It’s a sad fact that many of the world’s passwords are “password”, “secret”, “123456” and, in the western world, “QWERTY”.
Luckily for us, many of the most critical sites we use won’t allow simple passwords, but we should not rest easy if we have not given some careful thought to the password used…
Even with mixed-case (capital and small) letters and numbers, so many people use names or simple numeric combinations to protect their data. Whether it’s the name of a loved one, a pet or your town, all real words are subject to something called a dictionary attack, where a hacker will try every word from “Aardvark” to “Zulu” and every name from “Abigail” to “Zane” to try and guess your password. Oh – they’ll try those with numbers on the end as well, so you might want to rethink putting “123” after them.
Complex passwords don’t have to be hard to remember. If you want a password that is difficult to guess and attack, try these ideas:
1 – Substitute: Try swapping letters for numbers and numbers for letters. The original way of doing this was to substitute numbers for vowels: 4 for A, 3 for E, 1 for I, zero for O – but I’d recommend mixing it up further, perhaps using 1 for the letter L or 5 for S.
2 – Mnemonics: Use an apparently random sentence of words to aid your memory of the real words – or in this case, letters.
For example, if you were born in 1976, you could use “I was born in 1976” to generate “iwbi1976”. This is a start, but not as tough (strong) as we’d like our password to be. Make it “Iwbi1976!” and it gets a whole lot better – the capital I at the beginning and the exclamation mark help as well. Using other stuff that’s easy for YOU to remember but NOT for anyone else is a great way to create very strong passwords. Combining Mnemonics and Substitution together is also a good way to harden the password further.
3 – Password safe/manager: While it is good security practice to change passwords regularly, the human brain has finite storage for all of them – so if you need to, use a secure password “safe”, such as KeePass, to store them all, protected by only one, albeit complex, code. See http://keepass.info for more information.
Many password managers also have functionality to let you use a security device, such as a special USB key, to generate a one-time code that unlocks the database. Even if that code is observed, it cannot be used again.
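To make the dictionary attack described above concrete, and to show why tips 1 and 2 matter, here is a small password checker written for this post (not code from the original article or from KeePass). It undoes the common letter-for-number swaps and strips a trailing “123” or “!” before looking the result up in a constructed toy wordlist, so disguised dictionary words are caught while a mnemonic such as “Iwbi1976!” passes.

```python
import re
from typing import Optional

# Constructed toy wordlist standing in for a real cracking dictionary, which runs
# from "Aardvark" to "Zulu" and "Abigail" to "Zane" and holds millions of entries.
WORDLIST = {"aardvark", "zulu", "abigail", "zane", "password", "secret",
            "qwerty", "hello", "rover", "london"}

# The number-for-letter swaps from tip 1, reversed. "1" is ambiguous (I or L),
# so two reverse maps are tried.
UNLEET_I = str.maketrans("43105@$", "aeiosas")
UNLEET_L = str.maketrans("43105@$", "aelosas")

# Digits or punctuation tacked on the end ("...123", "...!") are stripped.
TRAILING = re.compile(r"[0-9!@#$%^&*?._-]+$")


def plain_forms(password: str) -> set:
    """Every plain word a dictionary attack with simple mangling rules would
    reduce this password to."""
    base = password.lower()
    stems = {base, TRAILING.sub("", base)}
    forms = set()
    for stem in stems:
        forms.update({stem, stem.translate(UNLEET_I), stem.translate(UNLEET_L)})
    forms.discard("")
    return forms


def dictionary_hit(password: str) -> Optional[str]:
    """Return the dictionary word the password is a mangled form of, or None."""
    for form in plain_forms(password):
        if form in WORDLIST:
            return form
    return None


def assess(password: str) -> dict:
    """Judge a password the way the post suggests: not a dictionary word in
    disguise, at least 8 characters, and at least three character classes."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    hit = dictionary_hit(password)
    return {"dictionary_word": hit, "length": len(password), "classes": classes,
            "acceptable": hit is None and len(password) >= 8 and classes >= 3}


if __name__ == "__main__":
    for pw in ("Abigail123", "P4ssw0rd", "Qw3rty!", "iwbi1976", "Iwbi1976!"):
        print(pw, assess(pw))
```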
Some other helpful hints:
Don’t link accounts together. Simple examples of linking include LinkedIn and Twitter, but many services now allow you to use these accounts to authenticate with their services. If one gets hacked, they all get hacked. Linking makes it all seem easy, but that has obvious drawbacks when you pause and think.
Consider using a slightly “false” date of birth on social media sites. It’s obvious you’ll run into trouble if you do this with your bank but you’ll be giving less away using a DOB that’s not quite on the mark on a public website. That way, when the social site announces to everyone “Happy Birthday” people won’t be able to use your age in your profile to calculate your date of birth.
Think about password recovery. Make sure you complete those secret question and answer services and use backup email accounts for emergency resets. Providing your mobile number is a great way to prevent unauthorised password resetting. Use different secret Q&As on different sites.
Try and use an alternative email address for specific services. If your email address is something like email@example.com, why not use firstname.lastname@example.org for Twitter and email@example.com for your bank. Try and avoid using free, public email accounts for important, financial and secure services.
With your email address becoming a single, ubiquitous username on many sites, mixing it up will really help protect you.
While following these steps won’t make you “unhackable”, they will seriously reduce the likelihood of it happening and at worst, the damage caused will be less of a problem.
I’ll finish with one chilling example, for which I make no apologies. Let’s suppose you have a Gmail account and an iTunes account. Your mobile phone is your life – but you back it up, so that’s not a problem. A hacker hacks your Gmail account, either because of an easy-to-guess password, a compromise of another site where you use the same password, or perhaps a keyboard logger. From your email, the hacker can see you have an iTunes/Apple account. He/she then goes to that service and requests a password reset. Your (now hacked) email account receives the reset link from Apple. The hacker then logs into your account and downloads your iCloud contents. That might come in handy to hack your friends. They then delete your iCloud storage. Then they delete most other stuff. Then finally, they perform a remote wipe on your phone. You’ve lost everything. All your family photos. All your contacts. You’re at work. Your phone has been wiped. Your phone requires a password you don’t know.