If I told you then I’d have to kill you

The Top 5 Worst Passwords Of 2011

1. password

2. 123456

3. 12345678

4. Qwerty

5. abc123

Let’s talk about passwords. We all use them, yet how many of us are really prepared for the end-of-the-world misery that may follow if our password is compromised?

What are the challenges to our password integrity?

  • Friends, colleagues, classmates
  • Cyber attack
  • Easy to guess passwords

Friends, colleagues, classmates

We all need to become responsible digital citizens with a clear understanding of the need to protect our own personal identity and password – and to respect those of others.

We see children and young people sharing ‘secrets’ as a measure of friendship.

‘If you were really my friend you would tell me your password.’

It’s a sign of close or special friendship when youngsters share everything, whether it’s a bar of chocolate or the key to their online and digital identity.

A key task for us as parents and teachers is to impress on the young people in our care that a password is private and must never be shared with anyone. Clearly this will cause some points of friction for those parents and carers who take a stand on Facebook and tell their youngsters that:

‘You can have a Facebook account as long as I know your password.’

If our children are to become confident and responsible digital citizens then we need to instil in them the message that their online identity must be protected and managed with as much care as their physical identity.

As adults we seldom model effective digital security and, like children, will share log-on details with colleagues, partners and friends. This should be a cause for concern for all of us.

At work I always log out of my desktop computer when I leave the room despite having known and worked with my colleagues for years. What am I afraid of? That they will use my computer to do something inappropriate or illegal?

No.

I log off to protect them.

If my computer is logged on in my name at all times, then if a ‘bad thing’ is traced to that device the authorities and police will ask:

‘Who had access to this account?’

My bewildered colleagues will reluctantly have to admit that we all had equal access and will fall under equal suspicion.

The solution? Always log off when leaving a device unattended, to protect the reputation of yourself and your colleagues. Avoid sharing passwords where practical (yes, administrators will often share a common account; in that case, consider recording the date and time of each use of the account) and understand that ‘It’s OK, I trust you’ is unacceptable practice in the workplace.

Cyber Attack

There are many ways in which your password and personal details can be ‘hacked’. At a rudimentary level somebody may locally or remotely log your keystrokes – and there is little defence to this other than ensuring that virus protection and security software is functioning and up to date on all your devices.

Similarly, hackers may attack the servers of the web-based service you are using. We see with increasing frequency news stories of services like Twitter and LinkedIn being hacked, with thousands of accounts compromised.

(More on this here: http://www.bbc.co.uk/news/technology-21304049)

Ultimately we need to have faith in these companies to have security in place, including encrypting our personal details. This is a useful reminder not to use the same password for a range of web services.
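To make concrete what “having security in place” means on the service’s side, here is an added example (not code from the post or from any of the services it names) of the difference between a service that stores passwords as they are typed and one that stores only a salted, slow hash. The storage format, the salt length and the iteration count are my own assumptions; the iteration count in particular should be tuned upward for production hardware. The point for the reader is the one the post makes: a breach of a well-run service exposes only hashes that still have to be cracked, and a weak or reused password is the thing that makes that cracking cheap.

```python
import hashlib
import hmac
import os

# Assumed parameters (not taken from the post): PBKDF2-HMAC-SHA256, a 16-byte
# random salt per user, and a work factor that makes each guess expensive.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def register_plaintext(store: dict, username: str, password: str) -> None:
    """The weak form: the record IS the password, so a database leak is a password leak."""
    store[username] = password


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh random salt means two users with the same password get different
    records, so a leaked table cannot be attacked with one precomputed list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def register_hashed(store: dict, username: str, password: str) -> None:
    """The hardened form: only the salted hash is written to the store."""
    store[username] = hash_password(password)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def login(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    return record is not None and verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample accounts; the passwords are from the post's "worst" list.
    weak, strong = {}, {}
    register_plaintext(weak, "alice", "123456")
    register_hashed(strong, "alice", "123456")
    print("plaintext record:", weak["alice"])      # the password itself
    print("hashed record:   ", strong["alice"])    # salt and digest only
    print("login ok:", login(strong, "alice", "123456"))
```

Note that the salted hash protects a good passphrase far better than a bad one: the record for “123456” is still only as strong as the time it takes an attacker to try the handful of entries at the top of every leaked-password list, which is exactly why the post’s advice on choosing a passphrase and not reusing it matters even when the service does everything right.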

We must be prepared.

We must be prepared for when our digital identity is compromised, in the same way that most of us understand that at some point in our lives we will be the victim of burglary. With this in mind we try to ensure we know what we will do when this bad thing happens. Simple precautions, and knowing where our insurance documents are, can help ensure damage to our lives is limited and not long lasting.

Take some time to research who you need to contact and the procedures you need to follow if any of your accounts are compromised or hijacked. Most of the social media sites have help pages and we must act quickly to help ensure possible damage to our online reputation is minimised.

Choosing a password.

As most of us will probably use the same email account to register for most of our social media accounts, I would suggest that its password is neither the same as nor similar to the passwords for your other services.

Set aside at least an hour to plan and design your password strategy. By doing this you will help ensure that you don’t choose a simple password when creating a new account for a new online service in the future.

Forget ‘password’ and think ‘passphrase’. Your passphrase needs to be a mix of special characters, letters and numbers – and not one that a friend, relative or colleague could guess easily.

Choose a passphrase someone else might choose, not one linked to you or your interests.

What?

Here’s an example:

When I was a young fella many of my friends liked a band called The Selecter. Let’s choose a passphrase for one of my friends from 30 years ago.

One of their songs is:

On My Radio

Let’s run those words together:

Onmyradio

Now that’s starting to look like a password. Let’s add a special character and replace a letter with a number:

Onmyr4dio^

The passphrase looks complicated but to you it remains easy to remember.

You can now use this as the basis for passphrases for other sites. Think about a rule you will apply to make the passphrase unique for each service. For example you might decide to use the last letter of the service you’re signing in to, at the end of the passphrase. So if you wanted a passphrase for Twitter you would add ‘r’ to the end of the passphrase:

Onmyr4dio^r
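The procedure above (run the words together, swap in a digit and a special character, then append a per-service letter) is easy to write down as code, and doing so lets you check a candidate the way a registration form would. The block below is an added example, not code from the post: it implements the post’s per-service rule, checks a candidate against the five passwords the post lists as the worst of 2011 and against a character-mix rule, and estimates the naive brute-force search space. The minimum length of 10 and the set of “special” characters are my assumptions, not figures from the post. It also reports how much two per-service variants have in common, which is the caveat a practitioner would want: variants built from one base share everything but their last character, so a breach at one service leaves very little for an attacker to guess elsewhere, which is what makes the post’s advice not to reuse the email account’s password so important.

```python
import math
import string

# The five entries the post lists as the worst passwords of 2011 (lower-cased).
WORST_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123"}

# Assumed policy values, not stated in the post.
MIN_LENGTH = 10
SPECIALS = set(string.punctuation)


def derive_passphrase(base: str, service: str) -> str:
    """The post's rule: append the last letter of the service name to the base."""
    service = service.strip()
    if not service:
        raise ValueError("service name must not be empty")
    return base + service[-1].lower()


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to search, by character class."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return size


def naive_entropy_bits(pw: str) -> float:
    """log2(charset ** length): an upper bound that ignores dictionary structure."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def check_passphrase(pw: str) -> list:
    """Return the list of policy problems; an empty list means the candidate passes."""
    problems = []
    if pw.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special characters")
    return problems


def common_prefix_length(a: str, b: str) -> int:
    """How many leading characters two passphrases share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    base = "Onmyr4dio^"
    for candidate in ["password", base, derive_passphrase(base, "Twitter")]:
        print(f"{candidate!r}: {naive_entropy_bits(candidate):.1f} bits,",
              check_passphrase(candidate) or "passes")
    twitter = derive_passphrase(base, "Twitter")
    facebook = derive_passphrase(base, "Facebook")
    print(f"{twitter!r} and {facebook!r} share {common_prefix_length(twitter, facebook)} "
          f"of {len(twitter)} characters")
```

The entropy figure is deliberately naive: it treats “password” as eight letters drawn at random, which is why the worst-list check comes first and overrides it. A real registration check would also test the candidate against a much larger leaked-password list than the five shown here.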

We can’t make a secure passphrase that will never be compromised, in the same way we can never be sure we won’t lose our wallet or our car won’t be stolen. What we can do however is reduce the chances of it happening and be prepared for how we will limit the damage to ensure our digital reputation and integrity remains intact.

Take care out there. ’Tis a jungle.

Useful links

What to do when your Facebook account is hacked

What to do when your Twitter account is hacked

2 Responses to If I told you then I’d have to kill you

  1. Emmadw says:

    I too, have a similar approach to password creation; but, the drawback can be …
    1: Some site or other demands that you use &^%$ etc., – while another won’t let you use them.
    2: Sites get compromised – and make you change a password; so, given your example above, you’d have to have changed Onmyr4dio^r to say, Onmyr4dio^T … and then twitter will be hacked. Again …
    3: Sites change names … so, you started off creating a password for “readitlater” – now it’s called pocket …
    4: Then, you get the odd site (esp. those that only ask you to enter your password once on account creation) that promptly emails the password back to you ….

    So, you still have to remember the weird ones!

    (I also find it frustrating when you have a site you feel isn’t that important that gets its knickers in a knot when you don’t have uppercase, lower case, non-alpha character & at least 10 chars … and it’s just a blog you want to comment on & you’re using a throwaway email addy to do it with …)

    • PatParslow says:

      And worse, some which insist you /don’t/ use some types of special characters! Or limit your password to being between 6 and 8 (presumably inclusive ;-)) characters.

      I find it handy to have a little story which makes sense to you, and from which you can extract the sort of info which can make up a strong password. If I was coming up with a password for this site, using that type of technique the reasoning may go…

      “Simfin is a synthetic shark who makes people juggle in front of pelecons” – although some of the knowledge in there may be semi-public, it isn’t something many would guess.

      Longest word in that has 9 characters, and I might use a rule which says something like:
      Hold down shift and type number of characters in first 6 words, then use initials from last 4 words with last in caps:
      ^”!(%£ifoP

      It isn’t perfect, as the word-length rule will bias things towards $%^ but it is a rule which is quite easy to remember, passphrases are easier to remember when they are amusing (I am easily amused) and it avoids having a ‘dictionary word’ in your resulting password.

      My main problem is having to come up with new algorithms each time I describe the process to other people😉
