Given the recent spate of password thefts (e.g. at LinkedIn, Sony, RSA and eHarmony), which are increasing at a rate of circa 300% per annum, we thought it might be apt to give some quick advice on the use of passwords to our cyberspace audience, whether in business or not. Why now? Because an estimated 80% of internet users use the same password for multiple sites, and thus if, say, six million passwords are stolen, as was roughly the case with LinkedIn, it is conceivable that at least 120 million password-protected accounts were affected.
If you want to learn more, there are many good articles available on the web, or alternatively you can always contact us. A good starting point is Dan Goodin’s very erudite article in Ars Technica about passwords. If you read this article you may never choose a password the same way again! Also, Verizon’s latest annual Data Breach Investigations Report (April 2012) contains many interesting and relevant facts, though it takes time to find those related to password abuse.
The problem with stolen or compromised passwords is not limited to the owner of the password, though. For those of you with websites to maintain, not only can your employees cause considerable damage if their passwords are compromised, but so too can your customers. If they need educating in this regard we can help.
You will no doubt be aware that most mobile phones have preset passwords and that, in the recent scandals in the UK about hacking into mobiles, phones were apparently sometimes exploited using these, as Piers Morgan, better known in Companies House as Piers Stefan Pughe-Morgan, allegedly acknowledged.
It is of note that, since this article was originally published, tales of the expected have occurred and High Court writs have been issued in respect of alleged phone-hacking at the Daily Mirror when Piers Morgan was the editor. Piers Morgan has denied any personal involvement in any wrongdoing. So did Rebekah Brooks of the News of the World prior to being charged with various alleged crimes, including four counts of conspiring to intercept communications unlawfully, one of which related to the murdered schoolgirl Milly Dowler.
What may surprise many of you, though, is that mobile phones are not the only equipment used in cyberspace with preset passwords (and user names), and criminals know this: they search for those using systems or devices that are protected by standardised “presets”, which are of course widely known, and use them to break into the owners’ websites. If you or your business use any systems or devices with “presets”, or you aren’t sure whether you do and need help closing the doors, so to speak, then do not hesitate to contact us.
As for creating your own passwords, we have some boring but important advice for you. First of all, keep your passwords and usernames safely stored behind a secure password (please see later). There are secure storage programs available (e.g. Password Safe or LastPass), which incidentally are often only as good as the password that you choose to secure them with or how you protect that password.
When setting your passwords, preferably use a random password generator (there are many free on the web, such as this one, which will generate 50 passwords of up to 64 characters in length for free). A rule of thumb is to make sure that each password contains at least 13 digits/letters, with one or more of those being a symbol such as a comma, and letters being a mix of upper and lower case. All your passwords should be different from each other and changed once every six months, or more frequently if particularly sensitive.
If you are still reading this article, we’ve saved the worst news until last. After trawling the web for reliable data, we estimate that our average reader will have a minimum of 25, but more likely over 100, accounts that require the use of passwords. So if you are going to treat your password security seriously, you had better set aside some serious time to start sorting it out. If required we can help in this regard, because if you don’t, as Dan Goodin explains, it is almost inevitable that one day you will regret not having done so.
We have kept this article simple and have not even broached the topic of encryption and passwords. If you need more sophisticated assistance, please do not hesitate to contact us.
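For readers who would rather generate passwords locally than on a website, the rule of thumb above can be implemented with Python's standard secrets module. This is an added example, not part of the original article or of any generator it links to; the symbol set, the default length of 16, the function names and the account names are assumptions.

```python
import secrets
import string

# Rule of thumb from the article: at least 13 characters, one or more
# symbols, and letters in a mix of upper and lower case.
MIN_LENGTH = 13
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{}~"  # assumed set; some sites accept fewer
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_rule(password):
    """Return True if the password satisfies the article's rule of thumb."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in SYMBOLS for c in password)
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
    )


def generate_password(length=16):
    """Draw characters from the OS CSPRNG and retry until the rule is met.

    Rejection sampling keeps every compliant password equally likely, which
    forcing a symbol into a fixed position would not.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_rule(candidate):
            return candidate


def generate_for_accounts(accounts, length=16):
    """One distinct password per account, so one breach exposes no other login."""
    result = {}
    for account in accounts:
        password = generate_password(length)
        while password in result.values():  # vanishingly unlikely, but enforced
            password = generate_password(length)
        result[account] = password
    return result


if __name__ == "__main__":
    # Constructed account names, for illustration only.
    for name, pw in generate_for_accounts(["email", "bank", "forum"]).items():
        print(f"{name}: {pw}")
```

The generated values belong in the password store described above, not in a text file or browser history.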
This article was first published on 30th August 2012.