
We’ve recently been through a situation where the security of one of our websites was compromised. And while we will never be 100% certain how the site was accessed by this annoyance, it did make us look closely at how we could make the most of the security measures we use on the web.

The most blindingly obvious was the integrity of our passwords, because as a general rule we do what most people do and use one of three very simple passwords for all of our online logins. Why?? We all know this is a bad thing to do, but we do it anyway! My justification is that I have so many accounts online that it would be impossible to remember a separate password for every one of them.

And as we all saw last week, the compromise of LinkedIn saw many email address/password logins taken by hackers (one being ours). The point being that when this login combo is the same one you use on Facebook, Pinterest, Twitter or any of your other online accounts, you can see how far your exposure reaches. If they have access to one, they have access to all. And apparently it’s not hard for a hacker to write a computer programme that will try known username and password combos against various well-known sites.

So what makes a secure password?

Most people (myself included) are guilty of choosing a password that is very easy to remember, usually based on a combination of names, dates or a simple letter/number sequence. And as mentioned above, we tend to use the same password over and over again, usually in combination with our main email address.

Simple password: katrina1234

Easy to remember but easy for a computer to figure out.

Last year the top five most used passwords were:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123

Source: http://mashable.com/2011/11/17/worst-internet-passwords/

We have been told for many years that the best password is one that uses a random assortment of lowercase letters, capital letters, numbers and symbols. The reason we don’t always do this is that such passwords are absolutely impossible to remember. One trick we’ve all seen to make this a little easier is to take a normal password like katrina123# and replace some of the characters to ‘make it harder’, like K4tr!Na123#.

Medium password: K4tr!Na123#

Hard to remember and only moderately hard for a computer to figure out.

One suggestion that we came across while researching the best type of password to have is a ‘pass-phrase’. A pass-phrase is a password that uses 4 or more words, with or without spaces in between. It’s to do with the amount of ‘entropy’ your password has: the more entropy, the harder it is to crack. In technical terms, within information theory, entropy is a measure of the uncertainty associated with a random variable. So the more characters your pass-phrase has, the more entropy it has. For those of you with a desire to understand more about entropy, try looking here and here.

Now I don’t pretend for a minute to understand the science behind it, but just believe me when I say that a password using, say, 4 separate and unrelated words is a lot harder for a computer to crack than one word made up of a mixture of caps, small letters, numbers and symbols. AND the bonus – it is easier for a human to remember #winwin.

Strong password: super chickens hover lightly

Silly enough to remember and very hard for a computer to figure out.
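To make the entropy argument concrete, here is an added Python example (not part of the original post) that scores the three passwords used in this article the way an attacker would actually model them: count the independent choices the password was built from and add up their bits, rather than pretending every character was picked at random. The pool sizes (a 2048-word list, 1024 common first names, 8 substitution patterns, 32 symbols) are constructed assumptions in the spirit of the xkcd 936 estimate, not measured figures.

```python
import math

# Assumed sizes of the pools an attacker would search. These are constructed
# illustrations in the spirit of the xkcd 936 estimate, not measured figures.
WORDLIST_SIZE = 2048       # common-word list; log2(2048) = 11 bits per word
COMMON_NAMES = 1024        # first names an attacker would try first
LEET_VARIANTS = 8          # common substitution patterns (a->4, i->!, odd caps)
SYMBOLS = 32               # one trailing keyboard symbol
PRINTABLE_ASCII = 95       # alphabet size for a truly random character string


def pool_bits(pool_size: int) -> float:
    """Entropy of one choice made uniformly from pool_size equally likely options."""
    return math.log2(pool_size)


def pattern_bits(*pool_sizes: int) -> float:
    """Entropy of a password assembled from independent parts: the bits add up.
    This is the 'attacker knows the recipe' estimate, which is the honest one."""
    return sum(pool_bits(n) for n in pool_sizes)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Face-value entropy of a string IF every character had been chosen at random."""
    return length * pool_bits(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of word_count words drawn independently from a wordlist."""
    return word_count * pool_bits(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a pool of 2**bits at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


def compare(guesses_per_second: float = 1000.0) -> dict:
    """Score the three passwords from the post under the 'attacker knows the recipe'
    model, next to the misleading face-value figure for the medium one."""
    # katrina1234: a common name followed by a 4-digit number
    simple = pattern_bits(COMMON_NAMES, 10 ** 4)
    # K4tr!Na123#: name + substitution pattern + 3-digit number + one symbol
    medium = pattern_bits(COMMON_NAMES, LEET_VARIANTS, 10 ** 3, SYMBOLS)
    # What the same password would score if the attacker had to brute-force it blind
    medium_face_value = random_string_bits(len("K4tr!Na123#"), PRINTABLE_ASCII)
    # super chickens hover lightly: four words drawn at random from the wordlist
    strong = passphrase_bits(4)
    return {
        "simple_bits": simple,
        "medium_bits": medium,
        "medium_face_value_bits": medium_face_value,
        "strong_bits": strong,
        "strong_years_to_exhaust": seconds_to_exhaust(strong, guesses_per_second)
        / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>26}: {value:,.1f}")
```

The two figures for the medium password are the whole lesson: at face value eleven mixed characters look like roughly 72 bits, but once the attacker assumes "a name with a few substitutions, some digits and a symbol" it collapses to about 28 bits, barely better than the simple one. The four-word phrase is honestly about 44 bits even when the attacker knows the recipe and the wordlist, and it is the recipe-aware number that decides how long a cracking run takes.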

Password Strength cartoon from xkcd.com no.936

So my suggestion is to set about changing your passwords to pass-phrases where possible. Make each one a string of words that is silly enough for you to remember. If you need to note them down, just note down the first letter of each word in the phrase, or use an online password manager to help keep track of your passwords.

Please note, not all sites will let you use pass-phrases; they will still force you to use ‘random’ passwords, often with limits on the number of characters allowed. Just remember to change your passwords from time to time and make them as safe as you dare!

Also, no passwords in this article actually belong to me or any other living person I know.

More information: How to protect your company’s password (Mashable), Passphrase (Wikipedia), The Great Debates: Pass Phrases vs. Passwords. Pt 1 of 3 (Technet)