Tuesday 14 December 2010

Internet security

Nowadays many websites require users to login to access their content. Users tend to be aware of security when it comes to banks, but they think less about their security when it comes to the thousands of other websites they can access - from blogs to the Times.

Recently Gawker Media had their user database hacked, and details of the 1.3 million accounts are now available on many servers. They run many on-line services, including Gizmodo, a tech gadgets website.

The passwords are all encrypted, but that does not mean that they are safe from what are called brute-force attacks. I, of course, never use (say) DavidCotton or 17021971 (my name and my date of birth [*]) as my passwords. But I may be tempted to use dictionary words instead, especially when they are easy to remember.

Programmer John Graham-Cumming has downloaded the hacked list and found seventeen people he knew on the list. After informing them first, he quickly guessed the passwords of three of them.

Some of the accounts have been compromised. Over 3,000 people had a password of '123456', and an amazing 1,900 people used 'password' as a password. Details can be found on his blog.

Please, please, please use better passwords than this. Use this opportunity to think of all the Internet sites that you regularly use and change the passwords to something more secure. Do not use the same password for more than one site, as that means that if one site is compromised, so are all your accounts that use the same password.

If you have trouble remembering them all, then use a password manager like the excellent KeePass.

If you want to create a memorable password that is relatively secure, then try the following method:
1) Choose a memorable word of six characters as a seed, e.g. 'father'
2) Choose a memorable number, e.g. the year of your mother's birth. Say 1944.
3) Split the number into two, and insert after the second and fourth characters: 'fa19th44er'
4) Make two of the letters uppercase 'Fa19th44Er'
5) Add some punctuation: 'F*a19th44E&r'

This may seem complex, but it is remarkably easy to remember several passwords using this sort of system. Feel free to vary it, for instance by changing where you insert the numbers within the seed word. To make it easier, you can make the word something related to the website. For instance, on Blogger you could use 'Dashboard' as the seed word, which is at the top of the page whenever I go to blogger.com.

This may not work for you. But please use secure passwords. If you do not, then you are making the hackers' jobs easy.

[*] Naturally enough, that is not my real birthdate. Also do not tell anyone your technique for generating the passwords; the one detailed above is quite different from the one that I use.
