Time was when passwords were something that you read about
in spy novels but never actually came across the need to use. As far as I recall it wasn’t until the early
to mid 1990s that I needed a password at work to access a particular system,
but gradually, as the decade progressed and more and more work migrated from paper
to PC, there was a proliferation of new systems and applications, each in
need of a password.
By the time I left work at the end of last year I had access
to twenty odd systems that required passwords; a fairly modest number compared
with some people, but still enough to make remembering them all quite exacting.
IT policy in most organisations regarding passwords tends to require users not
to share passwords, not to record them anywhere and to have unique passwords
for each system. Add to this last recommendation the fact that each system has
different requirements vis-à-vis password construction (fixed length, variable
length, upper case and lower case letters, numbers, special characters) and it
is little wonder that most people record at least some of their passwords
somewhere, somehow. My favoured method, and one which even IT
security would grudgingly agree was just about acceptable, would be to have two
spreadsheets in my personal drive; one with a list of systems or applications
and user names, and another with a corresponding list of passwords. These
spreadsheets should have innocuous names that don’t make it obvious they are
password lists and of course, these spreadsheets need to be password
protected! There are proprietary apps like
Dashlane or Password Caddy that can be downloaded to a smartphone to store
passwords, although I imagine that many companies would have IT policies that
would not approve their use. Some of these types of apps are free, but some do
charge and personally I would be somewhat wary of trusting my passwords to a
third party app, regardless of how secure they appear to be.
The fact that passwords in most business systems expire
regularly (I had some that expired every ninety days, some that expired monthly
and one that had to be changed daily) makes remembering them all without some
sort of prompt difficult in the extreme, especially the ones not used every
day. Inevitably this means that your typical IT helpdesk spends a
disproportionate amount of time resetting passwords for frustrated users who
cannot remember them.
The need for multiple passwords is avoided by the adoption
of something like Active Directory, a single sign-on (SSO) that allows the user
access to sub-systems once they have logged on to the domain. Obviously a
weakness of Active Directory is that any would-be hacker needs only to get through
one password instead of many, so single sign-on types of access control really
need two-factor authentication, supplementing the user’s password with a one-time
password (OTP). This type of authentication is now fairly commonplace in
internet banking.
On top of our work passwords we now all have innumerable
passwords for our private transactions. Internet banking, various shopping sites
and social networks all require passwords and again these may all be in
different formats. Often these do not have expiry dates but Clifford Stoll, an
astronomer and author, says “Treat your password like your toothbrush. Don't
let anybody else use it, and get a new one every six months.” Hmm, not sure how
many people follow that advice, and if they do how often they have to click the
“Forgotten Password?” link, unless of course they recorded their new password
somewhere. This becomes even more pertinent as so many applications on your
tablet or smartphone now automatically log you in without needing your password
and most web browsers offer to remember your passwords for you, to the extent
that when you do need your password, say when you’ve had to log out of the
site, can you remember it anyway?
A further problem that I find is that, depending on the
website or application, my log on name may be my email address or something
else entirely. While I have no problem remembering my email address, the other
log on names are rather more tricky as they vary wildly and I have lost count
of the times when I can remember my password but not what creation I came up
with as my user name and have to ask for it to be resent to me.
When nearly half a million Yahoo! users had their accounts compromised
last year, research of the passwords that were revealed showed that the top ten
most commonly used included gems like “Password1”, “welcome” and “123456”. Interestingly,
“Incorrect” is not among the top ten; the joke doing the rounds says, “I set my
password to "incorrect" so that Windows reminds me every time I get it
wrong.”
While Yahoo!’s list contains some obviously guessable
passwords, it appears that even apparently “strong” passwords are actually
easily hackable. Well, easily hackable if you employ the sort of talent that
Ars Technica did when they cracked over 15,000 passwords this year, including
the memorable 16 character string, “qeadzcwrsfxv1331.”
Actually, if you test that password in a site like Password Meter (http://www.passwordmeter.com) it only
scores 65% (rating, Strong). A password such as “Password38” rates 66% on the
same site!
Following other advice that IT security experts give, you
should not use family or pet names, car registration numbers or the like as
passwords. Some recommendations for password construction include the idea of
making up a phrase, such as “My friend, Dorothy, was 35 last year!” which is in itself easier to remember than an
apparently random character string. Taking the initial letters from this
sentence gives a password of Mf,D,w35ly! which Password Meter rates as 100% (Very
Strong) although I reckon that Ars Technica would have broken it.
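
The gap between a composition-based rating and real guessability, and the initial-letter construction described above, can be shown in a few lines. This is an added example, not part of the original post and not Password Meter's algorithm; the function names and the rule set (length plus upper case, lower case and digit) are assumptions, and the common-password list holds only the three entries quoted in this post.

```python
import re

# Passwords this post quotes from the Yahoo! top ten (not the full list).
COMMON = ["Password1", "welcome", "123456"]

def composition_ok(pw: str, min_len: int = 8) -> bool:
    """Assumed composition rule: length plus upper, lower and digit."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))

def base_word(pw: str) -> str:
    """Lower-case and drop trailing digits/symbols, the usual decoration."""
    lowered = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return stripped or lowered  # all-digit passwords keep their value

COMMON_BASES = {base_word(p) for p in COMMON}

def is_guessable(pw: str) -> bool:
    """True when the password is a common one with different decoration."""
    return base_word(pw) in COMMON_BASES

def initials(phrase: str) -> str:
    """First letter of each word, keeping whole numbers and punctuation."""
    out = []
    for token in phrase.split():
        m = re.match(r"(\d+|\w)\w*(\W*)$", token)
        out.append(m.group(1) + m.group(2) if m else token)
    return "".join(out)

def verdict(pw: str) -> str:
    """Blocklist check first, then the composition rule."""
    if is_guessable(pw):
        return "reject: common password with decoration"
    return "accept" if composition_ok(pw) else "reject: composition"

if __name__ == "__main__":
    derived = initials("My friend, Dorothy, was 35 last year!")
    for pw in ["Password38", "welcome", "qeadzcwrsfxv1331", derived]:
        print(f"{pw!r}: composition_ok={composition_ok(pw)} -> {verdict(pw)}")
```

“Password38” satisfies the composition rule yet is rejected once its trailing digits are stripped and the base word is compared with the list. An "accept" here only means the password is not a decorated common one; it says nothing about how long it would survive a cracking effort.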
No matter how secure we believe our passwords to be, they
will be broken by someone with sufficient incentive or opportunity. In the
workplace this will probably be the internal fraudster, but they won’t try and
guess a password, rather they will wait for their prey to leave their PC
unattended and unlocked, and/or will “shoulder surf” to acquire their victim’s
password. Similarly at home it may be that some unscrupulous visitor, friend or
even family member who has nefarious intentions will obtain a password in the
same way.
The ways in which our passwords become compromised are
normally due to negligence or forgetfulness, either ours or that of the owners
of the application or website we are using. The easiest ways to have your
access to whatever system, application or website compromised appear to me to
be either being the victim of a phishing attack, or a data protection breach
such as the theft by hackers of over six million LinkedIn user passwords in
June 2012. Keeping a list of your passwords on a Post-it note stuck to your PC
monitor is another good way and apparently more people do this than you would
imagine!
Identity theft is now sadly a fact of life and if someone
wants to break your password badly enough they will probably do so; I guess the
trick is to make their life sufficiently difficult that they move on in search
of someone who hasn’t been quite as rigorous in protecting themselves.
Oh, and by the way, my password is...