Christmas is coming and people are full of good cheer. Well, at least the people I associate with are full of fun and frivolity but unfortunately there is a darker side to human nature. No matter what time of year it is, security is important. Regular readers of this column would have heard me mention various security aspects before but today I want to focus on passwords.
Just writing the word conjures up terrible images in the minds of most people. There are too many passwords. There are too many rules around what is acceptable in a password. When did I create that password? Why did I create that password? Where did I write them all down? Secure passwords can be the difference between a happy online experience and a disaster.
I am not sure that people are heeding the message though. Analysis of all passwords used in cloud applications across the world during 2017 reveals some scary information. “123456” is the most common password followed by “password” then “12345678” and “qwerty” and “12345”. As you go down the Top 100 list, there are some quite amusing – but still not secure – examples. “starwars” makes it on the list at sixteen – possibly showing the link between techies and Star Wars. At nineteen is an example of people trying to be clever – “passw0rd” with a zero instead of the letter o inserted. Good try. I found it amusing that “matthew” made it at thirty-two but “robert” was the top name at thirty-one. My favourite though was at seventy-two with “aaaaaa” presumably allowing it to be at the top of the list!
There are three main ways your password (secure or otherwise) might be compromised. First, someone may target you specifically. Some people may not see this as a big risk – and unless their name is Donald Trump, they are probably correct. Sure, someone might find it interesting to have a snoop in your personal life but targeting a password is usually designed to deliver some type of financial gain to the attacker. The strength of your password in this scenario still needs to be considered but having passwords of ridiculous length and complexity is probably not required. Someone might use some of the personal details they know about you – date of birth; street you live in; mother’s maiden name – to try and break into your accounts.
Secondly, you might be the victim of a brute force attack. It might be your account or a group of user accounts. These attacks systematically check all possible passphrases and combinations until one is correct. The sheer power of modern computing lends itself to attacks of this nature. A site that allows you to check the security of your password if you suffer from a brute force attacks reveals interesting information. The time it takes to break the word “passw0rd” is rated at “Instantly”. Try mixing it up a little and you see surprising results. Try a combination that may not be as obvious to a brute force attack, such as “dubbo2830” and it increases to forty-two minutes. Stay with this same theme with a few variations and see what it does. “Dubbo2830” increases that to four days and, if you add in a special character, “D^bbo2830” the time taken would be four weeks. Throw in one extra special character and “D^bbo2830!” jumps up to six years. You start to see the impact some minor changes have.
Lastly you can have your password exposed by a data breach. Every other month I see an example of a large company having been compromised and all passwords for all of their users exposed. This one isn’t your fault and the only security you have against this occurring is to change your passwords regularly – but then that presents an entire range of other issues around remembering your passwords.
My advice is relatively simple. Try and have a common password that is strong and have a few variations of that password that you can use. Change them regularly and be vigilant. Oh, and by the way, enjoy Christmas while you are doing all of that!
Merry Christmas to all of my readers and I hope Santa brings you lots of tech toys.
Mathew Dickerson