20 November 2007

How Safe Are Your Passwords?

What better present could Her Majesty the Queen want from her Government on her diamond wedding anniversary than the effective guarantee that they will not be able to introduce their ill-conceived ID card scheme?!

Rather ironically, as the news was breaking today about HM Revenue and Customs' loss of the names, addresses, dates of birth, and bank account details of every family in the country in receipt of child benefit, I was reporting back at work on a computer security review I recently conducted across our international organisation, and reminding colleagues of the need for every computer and all electronic communication to be protected by basic precautionary measures such as boot passwords, regularly updated anti-virus and anti-spyware software, a firewall, and encryption.

Of course, even with encryption, the passphrase is typically the weakest link in the information security of most individuals and most organisations. Top passwords include "password", "passwd" and "pass" and, among Christians, "godblessyou" and "Jesus". Then there are simple keyboard combinations such as "123456", "asd123", and "qwerty". And, of course, people's names, dates of birth, postcodes, favourite hobbies, and favourite sports teams. Since most of us have now got wise to the need to include digits as well as a mix of upper and lower case letters, all of these are frequently followed by a number, more often than not a single digit, and usually "1", which makes "password1" one of the most common passphrases. And simply choosing a word (in any language, even slang or other jargon) won't delay any hacker with a basic dictionary search programme.

The other problem with most people's passwords is that they use the same one (or two) for their online banking, their email accounts, the various sites they log in to online, and their computer (if it has a password at all, it may only be a Windows login password, which offers very weak protection, rather than a boot password and screensaver password). So, once a hacker or fraudster obtains one password, they are well on their way to stealing their victim's identity.

So, if you find your password described above, now might be a good time to protect your identity and personal information a little more securely. Try to include non-alphanumeric characters and make each passphrase at least eight characters long. And perhaps choose a phrase rather than a word and use the initial letter of each word in the phrase as your password, with a couple of easily remembered substitutions, e.g. "Tk2mc1nmDOB!" (The key to my computer is not my date of birth!).
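As an added illustration, not code from the original post: a small Python checker that applies the post's own rules (the weak passwords it lists, a word plus a single trailing digit, keyboard runs, personal details, minimum length and character mix), plus a helper that builds the initial-letter passphrase the post recommends. The word lists and the substitution table are constructed for this example; a real checker would load a full dictionary.

```python
import re
import string

# Constructed lists modelled on the weak choices the post names.
COMMON_WORDS = {"password", "passwd", "pass", "godblessyou", "jesus"}
KEYBOARD_RUNS = {"123456", "asd123", "qwerty"}


def weaknesses(pw, personal=()):
    """Return a list of the problems found with a candidate password.

    `personal` is an optional iterable of the user's own details (name,
    postcode, team, ...) that must not appear anywhere in the password."""
    problems = []
    low = pw.lower()
    # "password1" is no stronger than "password": strip one trailing digit
    # before looking the base up.
    base = low[:-1] if low[-1:].isdigit() else low
    if base in COMMON_WORDS:
        problems.append("dictionary word (optionally plus one digit)")
    if base in KEYBOARD_RUNS or low in KEYBOARD_RUNS:
        problems.append("keyboard sequence")
    for item in personal:
        if item and item.lower() in low:
            problems.append(f"contains personal detail {item!r}")
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a non-alphanumeric character")
    return problems


def initials_password(phrase, substitutions=None):
    """Build a password from the initial letter of each word in a phrase.

    `substitutions` maps whole lower-case words to the token to use instead
    of their initial (e.g. {"to": "2", "is": "1"}); trailing punctuation such
    as a final "!" is kept as-is."""
    subs = substitutions or {}
    out = []
    for word in phrase.split():
        core = word.strip(string.punctuation)
        trailing = word[len(word.rstrip(string.punctuation)):]
        out.append(subs.get(core.lower(), core[:1]) + trailing)
    return "".join(out)
```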

In any event, any parent will, of course, definitely want to change their online banking passwords and "memorable information" if it includes any of the details possessed by HMRC. I hope the above advice helps somebody sleep more peacefully tonight.

2 comments:

Anonymous said...

What makes me sleep more peacefully is the idea that ID cards have been dealt a real blow.

Anonymous said...

ID card U-turn

Well, it looks like the Government have admitted at last that they have failings. I am glad I no longer qualify for Child Benefit. What a worry for those who do.

They all need our prayers because the Government do not help them.