Newsletter #157 Why Security Matters Online
As the Internet pervades more and more of our daily lives, we tend to forget the importance of something central to our use of it: security.
Normally we access our Net-based activities via a user name and password that authenticate us. In many cases we have long forgotten what this combination is; it's saved in our browser or on the site and we are 'auto-magically' logged in. There are inherent dangers in this process and in the way most people use the same details in multiple situations. When 1.5 million sets of user details were stolen from Gawker Media Group recently, spammers and hackers immediately used those credentials on other Websites.
Password strength is a major determinant of how easily an account can be broken into. The strength of a password is related to the average number of guesses an attacker needs to crack it.
There are a number of ways of breaching security that are unrelated to password strength but having a strong password will make it far harder for someone to take over your account. Firstly, the sort of password you don't want to have is one of these:
- A default password that is supposed to be changed (admin, password, guest)
- Dictionary words (apple, sillyfish, bunnyhop!), including those in non-English dictionaries and doubled words (passpass, treetree)
- Words with numbers added (john1234, password1, dog2001)
- Words with simple changes or replacements (p@ssw0rd, @adm1n) can easily be tested for with little extra effort
- Common keyboard sequences (fred, qwerty, 12345)
- Well known numbers (091101, 911, 111)
- Anything that is personal to you (jsmith123, birth date, phone number, user name)
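The patterns in this list can be checked mechanically. The following is an added example, not code from the newsletter: it strips added digits and punctuation, undoes the cheap substitutions (p@ssw0rd, @adm1n), looks for listed, doubled and joined words, and estimates the brute-force guess count from length and character classes. The word and number lists are constructed stand-ins for real wordlists.

```python
import math
import string

# Constructed stand-ins for the default-password, dictionary and keyboard-
# sequence lists a cracker tries first (a real check would load full lists).
WEAK_WORDS = {"admin", "password", "guest", "apple", "silly", "fish", "bunny",
              "hop", "pass", "tree", "fred", "qwerty", "john", "dog"}
WEAK_NUMBERS = {"12345", "091101", "911", "111", "1234", "2001"}
# Undo the cheap substitutions mentioned above: p@ssw0rd -> password, @adm1n -> admin.
LEET = str.maketrans("@4301!$5", "aaeoiiss")


def normalise(pw: str) -> str:
    """Lower-case, strip surrounding digits/punctuation, then reverse leet substitutions."""
    return pw.lower().strip(string.digits + string.punctuation).translate(LEET)


def is_weak_word(word: str) -> bool:
    """True for a listed word, a doubled listed word, or two listed words joined."""
    if word in WEAK_WORDS:
        return True
    half = len(word) // 2
    if len(word) % 2 == 0 and word[:half] == word[half:] and word[:half] in WEAK_WORDS:
        return True
    return any(word[:i] in WEAK_WORDS and word[i:] in WEAK_WORDS
               for i in range(1, len(word)))


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this password."""
    size = 26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
    size += 10 * any(c.isdigit() for c in pw)
    size += len(string.punctuation) * any(c in string.punctuation for c in pw)
    return size or 1


def assess(pw: str, personal: tuple[str, ...] = ()) -> dict:
    """Report the weak patterns found in pw and a naive brute-force guess estimate."""
    issues = []
    core = normalise(pw)
    if core and is_weak_word(core):
        issues.append("dictionary or default word" +
                      (" with digits, symbols or substitutions" if core != pw.lower() else ""))
    if pw in WEAK_NUMBERS:
        issues.append("well-known number or keyboard sequence")
    if any(p and p.lower() in pw.lower() for p in personal):
        issues.append("contains personal information")
    bits = len(pw) * math.log2(charset_size(pw))
    verdict = "weak" if issues or bits < 64 else "ok"
    # An exhaustive attacker needs, on average, half the keyspace.
    return {"issues": issues, "bits": round(bits, 1),
            "avg_guesses": 2 ** (bits - 1), "verdict": verdict}
```

A flagged password is weak regardless of its bit estimate, because the attacker tries the listed patterns long before resorting to brute force.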
There will be a move to more widespread use of other authentication methods in the future: methods that are unrelated to your browser session, that use graphical selections (better for mobile devices), and more. For example, Twitter has just introduced an optional two-step authentication process. This is in response to an Associated Press account being hacked recently, leading to tweets about explosions at the White House which temporarily wiped $136 billion from the S&P 500 index.
In the meantime there are two steps you can take to protect yourself better:
- Have a randomised password for important logins and keep track of them in a Password Manager like LastPass https://lastpass.com, PassPack https://www.passpack.com or other apps out there. You can generate a random password in many applications or on sites like The Bit Mill http://www.thebitmill.com/tools/password.html. The longer the better, and the more character sets used the better (numbers, punctuation, uppercase letters).
For sites where you can't auto-save the password, use something as random as possible, mixing special characters, numbers and different letter cases, built from a word that is not directly related to the site but memorable for you. For example: @N3wy0rK20) - I hope to visit New York by 2020 :-)
- Secure your device! Apparently more than half of mobile devices are not locked down in any way, so if your mobile is 'open' and it is stolen or lost, you've granted access to everything you auto-login to. Similarly, any desktop machine should require a password when the screensaver comes on.
How bad would it be if someone hacked your Facebook or email account? You think your email account is not that important? Well, where do most sites send lost-password requests? I've just randomised my Facebook password :-)