Rob Ratcliff was the Content and Community Manager of IFSEC Global.com. He is a self-confessed everyman in the world of security and fire, keen to learn from the global community of experts who have been a part of IFSEC for 40 years now.
We all know how difficult remembering your password is, but how secure is yours?
Advice from staysafeonline.org recommends that your password be “long and strong” — a bit like your favorite toilet paper brand — with a minimum of eight characters, a mix of upper and lower case characters, as well as numbers and symbols.
But we bet your password isn’t as secure as the one we found in an old episode of Star Trek: The Next Generation. The android character Data is hijacking the ship, and locks the Captain out with his password. Have a look, and let us know whether your password is anywhere near as secure. It might make you think again!
Robert Ratcliff
IFSEC Insider | Security and Fire News and Resources
JonathanL
November 22, 2013 8:40 am
For the things that I am really concerned about I decided a few years ago to maintain a complex set of passwords that contained mixed case, numbers, and symbols. I keep this posted in clear view on my monitor in the form of a pass code card that I got from http://www.passwordcard.org/en (you have to select a check box to get symbols as well). You can choose a length of password from the card and just have to remember the corresponding numbers and symbols to complete your password. I have multiple copies of this, one on my desk and one in my…
safeNsane
November 22, 2013 10:42 am
Watching the video, that entire string is displayed on the console; this is about like writing it down on a post-it note and sticking it to your monitor. So much for that being a secure password. I always tell people that the most secure password is one that you’ll remember and is not related to you in any way. If you were in the military, don’t use your rank in the password; if you own cats or have kids, don’t use their names or birth dates in your password; and do not write it down, ever.
The challenge is that the more complex the password, the greater the chance that people have to write it down, especially if you need several passwords (as you shouldn’t use the one password for everything).
Yes, that is always a challenge, but that is one reason I ask people not to use something that is part of their everyday life: it makes them think and makes it stand out. Do they always listen? No, but they don’t typically complain about password lengths because they aren’t trying to figure out how to take their cat’s 4-letter name and stretch it out to 8 characters.
JonathanL
November 25, 2013 10:25 am
A better method to manage your passwords is with a password management tool. As little as I access as myself and not some administrative account, I can get by using the passcode card I linked to below. If your account is tied into lots of stuff then it is better to implement some type of password manager software. Here is a link to some: http://www.pcmag.com/article2/0,2817,2381432,00.asp
They can be incredibly helpful if you have a lot of different things to manage and need to centralize it.
Choosing the same password for each of our online accounts is like using the same key to lock your home, car and office; if a criminal gains access to one, all of them are compromised. So choosing the same password is not a good choice.
It can be a small sentence with a mixture of numerics and alphabets.
We should be very careful while entering our username and password. Sometimes people enter their username and password in the same area, forgetting to press Tab or scroll to the password section. When they don’t get signed in, they enter their details again carefully and successfully sign in, but they fail to understand that if someone else came to the same system, they could see both their username and password in the username section. So we need to be very careful while entering our username and password. No matter how strong our password is, this small mistake can…
As we’ve seen recently, using different passwords doesn’t do much good if the accounts are associated with each other. We’ve seen a few security issues where Facebook accounts or email accounts were compromised at the same time. The key is being aware and being ready to change your accounts when necessary.
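The slip described in that comment leaves the password sitting in plaintext in the authentication log, where anyone who reads the log sees it. As an added example (not from the post or the comment), the following pairs a failed login whose "username" is the real account name with a password typed straight after it against the successful login that follows from the same source, and redacts the leaked line. The log format, field names, pairing window and sample records are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample log (not from the page): on line 1 the user typed username
# and password together into the username box; the carol pair is too far apart.
SAMPLE_LOG = """\
2013-11-25T10:01:02Z src=10.0.0.7 result=FAIL user="aliceW1nter!2013"
2013-11-25T10:01:19Z src=10.0.0.7 result=OK user="alice"
2013-11-25T10:05:40Z src=10.0.0.9 result=FAIL user="bob"
2013-11-25T10:05:55Z src=10.0.0.9 result=OK user="bob"
2013-11-25T11:30:00Z src=10.0.0.12 result=FAIL user="carol2"
2013-11-25T13:30:00Z src=10.0.0.12 result=OK user="carol"
"""

# Assumed line format: ISO timestamp, source address, result, quoted user.
LINE_RE = re.compile(r'^(\S+) src=(\S+) result=(\w+) user="([^"]*)"$')

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"raw_ts": m.group(1), "src": m.group(2),
                           "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                           "result": m.group(3), "user": m.group(4)})
    return events

def looks_like_credential(failed_user, ok_user):
    """Heuristic for the slip: the failed 'username' is the real account name
    plus a tail of 4+ characters that is not purely letters (the password)."""
    if not failed_user.lower().startswith(ok_user.lower()):
        return False
    tail = failed_user[len(ok_user):]
    return len(tail) >= 4 and re.search(r"[^A-Za-z]", tail) is not None

def find_leaks(log_text, window_s=300):
    """Pair each successful login with earlier failures from the same source
    inside window_s seconds whose 'username' looks like a leaked password."""
    events = parse(log_text)
    leaks = []
    for i, ok in enumerate(events):
        if ok["result"] != "OK":
            continue
        for prev in events[:i]:
            age = (ok["ts"] - prev["ts"]).total_seconds()
            if (prev["result"] == "FAIL" and prev["src"] == ok["src"]
                    and 0 <= age <= window_s
                    and looks_like_credential(prev["user"], ok["user"])):
                leaks.append({"account": ok["user"], "src": ok["src"],
                              "leaked_at": prev["raw_ts"]})
    return leaks

def redact(log_text, leaks):
    """Rewrite the flagged lines so the secret no longer sits in the log."""
    flagged = {(l["leaked_at"], l["src"]) for l in leaks}
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (m.group(1), m.group(2)) in flagged:
            line = f'{m.group(1)} src={m.group(2)} result={m.group(3)} user="[REDACTED]"'
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `find_leaks(SAMPLE_LOG)` flags only the alice pair; the bob failure has no password tail and the carol lines fall outside the window.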
SunitaT
November 27, 2013 2:32 am
@ safeNsane, I agree that the worst thing we can do to remember passwords is write them down on paper. This is essentially the first lesson we get when we start learning security. Things related to us, like the few you mentioned, are easily guessable. We must desist from using such things in passwords; otherwise we leave ourselves vulnerable regardless of the length of the password.
SunitaT
November 27, 2013 2:32 am
Security, in my opinion, means unpredictability as well. The more unpredictable you are, the more secure you will be. Anything that doesn’t concern you in any possible way can be a very strong, almost unbreakable, password even if it is not that long or doesn’t contain a mix of lower and upper case letters.
Robert Grossman
November 29, 2013 1:11 pm
But, back to the subject of this post, how secure was Data’s password? Not very. It did not use any uppercase/lowercase character modifications, or special characters (&%$#@). It was relayed to the computer verbally, allowing someone with good hearing and a pad and pen to grab it, and was easy to crack with brute force (by guessing letters and numbers). And it was echoed on a screen — what, no asterisks as placeholders? Clearly not very secure, as Data was able to get at it and take over the ship…
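To put the post's "long and strong" rule and the critique above into numbers, here is an added example (not part of the post or the thread) that checks a password against the staysafeonline criteria quoted in the post, flags the personal facts the commenters warn against, and estimates the brute-force search space from the character classes actually used. The sample passwords and the personal terms "Fluffy" and "1975" are constructed.

```python
import math
import string

# Character classes behind the "mix of upper and lower case, numbers and
# symbols" rule; their sizes feed the search-space estimate.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    chars = set(password)
    return {name for name, members in CLASSES.items() if chars & members}

def search_space_bits(password):
    """log2 of the brute-force search space, assuming the attacker knows
    which classes were used (letters and digits only -> 36-symbol alphabet).
    Characters outside every class (e.g. spaces) each add one symbol.
    This is an upper bound: dictionary words or personal facts make the
    real guessing cost far lower."""
    extra = {c for c in password if not any(c in m for m in CLASSES.values())}
    alphabet = sum(len(CLASSES[n]) for n in classes_used(password)) + len(extra)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)

def policy_findings(password, personal_terms=()):
    """Apply the staysafeonline rule quoted in the post (at least 8 characters,
    all four classes) plus the commenters' advice: nothing taken from your own
    life (names, birth dates, rank), passed in as personal_terms."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    for name in sorted(set(CLASSES) - classes_used(password)):
        findings.append(f"no {name} characters")
    lowered = password.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            findings.append(f"contains personal term {term!r}")
    return findings

def assess(password, personal_terms=()):
    """Combine the rule check with the search-space estimate for one password."""
    return {"length": len(password),
            "bits": round(search_space_bits(password), 1),
            "findings": policy_findings(password, personal_terms)}

if __name__ == "__main__":
    # Constructed samples: a pet name plus birth year (the kind of password
    # the thread warns against), a short password that satisfies every class
    # rule, and a long all-lowercase passphrase that the rule rejects.
    samples = [
        ("fluffy1975", ["Fluffy", "1975"]),
        ("Tr0ub4d&3", []),
        ("correct horse battery staple", []),
    ]
    for pw, terms in samples:
        print(pw, assess(pw, terms))
```

The passphrase fails the four-class rule yet has more than twice the search-space bits of the short password that passes it, which is the "long" half of "long and strong".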
@ SafeNSane
Very good points to remember when creating a password. For a while (way back when) I tried to make my passwords as easy as possible to remember, and I used the same password for everything. It was very easy for my teenage son to figure out; once I realized this I tried a new approach. I used my coworker’s wife’s name and the birthdate of an old friend. My son wasn’t too thrilled when he figured out his old mom outsmarted him. =)
I worked for a software company that gave everyone the same format for their assigned user names and passwords. So, everyone in the company had a username: firstnamelastname!
and a password: !firstname*!
I couldn’t believe how literally stupid this system was, especially since it was a software company that created customer relationship management software!
@ SafeNSane
I know a few people who aren’t even tech savvy enough to recognize when their social media accounts have been compromised. They are all like: “Sorry about the crude message my Facebook account sent to all of you. It wasn’t me, my Facebook is acting crazy”. Then when you try to tell them they should change their password because they are compromised, they’re like “Oh, I couldn’t have got hacked, I didn’t give my log-in info to anyone”… SMH!
I can’t say that I’ve had anyone that I thought wouldn’t care that their account was compromised, but I do know a couple who don’t seem to care if someone has access to their account because they see it as an intangible. That scares me.
It’s scary but a sad reality, as not everyone is able to follow and understand technology and changes… plus when the internet got created… it got created with the idea that normal people would be using it… like scholars/educators… but these days it’s a free-for-all…
Yes, same here… but these days during each security seminar/presentation I keep hearing it… one day your account will be hacked… sad reality, now or in the future… unless technology changes… but I do not know…
Interesting observation… from my point of view… these days everyone uses Facebook as a master account to log in almost everywhere… I do not trust Facebook or Twitter… it’s scary… but most regular people just click yes… to connect everything under Facebook/Twitter/Google… or even a Hotmail account – Microsoft…
Yes, I’ve seen that as well and I can say that given the choice I always create a new account rather than use Facebook to log in. That just seems like you’re asking to be spammed or have multiple accounts compromised at the same time and never know where the leak came from.
Most people are careless since they do not value their information as sensitive until the expected happens. I always send emails online advising my workers to consider changing their password once every month.
This is true, and we know that there is nothing like total safety; however, a little care and changing our password at regular intervals will help a lot.
My experience with end users has been that they will choose the easiest option available to them for the most part. You do have some savvy users that get the idea that they should be more secure, but then you have the 9-to-5 people who are just there for a paycheck and don’t plan on complicating anything. For those situations it’s best to have a baseline set and enacted on the network. Minimum length, complexity, and the period can all be set. But even then, for the users who use the same password for everything…
You have to think too of all the standard password recovery options out there, like these free little email sites that let you reset your password with three security questions. Anybody who has a completely filled-out Facebook account could be easily susceptible to a brute-force attack on their password. I would never have to break it: your mom is listed as one of your friends, and was nice enough to put her maiden name on her profile; you said where you were born, and were even nice enough to put pictures of your favorite pet for the world to…
@ safeNsane
That is scary. Some people just don’t understand the importance of protecting their personally identifiable information (PII)…it is indeed very scary.
@ batye
The really bad thing about making everyone’s log-in info so similar is that when someone leaves the company, they could still gain access to the company’s data.
@STACEY ESTEY The Co. could get destroyed overnight… but no one will be blamed for it… as everyone does not use safety protocols properly… keeps postponing changing passwords from week to month to next year…
Everyone thinks they’re immune to security threats… but in reality nothing is truly/really secure…
elen
January 13, 2014 6:36 am
It is completely our responsibility to make our passwords secure. To be more precise, we need to have a very good security code that is used as a password for various files and folders. I liked the video shared here on the need for a secure password and how to make it secure.
I’ve seen almost similar things happening in a Canadian transportation Co. when the IT department/CIO… have no idea about even basic security…
Agree; with security you never know… and expect the unexpected… in my books you could never have too much security…
You know, I know… but many people online do not care or choose the easy way… and pay later for it…
Yes, you are right… better safe than sorry… but soon we’re gonna have to change passwords each week.
Yes, I think end users must be reminded about security each time they log in and do not want to change their password…
This is a big problem as many use the same password all over the internet… hackers lol… but it’s a sad reality…
Yes, you are right, social engineering is a big problem… as we expect everyone is normal online :)
@ batye
You’re right, the internet really has become a free-for-all!
@STACEY ESTEY thank you, but in reality we have a scary life online… where no one is really safe…