From the Actrix Online Informer June 2010
Does your password pass?
by Rob Zorn
This is an updated version of an article we ran back in 2008. Back then we had a problem with spammers guessing customers' account passwords, and then setting up sub mailboxes under those accounts to use as e-mail addresses from which to send spam. It would appear they are at it again.
Spammers can crack weak passwords very quickly using programs built for 'brute force' username/password guessing. The software works through a long list of common passwords and their variations, hoping to hit one that works. Because a surprising number of people have poor passwords, it has a lot of success.
And if they've cracked your account in order to set up a mailbox, they can also read your mail and get up to all sorts of other worrying mischief. They probably won't because they want to remain hidden, but that's hardly comforting!
In response we will soon be strengthening the minimum requirements for passwords and contacting at-risk users advising them to change their passwords. The new minimum requirements for passwords will be that each must contain at least:
Below we'll suggest a system you can use to come up with a password that contains all these things, is very hard to crack, but is also very easy for you to remember, and even to vary for different log-ins. We'll also tell you about how to change your passwords and settings.
But first, some generalisations about Kiwis and their passwords. We have a number of bad password habits that make it easy for the baddies to guess or 'brute force' them.
1) The most common form of password is a pet's or child's name with the digit 1 after it. I think this is because many people don't think about a password until they're setting up an account or log-in. Typically they are informed that a password should have letters and numbers, and the first thing that comes into their head that they think they will remember is their child's name (the firstborn or the most recent-born is most common) or their pet's name. The 1 gets added because they have to have a number in the password and this is the easiest number to remember.
If I wanted to guess your password, then, I would try a few combinations on your kids' or pets' names first. A 'brute force' bot program will be able to try thousands of combinations around common pet or child names in seconds.
2) It is extremely common for people to substitute numbers for the letters they resemble. The letter 'o' gets replaced by a zero. The letters 'i' or 'l' get replaced with a 1. The letter 's' gets replaced by a 5, 'g' by a 9, etc. The bot programs try exactly these swaps as a matter of course, so using your kids' or pets' names with numbers substituted for letters isn't going to slow the spammers down for long.
3) Many people still use a birth date or part of their phone number for the required number(s) in their password. These may be easy to remember, but such numbers are also easily guessed. Short combinations of numbers are also little problem for the bots.
4) Almost unbelievably, some people still think the most obvious password is the one that will never be guessed. They may use the word "password" or "pa55word", or phrases like "letmein" or "opensesame", and think they're being really clever. Unfortunately, they're not nearly as original as they think they are. Be sure the 'brute force' bots know about all of these!
5) Many people go years without changing their passwords. Reasons for this would include them not finding the matter important, or just having too many passwords at all sorts of different places, so the thought of changing each one becomes all a bit too much. Probably too, a lot of people have forgotten their passwords, and sometimes you need to know your password before you can change it.
There are two schools of thought on how often to change your password. Some argue that if you have a really good password, then you don't need to change it all that often. They may be right, but the key point is having a really good and uncrackable password that bears no apparent resemblance to any real word or name.
6) People use the same password at various places. Again, this is done so that not too many passwords need to be remembered, and the same password can be used for logging onto the Internet, onto the banking site(s), the auction site(s) and the online dating site or web forum. Unfortunately, though, if that one password is harvested, the harvester suddenly has access to everything you've got.
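To make points 1 to 4 concrete, here is a small model of the kind of guessing bot described above, together with a "does your password pass?" check built on the same idea. This is an added example written for this article, not Actrix's own software: the name list, the common-password list and the number suffixes are short constructed stand-ins for the far larger lists a real bot carries, and the substitution table is the one the article describes (o to 0, i or l to 1, s to 5, g to 9, plus e to 3 and a to 4).

```python
"""Model of a password-guessing bot, and a check built on it.
Added example; NAMES, COMMON, LEET and the suffix lists are constructed
samples, not anything taken from a real attack."""
import itertools

# Constructed sample lists. A real bot carries tens of thousands of names
# and common passwords; these few are enough to show the method.
NAMES = ["fluffy", "rover", "emma", "jack", "sophie", "max"]
COMMON = ["password", "letmein", "opensesame", "qwerty", "abc123"]
LEET = {"o": "0", "i": "1", "l": "1", "s": "5", "g": "9", "e": "3", "a": "4"}
SUFFIXES = [""] + [str(n) for n in range(100)] + ["123", "1234"]
YEARS = [str(y) for y in range(1940, 2011)]   # birth years are cheap to enumerate


def leet_variants(word):
    """Yield every spelling of `word` with any subset of LEET swaps applied."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def case_variants(word):
    """The three capitalisations people actually use."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates():
    """Generate guesses roughly in the order a bot would try them: the
    well-known passwords first, then names with number-for-letter swaps
    and a digit, short number or year tacked on the end."""
    for word in COMMON:
        for spelling in leet_variants(word):
            yield from case_variants(spelling)
    for name in NAMES:
        for spelling in leet_variants(name):
            for cased in case_variants(spelling):
                for suffix in SUFFIXES + YEARS:
                    yield cased + suffix


def guesses_needed(password, limit=1_000_000):
    """How many guesses the bot needs to hit `password`, or None if it is
    not among the first `limit` candidates."""
    for n, guess in enumerate(candidates(), start=1):
        if guess == password:
            return n
        if n >= limit:
            break
    return None


def password_passes(password):
    """The article's minimum (letters and digits, upper and lower case)
    plus 'not something the bot above would find'. Returns (ok, reason)."""
    if not any(ch.isdigit() for ch in password):
        return False, "needs a digit"
    if not any(ch.isalpha() for ch in password):
        return False, "needs a letter"
    if not (any(ch.islower() for ch in password)
            and any(ch.isupper() for ch in password)):
        return False, "needs both upper and lower case"
    if guesses_needed(password) is not None:
        return False, "a guessing bot would find it"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Fluffy1", "F1uffy1", "S0ph1e1985", "Pa55word", "RE2fap0w"]:
        print(pw, guesses_needed(pw), password_passes(pw))
```

Even with these tiny lists the bot produces only about sixteen thousand guesses, and it hits a capitalised pet name with a 1 on the end, the same name with an l turned into a 1, a child's name with a birth year, and "Pa55word" in well under a second. A password that is not built from a name or a word, such as the RE2fap0w example worked through later in this article, is simply not on the list.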
Okay, so how can you choose a good password?
A good password should be a mixture of letters and numbers, and there should also be a mixture of capital and lower-case letters. But a good password also needs to be easy for you to remember, and for most of us, remembering a string of gobbledegook (e.g. kq9Ph3I9) is not easy.
One suggestion is to think of a core password that would look like gobbledegook to anyone else, but would make sense to you because you know its key. You could then use that core at all of your different log-ins, with a unique variation added to it (also easy to remember) for each separate log in.
Confused? Let me explain.
Think of a short phrase such as a line from a nursery rhyme (e.g. "to fetch a pail of water") and reduce it to a series of letters. The core of our password suite will thus become "tfapow". Next change the "to" to the numeral 2 and the letter o to a zero. Our password is now 2fap0w (which isn't too hard to remember if we know how it was derived).
The next step is to think of a unique identifier for each of the sites where you log in. The main colour of a site might be an example. So, if I was logging into my Westpac banking site (mainly red in colour), I might add RE to the front of the password. As soon as I accessed the Westpac site, the main colour would remind me that my password for this site starts with RE, and because I've memorised the core password, I can remember that my password is RE2fap0w. If I was logging into an ANZ web site my password would be BL2fap0w. Of course, colour is just one option. Perhaps there's some other unique identifier for each site: the first or last two letters of the company's name... use your own creativity to find a pattern that works for you. One caveat: the site tag is the only part that differs between your passwords, so anyone who phishes or harvests one of them can see the core and has a good chance of guessing the rest. If a password built this way ever leaks, treat that as a reason to change the core everywhere, not just at the site concerned.
Next time I change my core password to hd50aw (Humpty Dumpty sat on a wall), my password at the Westpac site would change to REhd50aw.
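The core-plus-site-tag scheme, written out as a function so the steps above can be seen in one place, along with what someone who captures one of the resulting passwords can read off it. This is an added example for this article, not code from Actrix; the substitution table is the one the text uses (the word "to" becomes 2, an initial o becomes 0, an initial s becomes 5) and the site tags for Westpac and ANZ are the colour tags assumed in the text.

```python
"""The article's core-plus-site-tag password scheme, and its weak point.
Added example; the substitution tables and SITE_TAGS are the article's
worked values, not a recommendation of any particular site or tag."""

WORD_SUBS = {"to": "2"}                # a whole word replaced by a digit
LETTER_SUBS = {"o": "0", "s": "5"}     # an initial replaced by a look-alike digit


def core_from_phrase(phrase):
    """Reduce a phrase to its initials, then apply the substitutions.
    'to fetch a pail of water' -> 2fap0w, 'Humpty Dumpty sat on a wall' -> hd50aw."""
    parts = []
    for word in phrase.lower().split():
        if word in WORD_SUBS:
            parts.append(WORD_SUBS[word])
        else:
            initial = word[0]
            parts.append(LETTER_SUBS.get(initial, initial))
    return "".join(parts)


def site_password(phrase, site_tag):
    """Prefix the core with the per-site tag, as the article does with RE and BL."""
    return site_tag + core_from_phrase(phrase)


SITE_TAGS = {"westpac": "RE", "anz": "BL"}   # assumed tags, from the colour idea


def all_site_passwords(phrase):
    """The full suite of passwords for one core, one per site."""
    return {site: site_password(phrase, tag) for site, tag in SITE_TAGS.items()}


def core_exposed_by_leak(leaked_password, tag_length=2):
    """What a phisher learns from one captured password: drop the site tag
    and the shared core is left, so every other site's password is that
    core behind a different short prefix."""
    return leaked_password[tag_length:]


if __name__ == "__main__":
    print(all_site_passwords("to fetch a pail of water"))
    print(all_site_passwords("Humpty Dumpty sat on a wall"))
    print("core visible from a leaked Westpac password:",
          core_exposed_by_leak("RE2fap0w"))
```

The last function is the caveat to keep in mind: the scheme buys memorability, not independence between sites. Once one password from the suite is phished, the attacker holds the core, and only the two-letter tag stands between them and your other log-ins, which is why a leak anywhere should trigger a change of the core everywhere.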
Another simple method for choosing passwords is to use nonsense syllables and separate them with numbers such as the following: breeN91gilB, ritT81bleeG, or fiM43drutT. Nonsense syllables are easier to remember because they are pronounceable, but they won't make sense to anyone else, and are therefore pretty un-guessable. However, if you're changing your password regularly, these become harder to remember, in my opinion, because there is no system to them.
How and why should you protect your password?
It is one thing to choose a good password that is not easily guessed, but the best password in the world is of little value if you are careless with it.
The most obvious thing that comes to mind here is phishing scams. We've all had those e-mails turn up that purport to come from our ISP, or from PayPal, or Trade Me, or eBay, or our bank warning us that we're about to be cut off or that something has gone wrong with our account, and could we please go to a special page to log in and stop this terrible thing from happening. Of course, behind the scenes, this web page only looks like the authentic one, and it is really designed to capture your log in details for some hacker's nefarious purposes.
Most people are probably aware of phishing scams by now, and are less likely to fall for them, but hackers and web-tricksters are always finding new ways to part people from their passwords, and a high level of suspicion regarding any request for your password is appropriate. Reputable companies have a policy never to request your password in an e-mail, so anyone who does it is highly suspect.
Writing your passwords down is a bit of a tricky one. If they're written down on a piece of paper (and some security advisors recommend this instead of storing them electronically), then they are not vulnerable to a hacker who may have compromised your computer. They are, however, vulnerable to anyone who might be looking through your drawers or papers.
It's generally good practice, too, not to have your user name and password (e.g. dialup or browser-based log-ins) remembered automatically by your browser. If you do this, and your computer is stolen, make sure you contact your online providers immediately to have the password(s) changed.
Lastly, exercise extreme care in choosing who you share any password with. I have been surprised on more than one occasion to find that customers have complained someone else has been using their account and it turns out to be an ex-boarder, or someone with whom they've had a relationship break-up. Our terms and conditions state that your account is for your use alone. Understandably, couples etc. will be sharing accounts and we don't mind that, but you give your password out to anyone else at your own peril, especially if you forget to change it once they've moved on.
Some general dos and don'ts by way of summary
Copyright © 2010 Actrix Networks Limited | Contact: email@example.com