/* Menu creation problem '1958-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1958-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1958-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1958-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1958-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1958-475', Bok=0, Snm=0, Omen=) */
Contact us
Let us put you in the driving seat of your new Web Site

Putting technology in ITs place:
Business and People first!

Click on link to rightWhy Business before Technology
Call us now
Maintain your own site
Click on link to rightSelf Maintenance Sites
[Home]   [Site Map]   [Privacy]   [Toggle Print]   [Contact]   [Bottom of Page]

Your passwords - making them memorable but safe and secure

How to plan for and then Create, Store and Use Passwords securely

If the only action you take as a result of reading this page is that you take distinct approaches to your passwords for each level of risk that you are exposing yourself-to then you will have decreased your exposure to the consequences of using passwords to protect your assets - financial, reputational and many other nasty outcomes of password theft.

Just as you have different access protection on garden gates and sheds, garages, front and back doors and internal doors and safes it is imperative to have different tools, procedures and approaches to your use of passwords - appropriate to the risk! level.

All aspects of high risk passwords should naturally be handled with more care and attention to detail even if that makes them less convenient to use but crucially, there must be no possible "route" for a hacker to get to those (higher-level) passwords from ANY! lower-level passwords or assets / resources that rely upon them - e.g. e-mail accounts! Bear in mind that the hacker is a human opponent at a game of Snakes and Ladders (apologies to readers who are not familiar with the game!) and your goal is to constrain him or her to the lowest level (row) possible. Escalation to higher levels of password risk is explained below

Creating - what makes a password bad! and why!

Passwords are regularly hacked by a variety of methods, some of which are within your own control due to the attacking methods (below:) used to crack them. Bear in mind that any of the following are likely to be used as a starting point - hackers and more precisely their software! will combine numbers, transform letters to numbers and even combine the starting data when conducting an attack!:

  1. Publically accessible or Known Private Data harvesting - whether this is the names, pets, children, places, dates etc. from your entries on social media web sites (Facebook, YouTube, LinkedIn etc.) or your past addresses, dates, telephones numbers, cars registrations etc. from more factual web sites - assume that it can all be used as the starting point for attacks.

    It is important to understand the variety of sources of information as attack vectors - this range from a completely unknown miscreant in a far-off country with no more than basic web access through employees of companies that you have interacted-with through to ex-work colleagues, friends, associates etc..

  2. A WIDE variety of dictionaries - words of any language, names, places, many millions of known passwords from virtually all prior hacked web sites, sexual, vulgar and swear words. This is a simplistic description of how to hack a (weak) password.
  3. Brute force - although this technique works excellently when the attacker has access to the device where the password is stored (a relatively small file from your PC, mobile, web server where you have an account etc.) it can be slowed-down or even halted by a well-designed and managed web site. This attack can be countered by a combination of two password factors - length and variety of characters used. For professional web sites a length of 8 characters and 4 different character types - lowercase, uppercase, digits and specials such as: ',./?:;@ "%^&*()-_=+' would be sufficient as a strong password

Note that a strong password (level 3-5) must be able to resist all possible attacks:
Brute Force, Dictionary and any variant of Data harvesting AND the tweaking of characters as advised by SOME guides to password creation

An example of BAD ADVICE or judgement is here - but at least it IS labelled as the Internet for beginners! The column headed OK contains many lines with words / names that are NOT OK, the column marked 'Better' is only slighty better for those lines and the column headed 'Excellent' certainly isn't on several lines.

There is guidance on the creation of good passwords at our companion page: Passwords - best practices but of course there can be nothing prescriptive written without compromising the passwords created - hence it is expressed as ideas rather than rules and instructions.

Using - what causes a password to be compromised?

  1. Passwords you share between sites - many but hopefully not most web sites that require you to have an account store both your e-mail address and associated passwords in plain text format and have very little security to stop those details being regularly harvested by hackers. Sadly you only need to have just 1 account at one of the 10-30% of web sites that have so little security to open the door to all of your other web site logins sharing that e-mail address and password! Even if you DO use different passwords at different sites it would be worthwhile to read the final item in this list as you need to ensure that there is ZERO chance of anyone compromising a high risk site as a result of knowing your passwords at lower levels!
  2. Simply visiting! web pages - although many people assume that they are safe from malware as long as they don't click upon (or worse - download and Run!) links that 'appear' to be 'bad' - that is WRONG - malware can steal information from other web pages and logins on other web pages! This is particularly dangerous in two circumstances, the first is obvious:
    1. When you have a window open (anywhere else in that browser!) to a web site that is high value and/or risk to your life, finances etc.
    2. When you are using web-mail such as BT/Yahoo, Googlemail, MSN, Windows Live, AOL and most Broadband providers (ISPs) such as Talktalk, Sky, Virgin, Tiscali,

      The latter is almost as bad as the first - once a hacker has access to your e-mail they have access to your whole on-line "world" because of the prevalent use of e-mail for resetting of passwords etc..

  3. Key logging or other Trojan malware - malicious software used to be "in your face" but now that serious, organised criminal teams are using malware for commercial gain the obvious switch has been made to covert / hidden operation so that their foothold on your device (PC, mobile etc.) can be used for long-enough to inflict serious damage on their victims and their friends and families! as an infected user is an ideal conduit to their next victim. Note that a subset of this attack is the use of Keyloggers in Internet Cafés where although the attack is limited it can still yield disasterous consequences depending upon the passwords used/stolen.
  4. Capture of passwords when using public Wifi (Hotspots) - this is now prolific - especially for social networking sites when used by mobile devices - increasingly smart phones but Laptops are very often totally insecure too. There is even a Firefox plugin to enable a Laptop user to do the identification of available victims and subsequent hi-jacking of their session! The capture of login passwords is not available at all of the (30) web sites that it supports.
  5. Trusting the Server when it (or the connection to it!) can be compromised - although the actual fault is with the integrity and/or competence of the site owners, their management and suppliers - it remains YOUR choice as to who to trust with what password(s) - and levels of password - see below! This is difficult to convey to anyone who is unfamiliar with computing infrastructure and in particular security aspects of it and to do so on a web site is perhaps one of the worst places to do so for a wide variety of reasons but it IS important because web sites with very, very large numbers of users are being reported as hacked every week and month and no-one knows how many cover-ups are happening that keep some of the very largest institutions of the planet out of the press on this topic.

    Protection against this type of attack is not directly within your control but your best defences are to:

    1. 'buy time' and at least enough to change all other passwords that could in any way be compromised - keeping your passwords distinct on each site will probably take you out of the 'low hanging fruit' category. Also see the next item regarding password 'levels'
    2. Make it more difficult for hackers to exploit - a simple but significant action would be to have more than one e-mail address - see below.
  6. Allowing hackers to escalate to high risk level sites from lower - as stated as the first point above - if you use the same password at multiple sites you are inviting hackers to strip you of the assets they protect. IF you have planned your use of password risk levels and what resources each (level) is going to contain - see above - then you are more resilient BUT you need to keep those levels extremely well separated - see below.

    Explaining this notion of levels of risk is best explained by example. Assume that 1 is the lowest level (very little or NO risk) that you need and 7 is the highest where 3 and/or 5 would be intermediate. 3 would be used for the majority of sites at which there is any significant risk - even as simple as someone impersonating you in an on-line forum but you can't be certain of the integrity and competence of the site, owners and/or management. You might use 5 when the latter is known to be good - examples of sites here would be any site that held any of your credit or debit card details. Level 7 would be for financial and other important sites where THEY (as well as you) would potentially lose a lot of money and/or customers if they failed to keep your passwords, data and assets safe!

    I suggest this numbering so that 9 could be reserved for technologies sometimes called (password) 'safes' which are available in on-line (e.g. LastPass, RoboForm etc.) and device-specific versions (e.g. KeePass - multi-platform) - obviously IF you used such a tool then the compromise of that would probably be disasterous although one possible usage would be as a facility to store the dozens of level 1 (or 0!) passwords that a typical on-line user 'accumulates' over the years and that would then NOT be such a high risk.

    Q. How can hackers escalate their attacks to the higher level risk sites you have defined? - this is the closest that this page will get to giving an example of an algorithm you might use to create passwords - NOTE that it is deliberately NOT a good example! as it has obvious flaws. Note also that this is defining a 'Level 1' algorithm so that it can then be used as a reference to what would make it easier for a hacker who 'cracked' this algorithm to escalate to sites at your higher levels of risk.

    A sample algorithm for a Level 1 password for a ficticious site - www.chatbored.ltd.uk (don't check the .com!):

    1. First 2 characters (of all 'my' level 1 passwords) are always 'l1' - that is lower case 'L1'
    2. Next 2 characters are taken from the web site name after the www. or secure. or similar prefix - in this case 'ch'
    3. Next 2 characters are 'my' year of birth, say '88'
    4. Last 2 characters are 'my' initials in upper case, say 'DC'

    For a password which is guarding resources / assets that is regarded as little or no risk ('Level 1') - the password above is NOT THAT BAD when compared to this 5 page report on Bad Passwords where 300,000 (1%!) used the password '123456' and 60,000 used 'Password'.

    But the issue is how easy it now is for anyone! (they were published to the web!) to use those 32 million! passwords to login at any sites that are of more importance / value!

    Returning to the weakness of the example above - given the amount of personal information that is available on the web it would not be difficult for a hacker who had stolen the above password (l1ch88DC) from an unprotected site to then explore other sites at which you might have a login and to get a good idea of what your 'Level 1' algorithm was. However - even a small hurdle that needs human intervention will probably be enough to delay an attack on your other credentials.

    The escalation risks (i.e. if your next or even higher level passwords were constructed similarly) are at least the following and I have deliberately left out some and included some unlikely ones so that this page is of little or no use to hackers, only numbered for ease of reference:

    1. Using multiple sets of two characters
    2. Using 'l' followed by a digit at the start
    3. Using the start of the web site name
    4. Making the next 2 characters digits
    5. Using a year or even worse the same year (e.g. Date of Birth)
    6. Using initials or even worse the same initials at the end
    7. Making the last 2 characters upper case

    Additional methods of keeping levels of risk separated

    Having a different approach (algorithm) to the creation of passwords for different levels of password is just one technique to make it more difficult for a hacker to exploit any loopholes or exploits.

    The list below hasn't been thought through as at 11th June 2012 but I am sure that I and others will add to it in coming months and years. Again, only numbered for easy reference:

    1. Having more than one e-mail address is a very, very useful technique that obstructs hackers. The reason this creates at least a short term barrier is that more and more web sites use an e-mail address as a (login) user name and the combination of that with the password is needed to login.
    2. Having many e-mail address is a perhaps(?) even more useful and can be simply be enabled with the purchase of a personal domain. The reason this could be even more secure is that the e-mail address using for a particular web site can be completely unique and dedicated to that particular use and may be very, very difficult for the hacker to know.

    Anyone wishing to contribute to the list above is welcome to do so as I am quite certain that more contributers will improve this page for all readers.

    This page © Business before Technology 2011-2020 - see the respective sites of the owners for their copyright as well as terms and conditions

    Links and other information last validated on 22nd May 2012. Please use the Contact us page to suggest any additions or revisions.

Like the site?

Site Construction by usiness
before Technology
Click on link to rightClick here
[Top of Page]   [Home]   [Site Map]   [Toggle Print]   [Privacy]   [Contact]

© Business before Technology - All Rights Reserved 2003

Business before Technology Limited, Company number: 4969011.
151 Chester Road, Norbury Moor, Hazel Grove, Cheshire SK7 6HD
*¹¹ Note that calls to 0844 884 2244*¹¹ will cost 7p per a minute, your telephone provider (including mobile providers) may add an additional access charge.
14Jan16: not 0 or 0 !