple example of how to build a more complex password for Prestwood is to start with the word Prestwood.  It could be written pRE$Tw00d. Now rather than limiting myself to 26 upper case characters and 26 lower case characters I have also used numbers and symbols. I can still read the word, and I can still remember it. I could improve it further with part of a postal code as well to make it stronger.

Password Strength

I am not sure that there is any definitive algorithm that defines password strength other than how many combinations there are for any sequence of character types.  Just looking at a 3 character password to demonstrate this:

  • If you were to use just numbers there are 1000 combinations.
  • If you were to use just upper case letters there are 17,576
  • If you were to use upper and lower case letters there are 140,608
  • If you were to use upper, lower case letters and numbers there are 238,328
  • If you were to use upper, lower case letters, numbers and symbols there are 614,125

(source: elpassword)

So do take care with all of those passwords, and if you are only using one password for everything, maybe now is a good time to change that. You would not use the same key for your car, shed, garage and front and back door would you?  Equally you would not want to pick up a message like the one I had prior to travelling and then spending the first two days on holiday changing all of your passwords everywhere.

– Mark

 

Facebooktwittergoogle_plusredditpinterestlinkedintumblrmailFacebooktwittergoogle_plusredditpinterestlinkedintumblrmail

FacebooktwitterFacebooktwitter

One thought on “About your password sir”

  1. A very helpful reminder, thank you Mark. One way to generate a seemingly random sequence of letters is to use the initial letters of a memorable phrase or sentence; the characters can then be interspersed with a memorable telephone number to lengthen the password; the finishing touch can be the imaginative use of symbols in place of some characters, as you have suggested.

Leave a Reply to Henry Cancel reply

Your email address will not be published. Required fields are marked *