Passwords are one of the many lines of defense against intruders. Your castle guards -- the login programs and the like -- believe that you are who you say you are because you have your password. Therefore, it is important to strengthen the passwords and safeguard them.
Here is a list of “don’ts” with passwords:
- (a) Use simple passwords (please refer to the list of guidelines at the bottom of this article)
- (b) Write passwords on pieces of paper and leave them on your desks
- (c) Use the same password for all applications (and for personal use such as Internet banking)
If you do, I strongly recommend that you get your IT department/company to help you put the right policies in place and educate the users, as a matter of priority.
Even if you don't do (a), (b) and (c), there are clever ways for hackers to get your passwords.
Here are some ways in which hackers can get hold of your passwords:
| Method | What they do |
|---|---|
| Keystroke loggers | These programs track the keys you type when you are at specific websites and then pass the information on to the criminals who installed it on your machine. |
| Brute Force | These programs attempt to crack the password using every combination of numeric, alphabetic and special characters available no matter how long it takes. Usually this is done 'offline' or on an online system where no account policies have been set, e.g. lock account after 3 bad attempts. |
| Dictionary Attacks | These programs try words from a word list (dictionary words, names, common passwords) and simple variations of them, rather than every possible combination, which makes them far quicker than brute force against passwords based on real words. |
| Listening on the network | Malicious users listen in on the traffic on a network segment. This practice, known as "packet sniffing", means that if passwords are transmitted in clear text over the network, the miscreants can pick them right up. |
Here are some ways in which you can make password-theft more difficult.
| How to stop the password thieves |
|---|
Two factor authentication
Under this system, you carry a small gadget with a screen in your pocket. The number on the screen changes periodically (say every minute or so). When you want to log in, you enter a four-digit code that you already know (your password) followed by the digits currently shown on the gadget, and the server uses both to authenticate you. Bill Gates predicts that this is the future of password security.
Bendigo Bank recently started using this method of authentication for online banking.
Scratchy cards
A commercial bank in Sweden introduced a different method of securing logins. To log into their online banking, you need to enter your password and your Swedish National Number. For additional security, you also scratch a ('scratchy') card that carries 50 codes. You need to use the codes, one by one, each time you log on or perform a transaction.
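As an added example (my own sketch, not the banks' or the article's code), here is the server side of both schemes in Python: an HMAC-based time code standing in for the gadget (a TOTP-style construction assumed here; the real devices may differ) and a scratchy card whose codes are accepted only once and only in order. The shared secret, the password hash and the card codes are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a shared secret for the gadget and an unsalted SHA-256 of the
# password stand in for a real key and a properly salted, slow password hash.
TOKEN_SECRET = b"demo-shared-secret-not-for-real-use"
PASSWORD_HASH = hashlib.sha256(b"1234").digest()
STEP_SECONDS = 60          # the gadget changes its number "every minute or so"
DIGITS = 6

def gadget_code(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Number the gadget shows during the current time window (HMAC-SHA1 of the window counter)."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation as in HOTP
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_login(password: str, code: str, now: float) -> bool:
    """Both factors must check out. One window of drift either side is tolerated for clock skew."""
    pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), PASSWORD_HASH)
    code_ok = any(hmac.compare_digest(gadget_code(TOKEN_SECRET, now + d * STEP_SECONDS), code)
                  for d in (-1, 0, 1))
    return pw_ok and code_ok                             # fail if either factor fails

class ScratchCard:
    """The codes on a scratchy card: each works once, and only in the printed order."""
    def __init__(self, codes):
        self._codes = list(codes)
        self._next = 0

    def codes_left(self) -> int:
        return len(self._codes) - self._next

    def redeem(self, code: str) -> bool:
        if self._next >= len(self._codes):
            return False                                 # card used up: the bank must issue a new one
        if not hmac.compare_digest(self._codes[self._next], code):
            return False                                 # wrong or out-of-order code; nothing is consumed
        self._next += 1                                  # a used code can never be replayed
        return True

if __name__ == "__main__":
    t = 1_700_000_000
    print(verify_login("1234", gadget_code(TOKEN_SECRET, t), t))          # True
    card = ScratchCard(f"{i:04d}" for i in range(50))                     # constructed codes
    print(card.redeem("0000"), card.redeem("0000"), card.codes_left())    # True False 49
```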
As you can imagine there are many more ways to protect your passwords.
We can add several layers of protection to secure our data and passwords. However, it really depends on your budget and needs. Even if you don't do much else (security-wise), at least use stronger passwords and make them expire regularly.
Having a 'strong' password does not guarantee that it will never be harvested, but it is at least a step in the right direction.
| Guidelines for creating “strong” Passwords |
|---|
Did you know that the most commonly used password for computer applications is "password"? Passwords need to be 'stronger' than that in order to minimise break-ins. Here are some tips for creating the appropriate passwords:
- Don’t use dictionary words: all real words are easy to guess. Avoid using any words, including words in foreign languages, swear words, slang, names, nicknames, etc.
- The names of family, friends and partners, anniversary dates, car registrations and telephone numbers are the first thing potential crackers will try when guessing your passwords.
- Try to pick acronyms, mnemonics, random letters, etc., or insert non-alphabetic characters in the middle of a word, replace letters with numbers (‘o’ to zero, ‘I’ to 1, ‘E’ to 3), etc.
- Use a mIxTuRe of UPPER and lower case.
- You must include a number (0-9) somewhere in the password. Try to fit this in somewhere inside whatever letters you choose, instead of at the end or beginning of the password.
- When changing passwords, change more than just the number: perhaps move its position within the password, add or subtract letters, change capitalisation, etc.
- However, choose something you can remember. It is no good having a password like “h498cj3t34” if you have it written on a Post-It Note stuck to your monitor! If you must have a reminder or hint, use something cryptic that only you can understand.
- Never tell anyone else your password or allow them to log in as you (except I.T. staff, if necessary!).
- Avoid letting other people watch you key your password in, and avoid anything that is easy to pick up from watching, like “qwerty12345”.
- Don't re-use old passwords.
- Have the system force you and the other users to change the passwords every 3 months.
- Have different passwords for different accounts/applications.
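An added example (my own code, not the article's) that turns the tips above into a checker. It goes a little beyond the list: before the dictionary lookup it undoes number-for-letter swaps and strips inserted symbols, because crackers' word lists already contain those variants, so a swap on its own does not turn a word into a strong password. The word list, the 8-character minimum and the personal-detail set are constructed assumptions.

```python
import re

# Constructed stand-in for a real dictionary and name list; a real checker loads a large one.
WORD_LIST = {"password", "welcome", "summer", "dragon", "letmein", "monday", "bendigo"}
# Swaps the article suggests ('o' to 0, 'I' to 1, 'E' to 3, ...). Cracking word lists include
# these variants, so the checker undoes them before looking the word up.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_LENGTH = 8            # assumed minimum; the article does not state one

def check_password(pw: str, previous=(), personal=()) -> list:
    """Return the guideline violations found; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs a mIxTuRe of upper and lower case")
    digit_positions = [m.start() for m in re.finditer(r"\d", pw)]
    if not digit_positions:
        problems.append("must include a number")
    elif all(i in (0, len(pw) - 1) for i in digit_positions):
        problems.append("put the number inside the password, not only at the start or end")
    core = pw.lower().translate(UNLEET)               # Passw0rd -> password
    letters = re.sub(r"[^a-z]", "", core)             # pass!word -> password
    if core in WORD_LIST or letters in WORD_LIST or any(w in letters for w in WORD_LIST if len(w) >= 5):
        problems.append("based on a dictionary word; swapping or inserting characters does not hide it")
    if any(item and item.lower() in pw.lower() for item in personal):
        problems.append("contains a name, date or number that people who know you would try first")
    if pw.lower() in {old.lower() for old in previous}:
        problems.append("re-uses an old password")
    if re.search(r"qwerty|asdf|1234|abcd", pw.lower()):
        problems.append("keyboard or counting pattern, easy to pick up by watching you type")
    return problems

if __name__ == "__main__":
    for candidate in ("password", "Passw0rd", "Summer2024", "Qwerty123", "Tq7!wBz9pL"):
        print(candidate, "->", check_password(candidate) or "OK")
```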