
Why a "password" won't do it


Rhodri Marsden Rhodri Marsden | 14:19 UK time, Thursday, 9 December 2010

Internet security is big business. Collectively, we spend huge amounts of money on software that protects us from potential intruders.  Firewalls and virus scanners take on the role of nightclub bouncers, deciding who can come in, who should be chucked out, and who shouldn't stand on the stairs because they're becoming a fire hazard.

But a more fundamental level of security whose importance we often disregard is the humble password. This string of letters and numbers is, after all, often the only barrier that exists between an evil CyberLord and your email, your Facebook page, the files on your computer - even your money.

It's a bit of a wild west out there, and there are many ways your password can be prised out of you. There might be a virus on your computer that logs the keys you press and sends them back to some criminal mastermind (a keylogger), or you might fall for what are known as "social engineering" techniques, which often take the form of a spam email urgently asking you to click through to a website and "verify" your password. The website, of course, is not authentic; it simply records whatever you type.

This can be a bit of a rigmarole for criminals, however, and guessing your password can be much easier - not least because we're horribly unimaginative. I once worked in an office where stringent security measures were taken; backups of all company data were made at the end of every day onto a special hard disk, which was then taken off-site and stored in a locked safe overnight. But all our email passwords were set to the same thing: "pass123". Staggering, no?

Don't take chances

A huge number of people choose passwords that are simply a word in the dictionary, or a name, or a place name. And it's quite possible that those people will carry on using them and say "Well, I've never been scammed." But that's a bit like wandering blindfolded around town and saying "Well, I haven't been hit by a car yet."

A number of us have wised up a little and are aware that a combination of letters and numbers is a good idea, but guessing a supposedly unique combination of those is easier than you might think. A few years ago a password-cracking study combined 1,000 common passwords - things like "letmein", or "123456", or that still inexplicably popular choice, "password" - with 100 frequently-used suffixes - things like 1 or 7, 4u or abc. That is only 100,000 guesses per account, a trivial amount of work for a computer, and with that list alone they managed to crack 24% of a random sample of people's passwords.

It's not enough to think that, simply because it contains letters and numbers, "blink182" is a good choice of password, because tens if not hundreds of thousands of other people will have had exactly the same idea. The most popular password in the world used to be "password", but today it's "password1". Not much of an advance, is it?

The other issue is that we tend to use the same password everywhere. Just consider the number of websites you visit where you log in using an email address and password. I'd bet that many people reading this use the same password to actually retrieve messages from that email address - so every time we sign up to a website, we're essentially handing that website, and anyone who later breaks into it, the keys to our email account. We do this automatically, without even thinking.

Make it memorable with music

So, how to choose a password that's offbeat and unorthodox, but doesn't need to be written down for us to remember it? The best method I've found is based on songs. We all have our favourite lines of lyrics, and the initial letters of those words, interspersed with a memorable number, are far more secure than "holiday123", because the result is not a dictionary word with a number bolted on. And we'll always remember it, because we love the tune.

But what about the problem of different passwords for each website? Well, there are password management services that can remember all your passwords for you, but to access them you need to come up with - yes - a password, and that one master password has to be a strong one, because it unlocks everything else. And the most secure place to store passwords is always going to be your head.

So what I do is incorporate part of the name of the website into my passwords: perhaps stick the second letter of the name of the website at the beginning of the password. Or the third at the end. Or something else. It's up to you.
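The following is an added example, not code from the original post or from its author, that puts both halves of the argument side by side: the "1,000 common passwords times 100 suffixes" attack from the study above, and the lyric-plus-site-letter recipe just described. The base and suffix lists are shortened, constructed stand-ins for the study's lists, the five user accounts are constructed, the site is assumed to store passwords as salted SHA-256, and the exact layout of the lyric password (second letter of the site name first, then the lyric initials, then the number) is one choice among the several the post leaves open.

```python
import hashlib
import os

# Constructed, shortened stand-ins for the study's lists of 1,000 common
# passwords and 100 common suffixes. Multiplying the two lists is the
# whole attack.
COMMON_BASES = ["password", "letmein", "123456", "qwerty",
                "blink182", "holiday", "monkey", "dragon"]
COMMON_SUFFIXES = ["", "1", "7", "123", "4u", "abc", "!", "2010"]


def guess_list(bases, suffixes):
    """Every base followed by every suffix: 8 x 8 = 64 guesses here,
    1,000 x 100 = 100,000 in the study."""
    return [base + suffix for base in bases for suffix in suffixes]


def hash_password(password, salt):
    """How the (assumed) site stores a password: salted SHA-256."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(password):
    """A stored credential: a fresh random salt plus the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def lyric_password(lyric, number, site):
    """The post's recipe: initial letters of a lyric, a memorable number,
    and the second letter of the site name at the front. The layout is an
    assumption; the post leaves the exact arrangement up to you."""
    initials = "".join(word[0] for word in lyric.split()).lower()
    return site[1].lower() + initials + str(number)


def crack(records, guesses):
    """Try every guess against every stored hash. Per-user salts mean the
    list must be re-hashed for each user, but 64 (or 100,000) hashes per
    account is cheap. Returns {user: recovered_password}."""
    cracked = {}
    for user, rec in records.items():
        for guess in guesses:
            if hash_password(guess, rec["salt"]) == rec["hash"]:
                cracked[user] = guess
                break
    return cracked


def crack_rate(records, guesses):
    """Fraction of accounts recovered by the guess list."""
    return len(crack(records, guesses)) / len(records)


# Constructed sample user database. The lyric is a public-domain nursery
# rhyme; 1806 stands in for "a memorable number".
SAMPLE_PASSWORDS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "blink182",
    "dave": "holiday123",
    "erin": lyric_password(
        "twinkle twinkle little star how I wonder what you are",
        1806, "facebook"),
}
RECORDS = {user: make_record(pw) for user, pw in SAMPLE_PASSWORDS.items()}

if __name__ == "__main__":
    guesses = guess_list(COMMON_BASES, COMMON_SUFFIXES)
    found = crack(RECORDS, guesses)
    for user in SAMPLE_PASSWORDS:
        print(f"{user}: {found.get(user, '(not in guess list)')}")
    print(f"cracked {crack_rate(RECORDS, guesses):.0%} "
          f"with {len(guesses)} guesses")
```

Run as-is, the four word-plus-suffix passwords fall to the 64-entry list and only the lyric-based one survives. Salting and a deliberately slow hash raise the cost of each guess, but they do not rescue a password that sits within the first 100,000 things an attacker will try; only a password that is not on any such list does that.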

This might all sound preachy, and I wouldn't blame people for thinking it doesn't matter. But I've been defrauded in the past for not following these rules, and you wouldn't want to look as stupid as me, now, would you?

Rhodri Marsden is a writer and musician who regularly details his fascination and exasperation with modern technology and the internet for both The Independent and BBC 6Music.




BBC © 2014
