Creating the perfect passwords
Hackers have now cracked more than 11 million of the hashed passwords leaked in the Ashley Madison website attack.
This is just one example of flawed password security.
The government agency GCHQ has recently published a new password management guide, which is designed to “improve security, while improving the usability of systems.”
So how can you create the perfect password?
“Secure systems should not just rely on a single password, but have additional technical controls which the system owner can use to detect abnormal behaviour and protect the user’s account.”
Many websites now demand complex passwords, consisting of a mixture of upper and lower case letters, numbers and symbols. However, the report suggests that such complexity rules may actually be counterproductive, as people tend to write the resulting passwords down or reuse them across multiple websites in order to remember them.
Many websites also force users to change their passwords periodically, so that any leaked password is only temporarily useful to an attacker. However, the report suggests that this leads people to make small incremental changes to an existing password and to use the same password on a number of websites.
It said enforcing regular changes “imposes burdens on the user” and “carries no real benefits as stolen passwords are generally exploited immediately”.
“Regular password changing harms rather than improves security.”
Some security experts have suggested that users adopt passphrases, strings of several words, as a way of remembering long passwords. Examples often quoted include ‘IL1kefr13dCh1ck3n’ and ‘OnC3Up0nAT1me’, which are short phrases with some letters swapped for look-alike digits. It is the extra length that gives a passphrase greater resistance to brute force attacks than a traditional password; password-cracking tools apply such letter-for-digit substitutions routinely, so the swaps themselves add far less than they appear to. A brute force attack is when a computer tries numerous combinations of passwords until the correct one is found.
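To make the brute force comparison concrete, the following script is an added example written for this article, not code from GCHQ or the BBC. It estimates the search space for the two quoted examples in two ways: the naive charset-times-length figure a brute force attacker faces, and the much smaller figure a word-level attack faces once the look-alike digits are undone, as cracking rule sets do. The word list, phrase list, the `LEET` substitution table and the list sizes (`DICT_SIZE`, `PHRASE_SIZE`, `VARIANT_BITS`) are constructed assumptions chosen for illustration.

```python
import math

# Constructed look-alike substitutions; cracking tools undo these with
# "leet" rules as a matter of course.
LEET = {"1": "i", "3": "e", "0": "o", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}

# Constructed toy word list standing in for a cracker's dictionary.
WORDS = {"i", "a", "like", "fried", "chicken", "chick", "hen", "once",
         "upon", "time", "on", "up", "at", "me", "ate"}

# Constructed toy phrase list (attackers also keep lists of well-known phrases).
PHRASES = {"onceuponatime", "tobeornottobe", "letmein"}

# Assumed sizes of the real lists an attacker would use, and the assumed
# number of leet/case variants tried per word (2**4 = 16).
DICT_SIZE = 20_000
PHRASE_SIZE = 100_000
VARIANT_BITS = 4


def deleet(password):
    """Undo look-alike substitutions and case, as a rule-based cracker would."""
    return "".join(LEET.get(c, c) for c in password).lower()


def charset_size(password):
    """Size of the alphabet a naive brute force must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def bruteforce_bits(password):
    """log2 of the candidates a charset brute force tries in the worst case."""
    return len(password) * math.log2(charset_size(password))


def segment(text, words=WORDS):
    """Split text into the fewest dictionary words, or None if that is impossible."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def dictionary_bits(password):
    """log2 of the candidates a word-level attack with leet/case rules tries,
    or None if the de-leeted password is not made of dictionary words."""
    plain = deleet(password)
    if plain in PHRASES:
        # A stock phrase costs one phrase-list lookup plus its variants.
        return math.log2(PHRASE_SIZE) + VARIANT_BITS
    parts = segment(plain)
    if parts is None:
        return None
    return len(parts) * (math.log2(DICT_SIZE) + VARIANT_BITS)


def assess(password):
    """Summarise both estimates for one password."""
    plain = deleet(password)
    dict_bits = dictionary_bits(password)
    return {
        "plain": plain,
        "words": segment(plain),
        "bruteforce_bits": round(bruteforce_bits(password), 1),
        "dictionary_bits": None if dict_bits is None else round(dict_bits, 1),
    }


if __name__ == "__main__":
    for pw in ("IL1kefr13dCh1ck3n", "OnC3Up0nAT1me"):
        print(pw, assess(pw))
```

The point of the two numbers is the gap between them: the 17-character example looks like a 100-bit brute force target, but once the digits are read as letters it is four common words, and the well-known phrase in the second example collapses further still. A passphrase of several unrelated words, or a password manager's random string, does not have this weakness.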
“A longer password is preferable overall, but that has its own problems,” Dr Sasse told the BBC.
“More than 50% of passwords are now entered on touchscreen devices, and longer passphrases create a significant burden on touchscreen users.
“Passwords are rarely cracked by brute force. They are mostly captured through phishing and malware, and with those attacks it does not matter how long or complex your password is.”
Two-factor authentication
Many websites now offer an additional layer of security through two-factor authentication. In addition to entering the password you also enter a single-use code, which is typically sent to your mobile phone or email, or generated by an authenticator app on your phone.
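What makes such a code a second factor is the server-side handling, not the six digits themselves: it must be unpredictable, expire quickly, survive only a handful of guesses and work exactly once. The class below is an added example written for this article, not code from any site or from GCHQ. It shows that bookkeeping for a code delivered out of band; the digit count, lifetime and guess limit are assumed values, and the code is stored only as a keyed digest so that a leaked table does not leak usable codes.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed: six digits, as most SMS/email factors use
CODE_TTL_SECONDS = 300   # assumed: a code expires five minutes after issue
MAX_ATTEMPTS = 5         # assumed: guesses allowed before the code is voided


class OneTimeCodeStore:
    """Server-side bookkeeping for single-use login codes.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> {"digest", "expires_at", "attempts"}
        self._secret = secrets.token_bytes(32)  # keys the stored digests

    def _digest(self, username, code):
        # Store an HMAC of the code rather than the code itself.
        msg = f"{username}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, username):
        """Create a fresh code; the caller delivers it to the user's phone or email."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = {
            "digest": self._digest(username, code),
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # never log this; it goes to the user only

    def verify(self, username, submitted):
        """True exactly once for the right code, within its lifetime and guess budget."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[username]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]  # too many guesses: force a new code
            return False
        ok = hmac.compare_digest(entry["digest"],
                                 self._digest(username, str(submitted)))
        if ok:
            del self._pending[username]  # single use: the code cannot be replayed
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("first use:", store.verify("alice", code))    # True
    print("replayed: ", store.verify("alice", code))    # False
```

Note that the comparison uses hmac.compare_digest and the store never keeps the plain code; also note that a phishing page can still relay a code of this kind within its lifetime, which is why Dr Sasse's remark about phishing applies to the second factor as well as the password.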
“This offers a substantial improvement in security, so if it is available you should definitely consider it. Many banks insist their customers use it,” said Dr Murdoch.
“Never reuse important passwords (like for online banking) on other websites,” said Dr Sasse.
“Not all websites protect their passwords properly, or your password may be captured by malware. Use unique passwords with a password manager to keep track of them.”