Wednesday, May 1, 2013

Just How Predictable are you and is Your Online Identity Safe?

Through two decades of effort we have all been successfully trained to use passwords that are hard for humans to remember, but easy for computers to guess.


A number of online companies, Twitter among them this February, having part of their user base hacked should show us that, for the majority of us, our passwords are vulnerable: we are just too predictable.

There are some who believe password security is largely irrelevant for the majority of users, as the types of security vulnerability that are most frequent don’t really expose users to much threat because, in reality, criminals are not going to want to give your LinkedIn identity a new job as Neuro-Surgeon at the Royal London, or even be bothered to slander your current boss in a status update. In part I’m sympathetic to this perspective, although I worry that the cumulative effect of password-jacking is to weaken the whole system and end up making us all use unbearably hard to remember access keys – my bank currently requires 3 keys to get access to my account, which I tolerate because it’s my money and the more protection the better, but I’m not sure I’d tolerate it from a social networking site.

So here are a few pieces of general advice and information about passwords and how we can all try to be just a bit more unpredictable.

·        Keep passwords to yourself. 

·        Avoid obvious passwords such as your name, the year you were born etc – these are easy to ‘crack’.  You may also think you are being good by having a simple unrelated password, but if your password is in the list below you should really consider changing it: these are the first guesses any cracking tool tries.

The Worst Passwords of 2012, including their current ranking and any changes from the 2011 list:

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

Source: Splashdata

·        Go for longer passwords – WordsFourOrderRandom is significantly stronger than mYp4$$. Swapping letters for look-alike symbols, as in W0rd$F0urOrd3rR4nd0m, adds a little more but is far more forgettable, and cracking tools routinely try exactly those substitutions, so it is the length, not the symbols, that does most of the work.
·        Many of us use the same email/password combination for most if not all of our online accounts, and this practice leaves you vulnerable: one site’s breach then unlocks every other account.  It’s worth thinking about your personal level of security and considering a per-account password methodology. 


One approach is to set a template for passwords using a regular word that is memorable to you, some punctuation and a magic number, then adding something about the account you are logging into to make it unique for that site. For example, at Twitter your password might be regular#three&words!25birdy, then at Facebook regular#three&words!25facial and at LinkedIn regular#three&words!25pros – this way you have a long password that is unique to every account but is more than 80% the same. You only have to remember the last bit on a site by site basis. There are weaknesses to this method: not all sites allow you to use punctuation marks, and some sites have a maximum character length for the password. More importantly, anyone who sees even one of your passwords in plain text (a site that stored it unhashed, or a phishing page) can see the pattern, and because the site-specific part is derived from the site’s name it is easy to guess for your other accounts. A password manager that generates a random password per site avoids that problem entirely. For the moment, though, the template still defeats the most common attack on reused passwords: trying a leaked email/password pair unchanged against other sites.
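As an added illustration (example code, not from the original post), the small checker below applies the advice above: it screens a candidate against the SplashData list reproduced on this page, after undoing the common letter-for-symbol substitutions that cracking rules try automatically and stripping a trailing digit run, and it gives a crude guess-cost estimate in bits. A capitalised-word passphrase such as WordsFourOrderRandom is scored as words drawn from a 7776-word list, each substituted character adds roughly one bit, and anything else is scored as brute force over printable ASCII. The substitution table, the word-list size and the scoring rules are assumptions made for the example, not measurements.

```python
import math
import re

# The 25 entries of the SplashData 2012 list reproduced above.
WORST_2012 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567", "sunshine",
    "master", "123123", "welcome", "shadow", "ashley", "football", "jesus",
    "michael", "ninja", "mustang", "password1",
}

# Letter-for-symbol swaps that cracking rulesets undo (assumed subset for the example).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})

WORDLIST_SIZE = 7776   # assumption: the attacker's dictionary is diceware-sized
PRINTABLE = 95         # printable ASCII, for the brute-force bound


def normalize(password):
    """Lower-case the password and undo the substitutions in LEET."""
    return password.lower().translate(LEET)


def on_blacklist(password):
    """True if the password is on the list, also after undoing substitutions
    and stripping a trailing digit run ("P@ssw0rd1" -> "password")."""
    low = password.lower()
    stripped = re.sub(r"\d+$", "", low)
    candidates = {low, normalize(low), stripped, normalize(stripped)}
    return any(c in WORST_2012 for c in candidates if c)


def estimate_bits(password):
    """Crude search-space estimate in bits, from the attacker's side.
    - on the list: the list is tried first, so log2(list size)
    - CamelCase words: log2(WORDLIST_SIZE) per word, plus about one bit per
      substituted character, because rules try the swaps rather than brute force
    - anything else: brute force over printable ASCII
    """
    if on_blacklist(password):
        return math.log2(len(WORST_2012))
    base = normalize(password)
    subs = sum(1 for a, b in zip(password.lower(), base) if a != b)
    words = re.findall(r"[A-Z][a-z]+", password.translate(LEET))
    if words and "".join(words).lower() == base and all(len(w) >= 3 for w in words):
        return len(words) * math.log2(WORDLIST_SIZE) + subs
    return len(password) * math.log2(PRINTABLE)


def check(password):
    """Return (listed, estimated_bits) for reporting."""
    return on_blacklist(password), round(estimate_bits(password), 1)


if __name__ == "__main__":
    # Constructed sample inputs: the page's own examples plus one disguised list entry.
    for pw in ["password", "P@ssw0rd1", "mYp4$$", "WordsFourOrderRandom",
               "W0rd$F0urOrd3rR4nd0m"]:
        listed, bits = check(pw)
        print(f"{pw:24} listed={listed!s:5} ~{bits} bits")
```

Under these (deliberately generous) rules the four plain words come out near 52 bits, the symbol-substituted version only about 6 bits higher, and the six-character mYp4$$ under 40 bits even when the attacker has to brute-force it; a real estimator such as zxcvbn uses much larger dictionaries and more rules, so treat the numbers as a comparison, not a guarantee.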

If you would like to test the strength of your passwords there is a good quality strength-test, Dropbox’s open-source zxcvbn estimator, located here http://dl.dropbox.com/u/209/zxcvbn/test/index.html – it runs in your browser, so the password you type is not sent anywhere, but as a rule only ever test throwaway candidates, never a password you already use.

Post by Laura Anderson, The Women's Organisation
