What’s in a password?
LinkedIn and Last.fm are the latest services to have users’ passwords compromised, making it all the more imperative to create strong, secure passwords. By Craig Wilson.
Every new service you sign up for online requires a password or PIN, and staying on top of the burgeoning list of login details often leads to laziness. But recent security breaches of sites like LinkedIn have once again highlighted the importance of developing a good password strategy, even if the idea sounds about as exciting as a trip to the urologist.
For many people, one password is more than enough to remember and so they’re inclined to use the same password for every website or application. Of course, this is a staggeringly bad idea. So bad, in fact, that, were there awards for crummy ideas, this might just win the lot of them.
At the very least consumers should always have unique passwords for each e-mail and online banking service they use. Those passwords shouldn’t just be vastly different from one another, but different from the passwords used for other services like Facebook, or Twitter, or your pug-focused Pinterest account.
E-mail provides a potential fraudster with an incredible amount of data, including which bank you use, where you live, what your real name is and which social media services you use. So, too, does social media. All of this information makes it that much easier to turn one chink in your digital armour into a gaping wound.
By using the same password across services, consumers simply make fraudsters’ lives easier. If a user’s e-mail, online banking and social media passwords are the same, and any of them is compromised, the others are likely to fall too. After all, replaying a leaked e-mail address and password against other services takes little effort on the fraudster’s part (it is routinely automated) and the payoff for success is often well worth it.
Ideally, one should assign a different password to every service. Previously, this was just impractical unless you were some sort of savant with a photographic memory.
Today, keeping on top of myriad passwords has been made easier thanks to applications and plug-ins like LastPass, 1Password and KeePass that keep lists of your passwords and are far more secure than the other, often used password repository: a file called “passwords.doc” or “passwords.txt”. The catch is that the manager’s own master password becomes the one password you must remember, so it needs to be the strongest of the lot.
Now that you’ve got somewhere to store your passwords, the problem is creating good ones. The experts are divided on some of the finer points of what makes an excellent password, but they agree on the basics. A combination of lower- and uppercase letters, numbers and symbols is a good start, but length matters more than variety: every extra character multiplies the number of guesses an attacker has to make, so a long passphrase beats a short jumble of symbols.
The experts also agree that “password”, “1234567890”, “opensesame”, “letmein” and your dog’s/daughter’s/nephew’s name are among the least secure and most easily guessed passwords you can choose: they sit at the top of every cracking wordlist.
Other bad practices include using the same word twice in a row, using any sort of sequential keyboard pattern (like “qwerty” or “asdfghj”), simply appending numbers to the end of a word, or anything personal like your birthday, anniversary, licence plate or telephone number.
A popular approach is to take a random phrase or combination of words and replace letters with numbers (l with 1, a with 4 and so on), but these substitutions are built into the rule sets of automated password-cracking tools such as John the Ripper and hashcat, so “P4ssw0rd” falls almost as quickly as “password”. Deliberately misspelt words buy little for the same reason, since crackers also try common misspellings. A better approach is a mnemonic password: take the first letter of each word in a sentence only you would remember, keeping its capitals and punctuation, which yields a long string that appears in no wordlist. Better still, let your password manager generate a long random password for each site and never memorise it at all.
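To show why the substitutions and patterns above do not help, here is a small Python script, added as an illustration and not part of the original article, that undoes the common mangling steps the way a cracker’s rule engine does and then applies the article’s own list of bad practices. The wordlist and the substitution table are constructed for the example and are tiny; a real attack uses wordlists of millions of entries. The mnemonic() helper builds a password from the first letter of each word in a sentence, as the text recommends.

```python
import re

# Constructed stand-in for a cracker's wordlist. A real attack uses lists
# with millions of entries, typically seeded with earlier breach dumps.
WORDLIST = {
    "password", "letmein", "opensesame", "welcome", "monkey", "dragon",
    "sunshine", "princess", "football", "linkedin",
}

# The usual letter-for-number swaps, applied in reverse. A cracker's rule
# engine tries exactly these mappings, so they add no secrecy.
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def base_words(password):
    """Return the base words a rule-based cracker would recover from a
    password by undoing common mangling: lower-casing, reversing leet
    substitutions, stripping appended digits/symbols, and halving a word
    typed twice in a row."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)   # drop appended digits/symbols
    forms = {lowered, lowered.translate(UNLEET),
             stripped, stripped.translate(UNLEET)}
    for form in list(forms):
        half, remainder = divmod(len(form), 2)
        if half and remainder == 0 and form[:half] == form[half:]:
            forms.add(form[:half])
    return forms


def keyboard_walk(password, min_len=4):
    """True if the password contains min_len adjacent keys from one keyboard
    row, in either direction (qwerty, asdfghj, 1234, 0987...)."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            fragment = row[start:start + min_len]
            if fragment in lowered or fragment[::-1] in lowered:
                return True
    return False


def weaknesses(password):
    """List the bad practices from the article that the password exhibits.
    An empty list means none of these cheap checks fired, not that the
    password is strong."""
    problems = []
    hits = sorted(word for word in base_words(password) if word in WORDLIST)
    if hits:
        problems.append(f"dictionary word after undoing substitutions: {hits[0]}")
    if keyboard_walk(password):
        problems.append("keyboard sequence")
    if re.fullmatch(r"[A-Za-z]+[0-9]+", password):
        problems.append("word with numbers appended")
    if password.isdigit():
        problems.append("digits only")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    return problems


def mnemonic(sentence):
    """Build a password from the first character of each word in a sentence,
    keeping punctuation so the result mixes character classes."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalnum())
    return "".join(out)


if __name__ == "__main__":
    samples = ["P4ssw0rd123", "qwerty1234", "letmeinletmein",
               mnemonic("Every new service you sign up for online "
                        "requires a password, or a PIN!")]
    for candidate in samples:
        print(f"{candidate!r}: {weaknesses(candidate) or 'no cheap checks fired'}")
```

Running it shows “P4ssw0rd123” collapsing to “password” after one pass of reversed substitutions and digit stripping, while the mnemonic string built from the sentence trips none of the checks. The checks are deliberately cheap; passing them is a floor, not a guarantee.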
Finally, there’s one other thing about passwords: they’re most effective when they’re kept private. Any large company will tell you the biggest risk to security is people. So, even if you’ve come up with a password so impressive and obscure you feel like bragging about it, don’t. — (c) 2012 NewsCentral Media
- Craig Wilson is senior journalist at TechCentral