How to pick the perfect password

By Chris Foxx

Technology reporter
A folder labelled 'passwords'Image copyrightThinkstock
Hackers have managed to decode more than 11 million encrypted passwordsstolen from the Ashley Madison website, shining fresh light on the importance of password security.
On Tuesday, the UK government agency GCHQ published new password guidance designed to "improve security, while improving the usability of systems".
Its report challenged some common ideas about passwords and security. So how do you choose, and just as importantly remember, the perfect password?

A complex issue?

A folder labelled 'passwords'Image copyrightThinkstock
Image captionComplex passwords lead people to write them down
Many websites demand complex passwords with a mixture of upper and lower case letters, numbers and symbols.
The GCHQ report suggested complex passwords may actually be counterproductive, because people often write them down or reuse the same one on many websites.
"Talking about a good password suggests that choosing a long or complex password offers better protection. That is not necessarily the case," said Dr Steven Murdoch from the Department of Computer Science at University College London.
"Secure systems should not just rely on a single password, but have additional technical controls which the system owner can use to detect abnormal behaviour and protect the user's account."
Using symbols and punctuation is also a nuisance for people using mobile devices.
"Complex passwords are hard to type on touchscreens, since you have to toggle between keyboards," said Dr Angela Sasse, UCL's head of information security research.

Strength in length?

A password entry promptImage copyrightThinkstock
Image captionLong passwords are harder to crack - but can still be stolen
Some security experts have recommended the adoption of "passphrases", such as "Iown50%ofSClub7albums".
They are easier for people to remember and provide more protection from "brute force" attacks, where a computer tries countless combinations of passwords until the right one is found by chance.
"A longer password is preferable overall, but that has its own problems," Dr Sasse told the BBC.
"More than 50% of passwords are now entered on touchscreen devices, and longer passphrases create a significant burden on touchscreen users.
"Passwords are rarely cracked by brute force. They are mostly captured through phishing and malware, and with those attacks it does not matter how long or complex your password is."

Should I change my password often?

A man touching a screenImage copyrightThinkstock
Image captionForcing monthly changes led people to reuse passwords, according to GCHQ
Many companies force you to change your password frequently - some every 30 days - so that any leaked passwords would only be temporarily useful to attackers.
But the GCHQ report suggests this leads people to choose incremental passwords and reuse the same password on a number of sites.
It said enforcing regular changes "imposes burdens on the user" and "carries no real benefits as stolen passwords are generally exploited immediately".
"Regular password changing harms rather than improves security."

What about using a password manager?

Password Chef appImage copyrightPassword Chef
Image captionPassword Chef stores 'recipes' rather than passwords
Some people use a dedicated app or website to store all their passwords, so they can easily retrieve one if they forget it.
The downside? The app is password protected - so you end up with another password to remember.
An app hoping to tackle that problem is being developed in the US. Rather than storing your secret codes, Password Chef stores 'recipes' instead, which can remind you of your password.
The maker says it wants to help people generate more complex passwords that are also easy to remember.
However, no password manager is infallible.
"This app offers extra protection by storing memory cues about the password, rather than the password itself," said Dr Sasse.
"It can help to reconstruct passwords you rarely use, but research has shown that even when people remember something such as the name of their school, they can't reproduce the name exactly as they used it in their password.
"Plus if I manage to steal your phone, I could look up your recipes and find the information they reference, as it is probably on your Facebook page."

So what should I do?

A smartphoneImage copyrightGetty Images
Image captionMany websites offer two-factor authentication
Many websites now offer two-factor authentication. In addition to entering your password, you also enter a single-use code, typically sent to your mobile phone.
Facebook, Google and Twitter already offer the feature for free.
"This offers a substantial improvement in security, so if it is available you should definitely consider it. Many banks insist their customers use it," said Dr Murdoch.
The Ashley Madison leak shows you can never be certain that a website is entirely secure, so it makes sense not to reuse passwords across multiple sites.
The GCHQ report said people in the UK typically use the same password across four online accounts.
"Never reuse important passwords (like for online banking) on other websites," said Dr Sasse.
"Not all websites protect their passwords properly, or your password may be captured by malware. Use unique passwords with a password manager to keep track of them."

Comments

Post a Comment

Popular posts from this blog

VITZ “INSERT MAP CD” SOLUTION

Image
By   Moonis ( zaitron )   on   December 3, 2010 For those of you who have a JDM navigation system installed in their Toyota (vitz, belta, axio, etc) and get the following message on their navigation system “INSERT MAP CD”, i have the solution for you. All that the system needs is a boot CD that will bypass this message. After that you will be able to use most of the features of the system like controlling the treble/base, maintenance log, etc. Everything, apart from the actual GPS navigation will be activated (for that, you require a map file of Pakistan, which unfortunately isn’t available for any system apart from Garmin). Usually you can go to the market (audio stores) and pay Rs.500-2000 for them to unlock your system. Instructions: First thing you need to do is to know the model number of the system you have installed in your car, for eg, NDCN W55 etc. (Model number is usually written at the bottom right of the unit). After that, download the file from mega
Read more

Make ready your horses !

Image
Assalam o alaikum, I just wanted to share a thought that has come to my mind regarding war in which nuclear weapons could be used. I might be wrong in my perception but I just thought to share it and get valued opinions of the members. Quran says: "Tayyar rakho apni taqat aur apni quwwat aur zara-e-jang ke sath, takey HAIBAT tari ho jaey unke dilon per jo dushman hen Allah ke aur tumharey dushman" I have highlighted the word 'Haibat'. It means to strike terror into the hearts. Being a muslim it's our firm belief that every single word of Quran is full wisdom. Quran talks not about 'destruction' of the enemies. It does not say that we should be equiped with modern weaponary so that our enemy is 'Destroyed' by it. It says that we should be equiped so that we can strike terror into the hearts of our enemies. If we observe, this is exactly what has stopped India from attacking Pakistan on a number of occassions. E.g. After attac
Read more

Halal and Haram in Chocolates and Ice Creams

Image
HALAL & HARAM DIRECTORY O believers ! Eat of the good things that We have provided you with and give thanks to Allah. (2: 172) Though thorough research has gone into producing this guideline, it is by no means complete and only covers the common products as it is very difficult to obtain exactly the listing of halal and haram ingredients present in all products. Also, companies are constantly changing their product ingredients and Muslims should always be aware that what is originally certified halal might in the future be haram and vice versa. Due to aggressive campaigning by The Vegetarian Society, UK, most products now display their symbol ‘Suitable For Vegetarians’ which means that there is NO animal content in that particular product, making it halal. However, a product can still contain alcohol, making it haram . Please check. Points to note: · Medicine containing alcohol is not permissible unless on authority of a doctor with no alternative med
Read more