Friday 2 May 2014

Mmegi - Your password can’t be trusted

The passwords you use on your computer can’t be trusted.

They can’t be trusted because you can’t be trusted. You and I simply can’t be trusted to pick passwords that are reliable enough. Almost all of us, myself included, choose passwords that are meaningful to us. Some of us choose the names of our children, our partners or our dogs. Others choose their home towns, their holiday destinations or their favourite foods.

The trouble is that these can probably be discovered quite easily from your Facebook or LinkedIn accounts. Even worse is that if you’ve used any word as your password a determined hacker can break it in moments using what they call a “dictionary attack”. Their computer simply sends every word in a dictionary to the web site or service you use and sooner or later it’ll guess the right one.

On solution is to use more complicated or “stronger” passwords. I used to think that it was enough to take a simple word that was familiar to me, say “mmegi” (which could easily be found in a dictionary) and then just change one letter to make it into a word that couldn’t be found like “mmogi”. But I suspect that’s not good enough any more. Password crackers are becoming more and more resourceful and we need to take much better measures to protect ourselves.

Many web sites will now tell you how strong the password you’re choosing is. The simplest way to select a strong password is just to make your password a lot longer than usual. Think about it. Every additional character you add can make it up to 75 times more difficult for a password cracker to guess if you include both lower and upper case characters, numeric digits and special characters. For instance if you choose a 5-digit password (like “mmegi”) there are just over 2 billion possible passwords you could choose from. If instead you decide to use a password that has 10 characters (like “MmegiToday”) you’re making it 5.6 quintillion times more difficult for someone to guess. Make it 15 digits (like “MmegiFriday28-4”) and I don’t even know how to write how much more complicated it is (it’s 13 followed by 27 zeroes).

Of course this is all useless if you do something stupid (and trust me, I’ve seen this) like writing your password down on a sticky label and attaching it to the side of your computer’s screen. That’s asking for trouble.
Image c/o Wikipedia

But even if we do all of this and select the strongest passwords possible we’re still at risk. You may have heard recently of “Heartbleed”, a flaw that was found in OpenSSL, one of the encryption tools used on servers all over the web. The popularity of OpenSSL meant that this flaw was so widespread throughout the internet that companies as big as Facebook, Yahoo, Google and Wikipedia were shown to be vulnerable. Of course they all worked very hard and very quickly to patch the problem but for a few days we were all being advised to consider changing our passwords. The irony was that if a web site you used was exposed, changing your password could have been the worst possible thing to do. Any hacker who had already breached that site’s security by exploiting Heartbleed would then have seen your new password as easily as he saw your old one. It was only when the breach had been filled that you should change your password.

The good news is that the Heartbleed flaw has been fixed by most organisations and you’re probably safe. The bad news is that there are many more security flaws out there, plenty of them, we just don’t know about them yet. Every couple of months there’ll be another flaw that’s discovered and we’ll panic and over-react again every time. There’s nothing you and I can do about it, our job as consumers is to do our best to protect ourselves by choosing strong passwords and by keeping them entirely safe from prying eyes.

You’ll also have seen that Microsoft has finally withdrawn support for older computers running Windows XP. Frustrating as it is, we have to move on. Windows XP has been around for 12 years which is a lifetime in the IT world and it’s become increasingly expensive for Microsoft to keep XP up-to-date. Your choices are simple. Continue using XP and expose yourself to increasing levels of risk, disconnect your old PC completely form the internet, upgrade to a more recent version of Windows that is supported (if your computer can run it), upgrade to a newer computer or migrate to a completely different operating system such as one of the many free versions of Unix.

One alternative that you might consider is not even knowing your own passwords and relying instead on technology to do it for you. There are several password manager applications you can download, some laptops even come with them installed. These apps decide your passwords for you, choosing extremely strong passwords, remember them for you and enter them when you need to sign on. The one I use even stores all these passwords, in an encrypted format online so that my laptop, phone and iPad all have access to these passwords. It really does make life a lot simpler and more secure.

Online security is a bit like the traditional security you might consider for your home or office. Having a combination of fences, dogs, infra-red beams, barred windows and internal motion sensors will offer you a level of comfort at home, but nobody would ever say it’s foolproof, you’re just giving yourself the best chance of safety. Think of online security in the same way. The more things you do to protect yourself the better. Never use the same password for different services, use strong passwords, consider using a password manager and keep your system as up-to-date as possible.

So far most of us have been lucky and haven’t had our passwords cracked. But it will happen to you soon if you don’t protect yourself.

No comments: