
Do you use the same password all the time?

There has been a lot of media coverage recently, after a number of high-profile websites (LinkedIn, Twitter, the online game World of Warcraft and Yahoo) asked users to change their passwords.  This was after a series of well-publicised cyber attacks in sympathy with the WikiLeaks founder, Julian Assange.  Security experts have concerns about the wider impact of these attacks, as many people still use the same password for all their website and email accounts.  When I tell people they should use different passwords for their systems, I am often asked how you are meant to remember so many different passwords.

Introduction

We instinctively use passwords that we can easily remember, and the chances are most of us still use the same password for all our user accounts, but we are inadvertently making it easier for hackers and cyber criminals to access our data.  Charlie (our Managing Director) has worked within the IT sector since the late eighties and he has had to argue the case for strong passwords with literally hundreds of people (just how many of those arguments he has won is anybody's guess)!

The problem is that if you use any of the following, you should consider changing your passwords straight away:

  1. Your date of birth (applies to debit and credit card PIN numbers as well).
  2. Your spouse's name.
  3. Your sibling's name.
  4. Your mother's maiden name.
  5. Your pet's name.
  6. Your house name (or something similar).
  7. Part of your address.
  8. Information from any part of an online profile.

OK, hopefully I now have your attention!

A hacker's approach

As a business we have to constantly develop a security layer that protects our clients' data from the outside world.  As a result we see attacks whilst they are in progress, and we detected a particularly aggressive one a while ago.  When we telephoned the client they explained that they had recruited a security consultant to check their system.  The security consultant said that it was the first time a development studio had detected his checks and banned his Internet Protocol (IP) address, preventing him from continuing.  Suffice to say the client was extremely pleased!

This means we know how hackers approach the task of breaking into your accounts.  “Dictionary attacks” are a technique for breaching a user authentication system by trying to determine a password by searching through likely possibilities.  These have become more complex as connectivity and processor speeds have increased.  Dictionary attacks succeed because so many people use passwords that are short, single words found in dictionaries, or extremely simple, easily predicted variations on words (such as appending a digit).

Because of this method of attack, also known as a “brute force” attack, we have a policy on our system that a user can only get their password wrong 5 times before the user account is deactivated. This stops this kind of attack by not allowing the hacker to use his whole dictionary (but rather the equivalent of “aardvark” through “abandon”).
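As an added illustration of the policy described above (this is example code written for this page, not Ayrmer Software's system), a minimal lockout counter that deactivates an account after 5 wrong passwords, together with a helper that shows how far a wordlist gets before the lockout cuts it off. The usernames, passwords and wordlist are constructed sample data.

```python
import hmac

MAX_FAILED_ATTEMPTS = 5  # the limit stated in the article's policy


class AccountStore:
    """Tracks failed logins per user and deactivates after MAX_FAILED_ATTEMPTS."""

    def __init__(self, users):
        # users: dict of username -> password (constructed sample data; a real
        # system would store a salted password hash, never the password itself)
        self._users = {u: {"password": p, "failed": 0, "active": True}
                       for u, p in users.items()}

    def login(self, username, password):
        """Return 'ok', 'bad_password' or 'locked'."""
        rec = self._users.get(username)
        if rec is None:
            # Same answer as a wrong password, so the reply does not reveal
            # which usernames exist
            return "bad_password"
        if not rec["active"]:
            # Deactivated: reject without checking, so guessing cannot continue
            return "locked"
        if hmac.compare_digest(rec["password"], password):
            rec["failed"] = 0  # a correct login resets the counter
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["active"] = False
            return "locked"
        return "bad_password"

    def is_active(self, username):
        return self._users[username]["active"]


def guesses_evaluated(store, username, wordlist):
    """Feed a (constructed) wordlist to login() one word at a time and return
    how many guesses were actually checked before the lockout stopped them."""
    tried = 0
    for word in wordlist:
        tried += 1
        if store.login(username, word) in ("ok", "locked"):
            break
    return tried
```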

How to create strong passwords that you can remember

You need to create a methodology that is logical and therefore will be easier for you to remember (by association).  After reading Derren Brown’s book “Trick of the Mind” I was able to remember the order of an entire pack of cards (shuffled of course), by mental imagery.

Our brains are not great at memorising arbitrary sequences of letters or numbers. It has been advised that a strong password should be at least 12 characters long! For example, look at this for 10 seconds, turn away and try to remember it:

2sct2mwd14mc

However, our memory does react very well when things are relatable to our lives in a spatial environment. Imagine your morning routine. You get out of bed, perhaps clean your teeth, put on your slippers, go downstairs, look at the paper, etc.  Imagine it in your mind's eye.  Notice how you can progress chronologically through it without much effort. It is not something you can easily forget. An alternative might be to remember your route to a local shop. Any trip can be used as long as it contains enough places. What appears on the way? Let's use these memories to create a memorable password:

I need a password for my home wi-fi. I will associate this with my morning routine because checking the internet is the first thing I want to do (sad, I know).

I get out of bed and put on my 2 slippers (2s)

I clean my teeth for two minutes (ct2m)

I walk down my 14 steps (wd14)

I make a coffee (mc)

Obviously, fit this around your own daily routine. Try to use activities that include numbers. What do you notice? This creates the same password as before, but instead of being just a random sequence it is a code that is easily memorable by thinking of your morning routine. This is just a simple example of how you can associate something. If you would like to read more on the topic I would suggest Derren's book. He describes how you can easily associate every number with an everyday item through numerical phonetics. You can then remember a string by placing these everyday items on a remembered “trip” and simply walking through that trip to remember the digits. A couple of tips from me:

  • Make the items or situations incredible. This will inspire your mind to remember them, as they are unusual.
  • Only use one or two trips.
  • Try not to say your trip out loud when inputting your PIN; it will make you sound mad!

This may seem a little crazy, but it actually works. As stated, I was able to memorise the placing of 52 cards after just looking at them for 5 minutes. This included not just the sequence but even their placement in the deck.

“What card is at position 37?”

“Easy: the number 37 uses 3 (m) and 7 (t), which equates to the word ‘mat’. I remember on my route there was a huge dog sitting on a mat. D relates to diamonds and G relates to 9. Therefore the 37th card is the 9 of diamonds.”

The following is Derren's own quote of how to remember the sequence 876498474505773498724. He alludes to the code he has made for each digit:

0 = Z/S
1 = L
2 = N
3 = M
4 = R
5 = F/V
6 = B/P
7 = T
8 = Ch/Sh/J
9 = G

“I hear a countdown from eight, but the counter realises she’s missed five, and stops (8764). Fair enough, she’s nearly a hundred years old (98) and even gets airplanes muddled up (474 instead of 747). The airplanes fly over her beehives… she had three beehives in a row but the middle one is missing (505), so she put a ToTeM (773) pole in its place. She did this for her 98th (498) birthday. I only gave her a TeNneR (724) as a gift.”

By just learning a number/letter system and keeping it practised, you have remembered a 26 digit password simply by reciting a memorable story. Although it may sound convoluted, it is a lot easier than you think.
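To make the digit/letter code above concrete, here is an added decoder (example code written for this page, not from the article or from Derren Brown's book) that turns a mnemonic word back into the digits it stands for, so you can check that a story word such as ToTeM really encodes 773 before relying on it. It assumes, as the capitalised letters in the quote suggest, that vowels and letters absent from the table carry no digit and that a doubled consonant (the “nn” in TeNneR) counts once.

```python
# Digit code from the table above; "ch" and "sh" are two-letter units
CODE = {
    "z": "0", "s": "0",
    "l": "1",
    "n": "2",
    "m": "3",
    "r": "4",
    "f": "5", "v": "5",
    "b": "6", "p": "6",
    "t": "7",
    "j": "8",
    "g": "9",
}
DIGRAPHS = {"ch": "8", "sh": "8"}


def digits_of(word):
    """Return the digit string a mnemonic word stands for, e.g. 'totem' -> '773'.

    Assumptions (not stated on the page): vowels and uncoded letters are
    skipped, and a consonant repeated immediately after itself counts once.
    """
    word = word.lower()
    digits = []
    prev = None  # the previous letter (or digraph) seen
    i = 0
    while i < len(word):
        pair = word[i:i + 2]
        if pair in DIGRAPHS:
            digits.append(DIGRAPHS[pair])
            prev = pair
            i += 2
            continue
        letter = word[i]
        if letter in CODE and letter != prev:  # doubled consonant counts once
            digits.append(CODE[letter])
        prev = letter
        i += 1
    return "".join(digits)


def check_mnemonic(words, number):
    """True if the coded words, in order, spell out exactly the digits of number."""
    return "".join(digits_of(w) for w in words) == number
```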

Conclusion

There have been several suggestions, and even some implementations, of Internet Passports (a mechanism for storing all your user account details in one secure location), but these aren't in widespread use.

What is essential is that you take responsibility for your own security on the internet. We advocate various systems for memorising that can be used effectively to create unique, secure passwords. If any of your passwords fall into our earlier list of “don't use” information, there is no time like the present to start proverbially changing the locks!

Resources

Internet surfers told to change passwords after hackers strike
Dictionary attack
Kaspersky CEO: You need an Internet ‘passport’
Derren Brown: Trick of the Mind, ISBN 9781905026265 (Amazon)

Date: 16/12/2010
