In movies we see flippant comments such as “I bet your ATM PIN is your birthday” or your wife’s birthday … in reverse? And “Mission Impossible” analysts cracking passwords in just a few seconds using supercomputers. But this is Hollywood, right?
We are all told to choose a secure password; generally the advice is to choose something with a number in it and maybe a mix of upper and lower case letters … The passwords we then choose look “unguessable”, but are they really uncrackable? And of course we use a different password for every site we visit, as no-one would be foolish enough to use the same password everywhere, would they? Would they?! OK, so in reality most people use the same password everywhere, because otherwise they would never be able to remember all the passwords they use on all the sites around the Internet.
And then of course there are those people who simply choose “password” or those who ignore the subliminal message from their IT department when issued with a password of “ChangeMe” or similar.
So what should we choose? Computer scripts exist today which can crack a password based on a dictionary word in a matter of seconds. Changing the vowels for numbers makes it look secure, but scripts already check for 0 instead of o or O and so on. It might mean pass 3 or pass 33, but that still takes less than 0.7 seconds of computational time to process.
Every day we see botnets scanning our network for vulnerabilities, and trying to “guess” passwords based on dictionary words, previously cracked passwords and so on.
So what should you do? Well, in an ideal world you should have a unique password for each site, or even better a single sign-on, one-time password mechanism for every site … which is fine until the one-time password (OTP) algorithms are hacked or compromised. But we have to trust someone, so using something like RSA’s SecurID or an open source OTP system is one way. But that isn’t for everyone.
You could also invest in an application such as 1Password. This is actually something we here at Fido use a lot. We use it to generate random passwords for customer accounts, our own accounts and more. It keeps a unique password for every site we visit locked away in an encrypted / secure database.
Which is fine until we lose the backup of the backup of the data file, along with the originals and all the other backups 🙂
Not everyone is going to invest in third-party applications or security systems though … so here are a few tips to try and help you generate passwords which will at least give the hackers a run for their money.
Never rely on a dictionary word. Don’t assume just putting 123 on the end will make it secure, and try to use punctuation (,.?’!$) etc. in the password if the remote site will let you (some sites filter this as an attempt at an SQL injection attack).
Try to use long passwords. If you are going to use a dictionary word, obfuscated or not, try to use two, linked with something like a number and/or punctuation.
Try something like verity%15chastity12 or similar … not just chastity123, which would take about 0.3 seconds for a brute force attacker to crack.
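To see the tips above from the cracking script’s side, here is an added example (not code from the original post or from Fido): a small Python check that undoes the common letter-for-digit substitutions, looks for dictionary words, and scores what is left over. The word list, substitution table, assumed wordlist size and scoring thresholds are all constructed assumptions, not any real tool’s.

```python
from math import log2

# Constructed stand-in for a cracking wordlist (a real one has far more entries).
DICTIONARY = ["password", "chastity", "verity", "welcome", "dragon", "changeme", "monkey"]
ASSUMED_WORDLIST_SIZE = 1_000_000  # assumption: entries a cracking script would enumerate
# Substitutions a cracking script reverses: 0->o, 1->i, 3->e, 4->a, 5->s, @->a, $->s
LEET = str.maketrans("01345@$", "oieasas")


def assess(password: str) -> dict:
    """Find dictionary words hiding in a password and give a rough score."""
    plain = password.lower().translate(LEET)   # what the attacker's normaliser sees
    covered = [False] * len(password)          # which characters belong to a found word
    words = []
    for word in sorted(DICTIONARY, key=len, reverse=True):  # longest words first
        start = plain.find(word)
        while start != -1:
            span = slice(start, start + len(word))
            if not any(covered[span]):          # don't count an overlapping shorter word twice
                words.append(word)
                covered[span] = [True] * len(word)
            start = plain.find(word, start + 1)
    # Characters not explained by a dictionary word are what the attacker must brute force.
    residual = "".join(c for c, hit in zip(password, covered) if not hit)

    # Constructed scoring model: a dictionary word costs roughly one wordlist lookup
    # plus ~2 bits for leet/case variants; each residual character costs its class size.
    bits = len(words) * (log2(ASSUMED_WORDLIST_SIZE) + 2)
    for c in residual:
        bits += log2(10 if c.isdigit() else 26 if c.islower() else 52 if c.isalpha() else 33)

    if len(words) == 1 and residual.isdigit():
        verdict = "weak"     # one dictionary word plus trailing digits: the chastity123 case
    elif bits < 40:
        verdict = "weak"
    elif bits < 55:
        verdict = "fair"
    else:
        verdict = "strong"   # e.g. two words linked by punctuation and digits
    return {"words": words, "residual": residual, "bits": round(bits, 1), "verdict": verdict}


if __name__ == "__main__":
    for candidate in ["chastity123", "pa55w0rd", "verity%15chastity12"]:
        print(candidate, assess(candidate))
```

The thresholds are illustrative only; the useful part is that pa55w0rd and chastity123 collapse to a single wordlist entry, while the two-word form leaves real work for the attacker.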
Above all, think smart. And of course, don’t write it down and leave it on a post-it note on your desk for the next person to spy when they look over your shoulder. Remember, people in the office are potentially as much of a threat as the Chinese or Russian script kiddie who’s bored on summer break and wants to take control of your account so they can steal your credit card details, or hack your computer and sell your CPU resources and internet connection into a bot-net slavery ring somewhere!
If you do have the budget for an OTP solution (which can be anything from a few hundred pounds upwards) then talk to us and we will try to help you choose the right solution. We offer RSA security solutions as well as lower cost open source based solutions for all budgets.