Passwords
I guess I’ve been on the Internet for about 10 years and a web developer for almost as long, and in that time I’ve seen the landscape of the Internet change quite considerably. Static HTML “brochure” sites have been replaced by CMS-driven e-commerce sites, and dodgy chat rooms have been replaced by knowledge forums, profiles and the dreaded blog.
But one thing that has changed very little (not just in that decade, but in many before it) is passwords. Passwords are very important: they are by far the most common security model, so why are we so bad at them? Often people just type the first thing that comes into their heads.
OK, so there are an awful lot of systems that request a password these days, and we can’t remember a different one for each, can we? Well, that was the opinion of a friend of mine, who ran into trouble when his girlfriend dumped him and then made extensive use of his “Book of Internet Passwords” - ouch.
The alternative (and very common practice) is to stick to two or three main passwords. Here’s a fun thing to try at home, kids: set up a really fun site that requires a password, then randomly change it after a week. When your users next log in they will try all of their common passwords one after another. Just record that information and, together with their e-mail address, you can now hack their entire life, starting with their e-mail account where password reminders for other sites will be sent. Just remember to buy something nice for them as a thank you from eBay, OK? (On their account, of course.)
And what passwords do people choose? Well, there are the classics: “god”, “jesus”, “password”, “letmein”, “opensesame”, “trustno1”, “qwerty” - to name just a few. Next, how about some football teams? “Arsenal”, “Chelsea”, “Westham”, “Liverpool”. While we’re at it, let’s have a few pet names like “Buster”, “Tigger” and “Smokey”, then maybe a few of the most popular children’s names like “James”, “Louise”, “Thomas” and “Tracy”. And for our grand finale, a few things that you might find on your desk: “calendar”, “speakers”, “coffeecup” and “mousemat”. Well, that should get you into about 90% of computer systems. For the remaining 10%, try running a dictionary against it, remembering to make a second pass where you change all the letters into numbers (harder to type but no more secure). Oh, and in particular, make sure your dictionary contains as many geeky references as possible; it should include every planet the NCC-1701-D has ever visited.
Hopefully you’re reading this and feeling pretty smug, happy in the knowledge that you are in the tiniest of percentages of people with a strong password that is not covered above. But what about everybody else? Chances are, if they do have a strong password, they can’t remember it and have probably written it down next to their computer in a book of passwords.
“The weakest link in any security system is always the user.”
Maybe biometrics are the solution, but I think it will be a while yet before fingerprint scanners are fitted as standard to every keyboard. What can we do in the meantime? Well, my advice would be to use two or more words per password, words that would otherwise not be seen dead with each other, and maybe your year of birth for good measure: “cloudyfootball1971”, for example. You should have at least three different passwords, based on the level of security required. For example, do not use the same password for online banking as for some random joke site. Have one for financial stuff, one for e-mail, and one for anything that you really don’t care about.
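As an added illustration (not code from the original post), here is a registration-time check written from the defender’s side: it rejects the classes of password described above, undoing the letter-to-digit substitutions before looking the word up, and accepts the two-unrelated-words-plus-year form recommended here. The wordlist is constructed from the post’s own examples as a stand-in for a real cracking dictionary, and the eight-character minimum is an assumed policy value.

```python
import re

# Constructed wordlist standing in for a real cracking dictionary; the
# entries are the classics, football teams, pet names, children's names
# and desk items the post lists.
WEAK_WORDS = {
    "god", "jesus", "password", "letmein", "opensesame", "trustno1", "qwerty",
    "arsenal", "chelsea", "westham", "liverpool",
    "buster", "tigger", "smokey",
    "james", "louise", "thomas", "tracy",
    "calendar", "speakers", "coffeecup", "mousemat",
}

# Letter-to-digit substitutions an attacker's "second pass" would try.
# Undoing them before the lookup is what makes "p455w0rd" no stronger
# than "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8  # assumed policy value, not from the post


def normalise(pw: str) -> str:
    """Lower-case and undo common digit/symbol substitutions."""
    return pw.lower().translate(LEET)


def check_password(pw: str, wordlist=WEAK_WORDS):
    """Return (ok, reason). ok is False for the password classes the post
    describes: a dictionary word, a word with digits appended, or a word
    with letters swapped for look-alike digits."""
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if lowered in wordlist:
        return False, "in common-password list"
    core = re.sub(r"\d+$", "", lowered)   # strip an appended year/digits
    if core in wordlist:
        return False, "dictionary word with digits appended"
    if normalise(core) in wordlist or normalise(lowered) in wordlist:
        return False, "dictionary word with digit substitutions"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["trustno1", "Arsenal1971", "p455w0rd",
                      "cloudyfootball1971"]:
        print(candidate, check_password(candidate))
```

A real deployment would load a full dictionary and a breached-password list into `WEAK_WORDS` rather than the handful of words shown here.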
Ideally, you should change your passwords frequently (especially if you fall out with your partner), but more importantly you should check your computer for viruses that might be logging your every keystroke.
Another area of vulnerability is “Password Hints”, for example “Name of pet” or “Mother’s Maiden Name”. The answers to these questions are often available on the Internet should anyone conduct a quick search or have a look at your profile. People who know you won’t even need to go to that trouble.
Password security systems can be safe, but only if you choose a good password. Do you really want to find out what happens if your password isn’t good enough?
I’ll spare the name of the company concerned, but way back in time when I had the privilege of doing some desktop support, we regularly had to work on the PCs of senior (male) managers.
Inevitably, their PCs were left logged out and without any details to work from. We quickly worked out that the quickest and safest bet was always to try the name of their secretary as the password.
In about two thirds of cases, that’s exactly what their password turned out to be.
Did their wives know?