
What makes a password secure?

Keeping our data secure is something we should all want to do, and need to do, to protect ourselves, our families and our finances!

In movies we see flippant comments such as "I bet your ATM PIN is your birthday", or your wife's birthday ... in reverse? And "Mission Impossible" analysts cracking passwords in just a few seconds using supercomputers. But this is Hollywood, right?

We are all told to choose a secure password; generally the advice is to choose something with a number in it and maybe a mix of upper and lower case letters. The passwords we then choose look "unguessable", but are they really uncrackable? And of course we use a different password for every site we visit, as no-one would be foolish enough to use the same password everywhere, would they? Would they?! In reality most people use the same password everywhere, because otherwise they would never be able to remember all the passwords they use on all the sites around the Internet. That one habit turns a breach at any single site into a breach of every account that shares the password.

And then of course there are those people who simply choose “password” or those who ignore the subliminal message from their IT department when issued with a password of “ChangeMe” or similar.

So what should we choose? Scripts exist today which can crack a password based on a dictionary word in a matter of seconds. Swapping vowels for numbers makes it look secure, but the scripts already try 0 instead of o or O and so on, and they try the common suffixes too: it might be pass3 or pass33, but that still takes less than 0.7 seconds of computational time to find.

Every day we see botnets scanning our network for vulnerabilities, and trying to “guess” passwords based on dictionary words, previously cracked passwords and so on.

So what should you do? In an ideal world you should have a unique password for each site, or better still a single sign-on, one-time password mechanism for every site ... which is fine until the one-time password (OTP) algorithms are hacked or compromised. But we have to trust someone, so using something like RSA's SecurID or an open source OTP system is one way. That isn't for everyone, though.
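For readers who want to see what an open source OTP scheme actually does, here is an added example (not Fido.Net's code, nor that of any particular product) of the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) that most software tokens implement. The secret and test times are the RFC's own published vectors; the replay check via `last_counter` is an assumption about how a verifier should be wired in, not something the RFC mandates.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret, code, at_time, last_counter=-1, window=1, step=30, digits=6):
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns the matching counter so the caller can store it and refuse replays
    (any counter <= last_counter is rejected). The replay rule is this example's
    assumption about how a verifier should be wired in, not part of the RFC.
    """
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        # Constant-time comparison so a verifier does not leak digit matches by timing.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret: ASCII "12345678901234567890" (SHA-1 rows).
    secret = b"12345678901234567890"
    print("HOTP counter 0 :", hotp(secret, 0))             # 755224
    print("TOTP at T=59   :", totp(secret, 59, digits=8))  # 94287082
    print("TOTP now       :", totp(secret, time.time()))
```

The window of one step either side tolerates a little clock drift between token and server; widening it much further weakens the "one-time" property, and so does forgetting to record the last accepted counter, because the same six digits would then be accepted again for the rest of the window.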

You could also invest in an application such as 1Password. This is actually something we here at Fido use a lot. We use it to generate random passwords for customer accounts, our own accounts and more. It keeps a unique password for every site we visit locked away in an encrypted / secure database.

Which is fine until we lose the backup of the backup of the data file, along with the originals and all the other backups 🙂

Not everyone is going to invest in 3rd party applications, or security systems though … so here are a few tips to try and help you generate passwords which will at least give the hackers a run for their money.

Never rely on a dictionary word. Don't assume that just putting 123 on the end will make it secure, and try to use punctuation (,.?'!$ etc.) in the password if the remote site will let you. Some sites filter punctuation as an attempt at an SQL injection attack; a site that does so is a warning sign in itself, since properly written code hashes the password and never places it inside a query.

Try to use long passwords. If you are going to use a dictionary word, obfuscated or not, try to use two, linked with something like a number and/or punctuation.

Try something like verity%15chastity12 or similar, not just chastity123, which would take about 0.3 seconds for a brute force attacker to crack.
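To make the point concrete, here is an added example (not code from the original post or from Fido.Net) of the kind of rule-based guessing a cracking script does: take a short wordlist, apply capitalisation, the usual letter-for-digit swaps and common suffixes, and compare each candidate against the target hash. The wordlist, the rule set and the unsalted SHA-256 target are all constructed for illustration; a real cracker uses far larger dictionaries and rule sets, and the target hash would be whatever the site actually stored.

```python
import hashlib
import itertools

# Constructed mini wordlist standing in for a real dictionary; a real cracker
# loads hundreds of thousands of words plus previously leaked passwords.
WORDLIST = ["password", "pass", "chastity", "verity", "summer", "dragon"]

# Letter-for-digit swaps ("leet") that cracking rule sets try automatically.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

# Common suffixes people bolt on to make a word "look" secure.
SUFFIXES = ["", "1", "12", "123", "3", "33", "!", "2010"]


def hash_password(password):
    """Unsalted SHA-256, standing in for whatever weak hash a site stored."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def leet_variants(word):
    """Yield the word with every combination of leet substitutions applied."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for swap, i in zip(mask, positions):
            if swap:
                chars[i] = LEET[chars[i].lower()]
        yield "".join(chars)


def candidates(wordlist=WORDLIST):
    """Generate guesses: case variants x leet variants x suffixes, deduplicated."""
    seen = set()
    for word in wordlist:
        for cased in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(cased):
                for suffix in SUFFIXES:
                    guess = variant + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(target_hash, wordlist=WORDLIST):
    """Return (password, guesses) if the hash falls to the rule set, else (None, guesses)."""
    tried = 0
    for guess in candidates(wordlist):
        tried += 1
        if hash_password(guess) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    for pw in ["pass33", "Ch45tity123", "verity%15chastity12"]:
        found, tried = crack(hash_password(pw))
        status = "cracked" if found else "not in guess space"
        print(f"{pw!r}: {status} after {tried} guesses")
```

chastity123 and Ch45tity123 both fall inside the candidate space after a few hundred guesses; verity%15chastity12 does not, because it glues two words together with punctuation and digits that a single-word rule set never produces. A site that stores passwords with a slow, salted hash (bcrypt, scrypt or Argon2) makes each guess cost far more than the SHA-256 used here, but it does not change which passwords are in the guess space, so the advice above still applies.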

Above all, think smart. And of course, don't write it down and leave it on a post-it note on your desk for the next person to spy when they look over your shoulder ... remember that people in the office are potentially as much of a threat as the Chinese or Russian script kiddie who is bored on summer break and wants to take control of your account so they can steal your credit card details, or hack your computer and sell your CPU resources and internet connection into a bot-net slavery ring somewhere!

If you do have the budget for an OTP solution (which can be anything from a few hundred pounds upwards) then talk to us and we will try to help you choose the right solution. We offer RSA security solutions as well as lower cost open source based solutions for all budgets.

Fido.Net's team of experienced engineers and management have been working in the internet industry since its inception in the UK back in 1992. Jon Morby, the founder and owner of Fido.Net, originally started in IT as far back as 1982, and was one of the UK's (and Europe's) main importers of both email and echomail for the fidonet network of amateur bulletin boards, running the fidonet.org Internet gateway from 1985 through to 1994.

Although enjoying a successful career in stockbroking working out of the Birmingham Stock Exchange, Jon felt the real future was in the Internet; and after some persuasion by Demon's then Managing Director Cliff Stanford, Jon joined Demon Internet Ltd, initially responsible for their Birmingham Point of Presence (PoP) from 1993 to 1995 and then moving to London to supervise Demon's growing technical support team. By the time Jon finally left Demon in January 2000 he was their Advanced Technologies Manager, responsible for managing the development and implementation of the next generation systems which Scottish Telecom (now Thus PLC) and Demon would be rolling out over the next 3-5 years, a far cry from his original days running a support desk of 5 staff!

Fido.Net's senior staff have had a grounding in the Internet, with the majority of them having worked for ISPs such as Demon Internet, EasyNet and other mainstream UK service providers, as well as some of the first large Internet portals (including online trading experts The Interactive Investor, and the not so successful boo.com).

https://www.fido.net
