Main content

Cyber security for journalists: How to devise the perfect password

Alan Pearce

is a journalist and author specialising in cyber security

I’ve written here before about why journalists need to protect themselves online, and the key to cyber security is a secure password that cannot be guessed at or cracked.

A strong password should be at least 12 characters long and contain a mix of upper and lower case, numerals and symbols. Never use any word that you can find in a dictionary - nor names of pets or children. And don’t use key dates.

More ‘don’ts’. On no account write down your passwords, and do not store them in a dedicated password safe (database), as the very existence of such a thing can draw attention. Therefore it must be something you can remember easily.

As unlikely as this may seem, an ideal password would look something like this:

£iiatuata9smipoagfMbiwoaW(@_@)

On the face of it this would appear impossible to remember. However, this password is derived from the rather memorable opening passage of the Jane Austen classic Pride and Prejudice (serialised by the BBC, above), which begins like this:

“It is a truth universally acknowledged that a single man in possession of a good fortune must be in want of a wife.”

What I’ve done here is take the initial letter from each word in the first paragraph, which then looks like this:

iiatuatasmipoagfmbiwoaw

Most people could easily remember this line. It could just as easily be a line from a pop song or a favourite poem, or a simple phrase that you can commit to memory. But avoid anything well-known like ‘Mary had a little lamb’ or ‘all work and no play’.

You now need to add to this some upper case, numerals and symbols. In the example above I have added a ‘£’ for its rarity value at the very beginning, and then at the ninth position I’ve added the number 9. The words Manand ‘Woman’ have been given upper case characters. Then I’ve added an emoticon at the end. All of this is fairly easy to remember.

Hackers working to crack a password often employ a ‘brute-force attack’ or ‘exhaustive key search’, but these are generally only effective against short passwords. For longer passwords, a ‘dictionary attack’ is often employed.

The method shown here is highly effective against the most sophisticated attacks and it can also be used as a means of passing on a password. Once the recipient understands the principle, you just mention any book that can be found on Amazon. They look inside and read the relevant line to receive the password.

Not using the same password for everything is common advice. However, one option is to create a basic password and then add an identifier. But only use these where major security is not an issue. Also, these need not be so long. For example, £iiatuata9sm(@_@)Rain might work for an Amazon account, adding the word ‘Rain’ because the actual Amazon is a tropical rainforest and you can remember that.

When it comes to higher levels of security - for your email or PayPal account, for instance - you need to devise unique passwords for each. Therefore, your email account password might be based on a line from the song Please Read the Letterwhile your bank password could be derived from Bonfire of the Vanities by Tom Wolfe.

Remember to change your passwords regularly and ensure that your browser does not automatically remember passwords. Look in settings and untick ‘Remember passwords for sites’. And when it comes to filling in many online forms, it rarely matters if the answers are truthful, so there is little reason to give away valuable information that might be used elsewhere.

Aside from tax returns and passport applications, be highly cautious of using your actual date of birth (DOB). This is one of the first things an investigator looks for when tracking an individual. Equally, never give away your mother’s maiden name.

Similarly, when signing up for social media and other accounts, always minimise how much real information you hand over. Use a completely different DOB that you can remember and that does not tie to yourself or anyone you know. It really doesn’t matter if you use this repeatedly.

Equally, it does not matter what you answer to most of these questions just so long as you can remember the answer. So, when it comes to the name of your first pet or favourite food, you can always use the same word each time so long as you never divulge it to anyone.

In short, whatever the security question, stick to the same simple word for each answer. So, in answer to the ‘favourite food’ and ‘name of your first pet’ questions, just type something largely meaningless like ‘succubus’ each time.

It’s unlikely that anyone would ever guess this word and a hacker might waste a lot of time trying to find the real answers to the questions.

Alan Pearce is a newspaper journalist, broadcaster, former BBC foreign correspondent and the author of Deep Web for Journalists: Comms, Counter-Surveillance, Search.

 

Cyber security for journalists: The internet is a hostile environment too

Online security: Protecting private data

Investigative journalism blogs by web research specialist Paul Myers

Our investigative journalism section

Searching for people online: Advanced techniques

Searching for company data: Advanced techniques

Information security for journalists