From the Actrix Online Informer August 2007
by Rob Zorn
This is an updated version of an article we ran back in October 2005. Always masters of innovation, spammers have begun a new tactic of guessing people's main account passwords, and then setting up sub mailboxes under the accounts to use as e-mail addresses from which to send spam.
One of the reasons they like to do this is because most ISPs' e-mail servers don't allow relaying (sending e-mail from addresses they don't know about or can't verify). If a spammer in, say, Asia or the United States, had cracked an Actrix account, they would theoretically be able to connect to the Actrix mail servers and start sending spam through them because we'd see them as a legitimate customer. We might soon question the volume of mail they were sending, but the point is they'd be able to do it for a while, and they'd be near impossible to trace.
And if they've cracked your account in order to set up a mailbox, they can also read your mail and get up to all sorts of other worrying mischief.
It doesn't take long for them to do this, because spammers have bot programs especially designed to 'brute force' username/password guessing. This heavy duty software cycles through a bunch of common passwords, hoping to hit a match that works. Because a surprising number of people have poor passwords, success is virtually guaranteed for them in no time.
It is also reasonably common for customers to contact us because someone else has their password and is using their account. They've either guessed it or found it written down somewhere.
When it comes to robust and secure passwords, there are two important issues that should be remembered. Firstly, passwords need to be well chosen so that they are not easily guessed or cracked by 'brute force' bot programs. Secondly, they need to be protected. This article will look at both of these issues. We'll finish up with a summary of general dos and don'ts.
But first, there are a number of generalisations about Kiwis and their passwords that could be made from experience in dealing with customers and passwords over the years. Kiwis have a number of bad password habits that might make it easy to guess or 'brute force' their passwords.
1) The most common form of password is either a pet's or child's name with the number 1 after it. I think this is because many people don't think about a password until they're setting up an account or log-in. Typically they are informed that a password should have letters and numbers, and the first thing that comes into their head that they think they will remember is their child's (the firstborn, or the most recent-born is the most common) or their pet's name. The 1 gets added because they have to have a number in the password and this is the easiest number to remember.
If I wanted to guess your password, then, I would try a few combinations on your kids' or pets' names first. A 'brute force' bot program will be able to try thousands of combinations around common pet or child names in seconds.
If that didn't work, I might also try a few combinations around anything else I might know to be important to you - your favourite singer, or something to do with your hobbies or sporting interests. If you were a Highlanders supporter, for example, I'd start with combinations around the word "anton" or "oliver." The very worst form of this sort of lack of thought is when a password is arrived at by simply adding the number 1 to the username.
2) It is extremely common for people to substitute numbers for letters that look like them. The letter 'o' gets replaced by a zero. The letters 'i' or 'l' get replaced with a 1. The letter 's' gets replaced by a 5, and the letter 'g' gets replaced by a 9, etc. So, if I was that Otago fan (and they're only my second favourite team, by the way) my password might be ant0n0l1ver. Anybody who knew me reasonably well and who was familiar with password trends and habits would probably have worked this one out in less than ten tries.
3) Many people still use a birthdate or part of their phone number for the required number(s) in their password. These may be easy to remember, but such numbers are also easily guessed.
4) Almost unbelievably, some people still think the most obvious password is the one that will never be guessed. Some people use the word "password" or "pa55word," or phrases like "letmein" and think they're being really clever. Unfortunately, they're not nearly as original as they think they are. Be sure the 'brute force' bots know all of these!
5) Many people go years without changing their passwords. Reasons for this would include them not finding the matter important, or just having too many passwords at all sorts of different places, so the thought of changing each one becomes all a bit too much. Probably too, a lot of people have forgotten their passwords, and sometimes you need to know your password before you can change it.
There are two schools of thought on how often to change your password. Some argue that if you have a really good password, then you don't need to change it all that often. They may be right - but the key point is having a really good and uncrackable password that bears no apparent semblance to any real word.
6) People use the same password at various places. Again, this is done so that not too many passwords need to be remembered, and the same password can be used for logging onto the Internet, onto the banking site(s), the auction site(s) and the online dating site or web forum. Unfortunately, though, if your password is harvested, and the harvester knows anything about you, they suddenly have access to everything you've got.
Okay, so how can you choose a good password?
A good password should be a mixture of letters and numbers, and there should also be a mixture of capital and lower-case letters. But a good password also needs to be memorable, and for most of us, remembering a string of gobbledegook (e.g. kq9Ph3I9) is not easy, especially if we have lots of different passwords to remember.
One suggestion is to think of a core password that would look like gobbledegook to anyone else, but would make sense to you because you know its key. You could then use that core at all of your different log-ins, with a variation added to it that pertains to the particular log in.
Confused? Let me explain.
Think of a short phrase such as a line from a nursery rhyme (e.g. "to market to buy a fat pig") and reduce it to a series of initial letters. The core of our password suite will thus become "tmtbafp". Next change the second "to" to the numeral 2 and the b to an 8 (which looks like a capital B). Our password is now tm28afp (which isn't too hard to remember if we know how it was derived).
The next step is to think of a unique identifier for each of the sites where you log in. The main colour of a site might be an example. So, if I was logging into my National Bank (mainly green in colour) web account, I might add GR to the front of the password. As soon as I accessed the National Bank site, the main colour would remind me that my password for this site starts with GR, and because I've memorised the core password, I can remember that my password is GRtm28afp. If I was logging into an ANZ web site my password would be BLtm28afp. Clear as mud? Of course, colour is just one option. Perhaps there's some other unique identifier for each site: the first or last two letters of the company's name... the first two vowels?
Next time I change my core password to lb15fd (london bridge is falling down), my password at the National Bank site would change to GRlb15fd. My password at the ANZ site would change to BLlb15fd, and so forth. There are probably lots of unique identifiers that could be thought of.
Another simple method for choosing passwords is to use nonsense syllables and separate them with numbers such as the following: breeN91gilB, ritT81bleeG, or fiM43drutT. Nonsense syllables are easier to remember because they are pronounceable, but they won't make sense to anyone else, and are therefore pretty unguessable. However, if you're changing your password regularly, these become harder to remember, in my opinion, because there is no system to them.
Should you use non alpha-numeric characters in a password?
Of course, including non alpha-numeric characters in a password makes it harder to guess, but it also has some drawbacks, and a good combination of letters, numbers and capitalisation should make your password robust enough. Non alpha-numeric characters are harder to remember, and if you're changing your password regularly, memorability becomes an issue. Keep in mind, too, that Actrix will not allow any non-alphanumeric characters apart from _ (underscore), - (dash) and + (plus). Also, a double dash (--) is not allowed.
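As an added illustration of the habits described above (this is not Actrix's own account code, and the word list is a constructed sample), here is a small Python check that rejects passwords built from obvious or personal words, even with the look-alike number substitutions, alongside the character rules stated in this article:

```python
import re
from typing import Iterable, List

# Constructed sample of the 'obvious' words the article says guessing bots
# know about.  A real deployment would load a large leaked-password list.
COMMON_WORDS = {"password", "letmein", "anton", "oliver", "welcome"}

# Undo the look-alike substitutions from the article (o->0, i/l->1, s->5,
# g->9) so that 'pa55word' is judged the same as 'password'.  'l' is folded
# to 'i' as well, because a 1 may stand for either letter.
CANON = str.maketrans({"0": "o", "1": "i", "l": "i", "5": "s", "9": "g"})


def canonical(word: str) -> str:
    """Lower-case, drop digits merely added at either end (the 'fluffy1'
    habit) and undo the look-alike substitutions."""
    return word.lower().strip("0123456789").translate(CANON)


def check_password(password: str, username: str,
                   personal_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is weak; an empty list means it passed.
    personal_words are the pet, child or team names an attacker who knows
    the user could guess; the caller supplies them."""
    problems = []
    # Character policy from the article: letters, digits, _ - + only,
    # and never a double dash.
    if not re.fullmatch(r"[A-Za-z0-9_+-]+", password):
        problems.append("contains a character other than letters, digits, _ - +")
    if "--" in password:
        problems.append("contains a double dash")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both capital and lower-case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one number")
    # Compare the normalised core against obvious words, the username, and
    # personal words alone or joined in pairs (the 'ant0n0l1ver' habit).
    words = {canonical(w) for w in personal_words} | {canonical(username)}
    guessable = {canonical(w) for w in COMMON_WORDS} | words
    guessable |= {a + b for a in words for b in words}
    if canonical(password) in guessable:
        problems.append("is an obvious or personal word with digits added")
    return problems
```

The article's own GRtm28afp passes every rule, while Password1, pa55word, fluffy1 and a username with 1 appended are all rejected.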
How and why should you protect your password?
It is one thing to choose a good password that is not easily guessed, but the best password in the world is of little value if you are careless with it.
The most obvious thing that comes to mind here is phishing scams. We've all had those e-mails turn up that purport to come from our ISP, or from PayPal, or Trade Me, or eBay, or our bank warning us that we're about to be cut off or that something has gone wrong with our account, and could we please go to a special page to log in and stop this terrible thing from happening. Of course, behind the scenes, this web page only looks like the authentic one, and it is really designed to capture your log in details for some hacker's nefarious purposes.
Most people are probably aware of phishing scams by now, and are less likely to fall for them, but hackers and web-tricksters are always finding new ways to part people from their passwords, and a high level of suspicion regarding any request for your password is appropriate. Reputable companies seek to combat phishing by making it their policy never to request your password in an e-mail, so anyone who does it is highly suspect. The general rule of thumb is to never give it out unless you are sure someone isn't trying to hoodwink you. If in doubt, get on the phone to the company in question, or call our friendly help desk for advice (0800-228749).
Writing your passwords down is a bit of a tricky one. If they're written down on a piece of paper (and some security advisors recommend this instead of storing them electronically), then they are not vulnerable to a hacker who may have compromised your computer. They are, however, vulnerable to anyone who might be looking through your drawers or papers. The general rule of thumb here is to never store your passwords electronically (e.g. in an e-mail or Word document). If you can't remember them or must write them down, make sure you lock them in a filing cabinet or somewhere else no one will have access to.
It's generally good practice, too, not to have your user name and password (e.g. dialup or browser-based log-ins) remembered automatically by your browser. If you do this, and your computer is stolen, make sure you contact your online providers immediately to have the password(s) changed.
Some sites allow you to retrieve your password by means of a question and answer if you have forgotten it. Usually there will be a series of standard questions such as what is your mother's maiden name, or your city of birth, and you can lodge an answer to one of these questions when you first set up your log-in. If you forget your password, the site will give you the question, and e-mail your password to you if you can answer it correctly. Sure, they only e-mail it to you, they don't just give it out, but most people's security is breached by people who already have access to their computer, and who therefore won't have too much trouble getting access to any e-mail containing your password sent to you by the site. Generally, this whole process is a good idea, but you really need to make sure you choose a question and answer no one will know the answer to but you. If at all possible, use a question and answer of your own, and make it a hard one!
Lastly, exercise extreme care in choosing who you share any password with. I have been surprised on more than one occasion to find that customers have complained that someone else has been using their account and it turns out to be an ex-boarder, or someone with whom they've had a relationship break-up. Our terms and conditions state that your account is for your use alone. Understandably, couples etc. will be sharing accounts and we don't mind that, but you give your password out to anyone else at your own peril, especially if you forget to change it once they've moved on. This is an even more serious risk when it comes to your banking password.
Some General Dos and Don'ts by way of summary
Copyright © 2007 Actrix Networks Limited