Avoiding common password perils
By: Rob Bamforth, Principal Analyst, Quocirca
Published: 17th December 2010
Copyright Quocirca © 2010

‘Tis the season to be jolly... and careful online. Not only is there a huge amount of digital commerce traffic in the run up to the Christmas holiday season, but there are also various nefarious ‘cyber’ activities affecting major websites, and passwords are being cracked on some social networking sites.

From phone hacking (phreaking) to social engineering, hacking and malware, there have always been those wishing to exploit network and individual vulnerabilities. Passwords, the first line of personal protection for any computer user, have been in use for several decades, but the internet opened up new risks, especially now that so many destinations require user registration. Not only do people do more online, they are signing up to a multitude of services from retail and social media to dealing with government bodies and utility providers, each service requiring a user name of some sort and a password.

Managing this is becoming a nightmare, and as news stories such as the recent breach at social networking service Gawker revealed, too many people have too simplistic a view of passwords. So the slowdown of the holiday season presents an ideal opportunity to review and change a few.

So what can a user do to make a password more secure? Well, there are many widely recommended good practices:

  • Make sure the password is sufficiently long: 8 characters is a good minimum.
  • Use a mix of upper and lower case letters, numbers and other symbols.
  • Have different passwords for different websites or services.
  • Change passwords regularly (or, better still, at random times).
  • Avoid names, dates of birth or other memorable numbers such as car registrations, national insurance numbers, etc.
  • Make substitutions, e.g. ‘3’ for ‘e’ or ‘$’ for ‘s’.
  • Add related suffixes or prefixes, e.g. ‘shop’ at the front of an e-commerce password.

Of course none of this is infallible: passwords can still be cracked by brute force, intercepted if transmitted in ‘clear text’, or simply watched over a shoulder by ‘shoulder surfers’. It should also be remembered that a ‘Colt 45 beats four aces’: real security requires more than just a clever password or two.

There is also the problem of user forgetfulness and laziness. Many systems that force regular password changes find that users either shuttle between two favourites or simply increment a counter at the end of the password. Passwords that are too difficult to remember may need continual resetting, and the reset process is itself vulnerable to interception.

Writing passwords down used to be frowned upon, and certainly the case of a user at a major telecoms company writing a password on a sticky note and attaching it to the side of his PC did not go unnoticed. However, if the written passwords are physically protected and kept safely out of sight, this may not be as bad an idea as it first seems. It is certainly better than storing them all in a word processing document, and is probably at least on a par with electronic password safes, since paper is at least a separate medium from the digital one being protected.

If memorable but not crackable is the goal, then a decent starting point is a one-liner with substitution. For example, take a memorable film, book or music title or quote (“Do they know it’s Christmas time at all”), use only the first character of each word (“DtkiCtaa”), add a prefix for use on a mobile carrier’s website (tel:DtkiCtaa), then substitute in your preferred way (“t3£:Dtk1Ctaa”). It might look a bit long, but after typing it a few times it will sink in, and it should be rather difficult for someone snooping over your shoulder on a train to remember.

Stick with the same idea, varying the prefix and perhaps the one-liner from service to service, and the result should be both more secure and less forgettable. Merry Christmas and a Happy and secure New Year.
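As an added example (not code from the article or from Quocirca), the Python below reproduces the derivation the article walks through (phrase initials, service prefix, substitution), checks the result against the bullet-point recommendations, and flags the lazy rotations the article describes. The substitution table and the sample personal strings are my assumptions.

```python
import re
import string

# Substitution table in the spirit of the article's advice ('3' for 'e',
# '$' for 's'); the '£' for 'l' and '1' for 'i' entries are assumptions
# chosen so that the article's own worked example is reproduced exactly.
SUBSTITUTIONS = {"e": "3", "l": "£", "i": "1", "s": "$"}
SYMBOLS = set(string.punctuation) | {"£"}


def derive_password(phrase, prefix="", substitutions=SUBSTITUTIONS):
    """Build a password the way the article describes: first character of
    each word of a memorable phrase, a service-specific prefix in front,
    then the user's own substitutions applied to the whole string."""
    words = [w for w in re.split(r"\s+", phrase.strip()) if w]
    initials = "".join(w[0] for w in words if w[0].isalnum())
    return "".join(substitutions.get(ch, ch) for ch in prefix + initials)


def check_rules(password, min_length=8, avoid=()):
    """Test a password against the article's bullet-point recommendations.
    'avoid' holds personal strings (names, birth dates, car registrations)
    that must not appear anywhere in the password."""
    lowered = password.lower()
    return {
        "min_length": len(password) >= min_length,
        "has_lower": any(c.islower() for c in password),
        "has_upper": any(c.isupper() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(c in SYMBOLS for c in password),
        "no_personal_data": not any(a.lower() in lowered for a in avoid if a),
    }


def passes_all(password, **kwargs):
    return all(check_rules(password, **kwargs).values())


def is_lazy_rotation(new, history):
    """Flag the rotations the article warns about: returning to an earlier
    favourite, or only bumping a counter on the end ('Winter09' -> 'Winter10')."""
    def stem(p):
        return re.sub(r"\d+$", "", p)
    return any(new == old or (stem(old) and stem(old) == stem(new))
               for old in history)


if __name__ == "__main__":
    pw = derive_password("Do they know it's Christmas time at all", prefix="tel:")
    print(pw)  # t3£:Dtk1Ctaa
    print(check_rules(pw, avoid=["Rob", "1985"]))  # constructed sample data
```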


Published by: IT Analysis Communications Ltd.