Perfect your password

Too many people are disregarding the security risks of using simple passwords online. But, in trying to avoid the hassle of creating strong passwords, you endanger your personal information.

“A good password needs to be memorable but also hard to guess,” says Joseph Bonneau, a cryptographic scientist and a PhD candidate in the Security Group at the University of Cambridge Computer Laboratory. One of his areas of expertise is human authentication systems, including passwords, PINs and the other means by which humans prove their identity to a computer.

A proven effective technique to create strong passwords is to use mnemonic sentences, says Bonneau.

“You pick a phrase you can remember, like: ‘I always go to Moe’s for drinks on Fridays,’ which can turn into the password: ‘Iag2MfdoF’. That’s quite hard to guess.”

Weak passwords are often closely related to your username or the website you’re visiting. For example, using the password ‘Facebook’ for your Facebook account is not advisable. Nor is the password ‘JohnDoe’ if your email address contains that name.

One of the most popular passwords globally remains, simply, ‘password.’ Also used regularly are ‘123456’ and ‘qwerty’, the first five letters on the home row of an English-language keyboard.

“Amateur hackers will try typing these into random accounts expecting that maybe 1 per cent of the population uses them,” says Bonneau.

To craft a solid password, Dr. Ann Cavoukian recommends using the same word in two different languages interspersed with numbers.

“Because I’m Armenian, I always use a combination of the same word in English and Armenian,” says Dr. Cavoukian, the Privacy Commissioner for the Province of Ontario, Canada. “If you do that, and then separate the words by a number and throw in an exclamation mark, then you have strengthened your password enormously. Because you’re not using words from a dictionary, you’re less vulnerable to what’s called a dictionary attack.”

A dictionary attack successively tries every word in an exhaustive list, usually derived from a dictionary. Such attacks are often successful because so many users choose short passwords, without interspersed numbers, that can be found in a dictionary.
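The checks the article describes, a password matching the site or username, one of the most common passwords, or a bare dictionary word, are what a simple strength meter enforces. The block below is an added illustration, not code from the article or from Bonneau or Cavoukian; it also derives a password from a mnemonic sentence the way Bonneau describes. The wordlists are small constructed samples, and the 8-character minimum is an assumption of this example.

```python
import re
import string

# Constructed sample lists; a real checker loads much larger wordlists.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}
DICTIONARY_WORDS = {"facebook", "drinks", "friday", "monkey", "dragon", "sunshine"}


def mnemonic_password(phrase: str, substitutions=None) -> str:
    """First letter of each word, keeping its case, with 'to' written as '2'.
    'I always go to Moe's for drinks on Fridays' -> 'Iag2MfdoF' (the article's example)."""
    subs = {"to": "2"} if substitutions is None else substitutions
    out = []
    for raw in phrase.split():
        word = raw.strip(string.punctuation)
        if not word:
            continue
        out.append(subs.get(word.lower(), word[0]))
    return "".join(out)


def check_password(password: str, username: str = "", site: str = "") -> list:
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    lower = password.lower()
    if len(password) < 8:  # minimum length is an assumption of this example
        problems.append("shorter than 8 characters")
    if lower in COMMON_PASSWORDS:
        problems.append("one of the most common passwords")
    # Strip digits and symbols so 'Drinks2011!' still counts as the word 'drinks'
    letters_only = re.sub(r"[^a-z]", "", lower)
    if letters_only in DICTIONARY_WORDS:
        problems.append("a dictionary word")
    for label, value in (("username", username), ("site name", site)):
        v = value.lower()
        if v and (v in lower or lower in v):
            problems.append(f"contains or matches the {label}")
    classes = [r"\d", r"[A-Z]", r"[a-z]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("mixes fewer than three character classes")
    return problems


if __name__ == "__main__":
    strong = mnemonic_password("I always go to Moe's for drinks on Fridays")
    for candidate in ("Facebook", "JohnDoe", "password", "Drinks2011!", strong):
        print(candidate, check_password(candidate, username="johndoe", site="facebook") or "ok")
```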

But the strength of a password will also depend on what it is for.

“The creation and use of a password should include the system and environmental variables around it,” says Dr. Cavoukian. For example, the PIN you type into an ATM may only be four digits, but it is also protected by the security infrastructure surrounding that ATM, such as security cameras. Additionally, you may only get three attempts before being locked out of the system.

“But, in most other situations, such as on your home computer or at your work place, you don’t have that security infrastructure,” she says. So users must take charge of their own security.

Bonneau recommends sorting your passwords into high-value and low-value groups. For example, for a blog or other inconsequential website, you might want to use something simpler. But for sites that hold your personal or banking information, always use your strongest passwords.

But it is not only guessable passwords that can put you at risk.

Bonneau points out that a database of 32 million passwords was stolen by hackers from RockYou, a popular social gaming site, in December.

“Poor website security continues to cause passwords to be exposed,” he says. “Also, many people use the same passwords for multiple sites.” That practice is a no-no because, if your password is discovered, it could potentially be used to unlock information stored at additional locations.

“Registering passwords in as few places as possible is a good step,” says Bonneau. “And avoid registering a password unless you expect to visit a site frequently.”

The ‘password reset’ option offered by many sites can also be a weak security point. Many websites will send you a pre-selected reminder question if you forget your password. If you selected a simple question with a well-known answer, such as ‘What street do you live on?’, many people could potentially access your information.

Password security also includes keeping your password itself safe and confidential.

Phishing scams – or tricking someone into typing their password into a fraudulent website – remain the most common way for hackers to get hold of a user’s password. People should always take care that they are only entering a password into authentic sites. Microsoft offers a few tips on how to recognize phishing emails or links.

While individuals need to ensure that their passwords are strong and secure, businesses and organizations also have responsibilities to protect the passwords of their staff.

“It is incumbent on management to drive these messages of password security to their staff on a regular basis,” says Dr. Cavoukian. “Also, a company’s system administrator must protect the password database with the highest level of security.”

But asking companies to encourage the use of stronger passwords can also lead to security issues, explains Bonneau.

“Research has shown that almost anything companies do to try and encourage stronger passwords, like, say, having a minimum length requirement or requiring periodic changes, leads people to write down their passwords because they can’t remember them,” he says. “That just makes the security situation worse.”

Sometimes new security measures that prompt users to develop stronger passwords can be annoying, Dr. Cavoukian admits. Increasing in popularity, password strength meters, which may reject a user’s proposed password if it is deemed too weak, are often criticized as frustrating.

But, says Dr. Cavoukian, users will ultimately be thankful for the increasing efforts to keep passwords secure.

“It may drive some people crazy,” she says, “but, ultimately, it’s a very good thing.”

By Rachel Sa
