Passwords and Security

Whether we like it or not there are people out there trying to gain access to your data. Hackers these days are not only spies after top-flight industrial secrets, but are far more likely to be a spotty-faced teenager in a bedsit in Hackney trying to hack your Facebook account or buy a plasma television on your credit card.

But the main protection we have on the computer systems and web sites we use every day is the password, and yet this is frequently considered to be unimportant. Users set the simplest of words on their bank accounts, and then use exactly the same username and password combination on social network sites or on web shops run by a man and his dog from a shed in Germany.

So when you are next setting a password or logging in to a web service, think on these facts and see if you have made any of the more common mistakes...

Whether you are using a social networking service, an office computer or your banking system, the password you configure is frequently the first and only line of defence between your data and people who want to steal it, mess it up, or use it fraudulently, and yet a few recent independent surveys reveal alarming security practices around the use of passwords. Breaches in security can occur in many ways that do not involve the compromise of an insecure password, but it is the most common place to start.

The results of a recent survey show that:

  1. About 30% of users chose passwords of six characters or fewer, making them easy to guess or to crack by brute force.
  2. Almost 60% of users chose their passwords from a limited set of alpha-numeric characters such as all lower case letters or all numbers, the excuse often being that it is easier to type.
  3. Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
  4. The most common password in use is “123456” (yes, that really is the six digits 1-6 in order!). The word 'password' is also extremely common, as is the user's own birthday, or even the simple word 'birthday'.

So what is the best way to combat password thieves and hackers? Quite simply, the best way is to make your password harder to guess:

  1. Use strong passwords of at least 8 characters: mixed case, numbers, special characters and so on, and not a complete word, especially not a name or something related to you.
  2. Passphrases are good when allowed, in conjunction with mixed case, numbers and/or special characters, for example "Bl0nd3 Elephan7".
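As an added illustration (not code from the original article), here is a small Python checker that applies the rules above together with the trivial patterns the survey lists (consecutive digits, adjacent keyboard keys, common words). The blocklist and keyboard rows are constructed for the example and stand in for a proper breached-password list.

```python
import re
import string

# Constructed blocklist standing in for the survey's most common passwords
# (the article names "123456", "password" and "birthday"); a real deployment
# would check against a full breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "birthday", "qwerty", "letmein"}

# Keyboard rows used to spot "adjacent keyboard keys" and consecutive digits,
# checked both forwards and backwards (e.g. "asdfgh", "1234", "4321").
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequence(pw: str, min_run: int = 4) -> bool:
    """True if pw contains a run of min_run adjacent keys from any keyboard row."""
    low = pw.lower()
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    for row in rows:
        for i in range(len(row) - min_run + 1):
            if row[i:i + min_run] in low:
                return True
    return False


def check_password(pw: str) -> list:
    """Return the list of rules from the article that pw fails (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common or trivial password")
    # Character classes: lower case, upper case, digits, special (punctuation or space).
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation or c.isspace() for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("needs mixed case, numbers and/or special characters")
    if re.fullmatch(r"[A-Za-z]+", pw):
        problems.append("looks like a single complete word")
    if has_sequence(pw):
        problems.append("contains consecutive digits or adjacent keyboard keys")
    return problems
```

Running it on the article's examples, "123456" and "password" fail several rules while the passphrase "Bl0nd3 Elephan7" passes all of them.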

Another serious problem is the practice of sharing credentials between sensitive and non-sensitive (or untrusted) web sites.

  1. 73% of users share the online banking password with at least one non-financial website.
  2. 47% of users share both their on-line banking user ID and password with at least one non-financial website.

Keeping a different password for each system you use makes them more secure, but is unworkable as no-one can remember that many passwords. A good basic compromise is to keep three sets of unrelated credentials: one for financial systems, one for social networking sites, and one for work or office systems.

Change your passwords regularly, but don't make them so complex that you have to write them down on a post-it stuck to your laptop. If you do have to write them down to remember them, put them in a phone book concealed amongst other data so they are not obvious or guessable.

Password reset questions and answers are also a bit of a problem. When they first started, the idea that only you were likely to know your mother's maiden name sounded sensible. But that question has been used so many times now that every social network site or special interest group you join potentially has that information. So if you have the choice, choose a reset question that is a bit away from the norm.

One last note on this: in 2009 the cost of data breaches to business in the UK was on average £1.68 million per breach. This is a huge number, and underlines the importance of security in the workplace.