Tel: 01865 748197 • email help@theflyingdoctor.biz • www.theflyingdoctor.biz
©The Flying Doctor 2015
Ten things you really need to know about Passwords and PINs
They can be very secure if used properly. Users think they have great passwords, but 91% of people use a password from the top 1,000. So that reduces the work of an attacker an awful lot.
Here’s a recent list of the top twelve:
1. 123456
2. 12345
3. 123456789
4. Password
5. Surname
6. 1234567
7. 12345678
8. abc123
9. first name
10. pet's name
11. 654321
12. qwerty
Now how do you feel?
There are two traditional methods: the dictionary attack and the brute force attack.
The dictionary attack simply tries every word in its dictionary to see if one of them works.
The brute force attack is similar, but instead of dictionary words it works through strings of characters, which will include symbols and numbers.
But the rise of social media has opened up a whole new route: they just look at your profile and try what they find there as a password: look at number 10 in the list above, for example. Even worse, they will probably find the answers to your ‘security questions’ on your profile as well, and simply contact the website, email provider or whatever to retrieve or, worse, change your password.
Any password can be cracked - eventually. We need to make it hard enough that it isn’t worth the attacker’s while. A seven-letter word password like ‘everest’ can be cracked within two seconds on a computer just like yours, and these guys use serious power, so we need to make it harder. The answers are length and complexity: add characters, and insert numbers and symbols.
To demonstrate: @V@r@st takes 48 seconds to crack rather than two, and whu2sn4lu8 takes ten days.
And use different passwords for different sites, or at least have small groups of sites sharing the same password.
Writing the password on the computer is one way, but not the best.
There are a number of password vaults on the internet, like LastPass and 1Password. These generate complex passwords for you and will automatically fill them in when the site requests them.
We are putting all our eggs in one basket, so we need to protect the basket with a strong password that we can remember.
The password needs to be random, but memorable. Try this: Think of a phrase or sentence that you know well, with at least eight words. Take the first letters.
Now you have a random sequence, say ‘asagmcttaotp’.
Next, capitalise every second or third letter ‘AsaGmcTtaOtp’
Now change some letters for numbers or symbols ‘As@Gmc2tA0tp’
That’s a pretty secure password that you can remember.
We’ve now got secure passwords that are hard for the bad guys to guess. So what do they do? They send us an email asking us to tell them what the password is.
Surely you wouldn’t tell anyone, would you? Well, other people do. Here’s an email that I received a while ago:
Dear customer,
Your Apple ID was used to sign in to iCloud on an iPhone 4.
Time: February 12, 2014 Operating System: iOS;6.0.1
If you have not recently signed in to an iPhone with your Apple ID and believe someone may have accessed your account, please click here to confirm your details and change your password.
Apple Support
What would you do? Well:
• 47% of people surveyed said they merely evaluate the look and colours of a website to decide if it's legitimate.
• Only 45% said they verify that the web address (URL) is correct.
• 6% of respondents admitted they don't check anything.
So vast numbers of online users do go to these spoof sites and enter their information, yet they wouldn't give their PIN to someone who rang up.
• Always type the web address in yourself if you are at all unsure.
• Hover over links to see the URL. In this case it goes to:
http://www.altlinks.ru/temp/.apple/ Not what we thought!
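"Hover over the link and read the URL" can be done for every link in an email at once. The following is an added Python example, not code from the leaflet: it pulls each link out of an HTML message, works out which host it really points at, and marks it suspicious when that host is not under the domain the email claims to come from. The sample message is constructed from the email quoted above together with the address it actually led to; the Apple Support link is invented for contrast, and the last-two-labels domain comparison is a simplification rather than a proper public-suffix lookup.

```python
"""Added example: report where every link in an HTML email really points."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for each <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside the current <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' domain: 'www.apple.com' -> 'apple.com'.
    Assumption good enough for this example; real tooling uses the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html: str, expected_domain: str) -> list:
    """Return one (text, href, verdict) per link; 'suspicious' when the
    link's host is not under the domain the sender claims to be."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        ok = registrable_domain(host) == expected_domain.lower()
        results.append((text, href, "ok" if ok else "suspicious"))
    return results


# Constructed sample: the leaflet's email text with the link it really led to,
# plus an invented genuine-looking signature link for comparison.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Your Apple ID was used to sign in to iCloud on an iPhone 4.</p>
<p>If you have not recently signed in to an iPhone with your Apple ID and believe
someone may have accessed your account, please
<a href="http://www.altlinks.ru/temp/.apple/">click here</a> to confirm your
details and change your password.</p>
<p><a href="https://www.apple.com/">Apple Support</a></p>"""

if __name__ == "__main__":
    for text, href, verdict in check_links(SAMPLE_EMAIL, "apple.com"):
        print(f"{verdict:10} '{text}' -> {href}")
```

The "click here" link is flagged because its host is altlinks.ru, nothing to do with apple.com, which is exactly what hovering would have shown; the visible words of a link are no evidence of where it goes.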
Crikey, PINs must be safe: they’ve been around for ages. And they use four digits!
Well, that’s only 10,000 combinations. The machine usually gives you three goes, so there’s a 1 in 3,333 chance of a guess being right.
And we make it even easier for the criminal: a recent study showed that 11% of PINs were ‘1234’ and 6% were ‘1111’; add ‘0000’ and 20% of all PINs are one of those three numbers.
You have to remember a PIN, and it is four digits. That means many people use a year, so the PIN is likely to be ‘19’ followed by a high number or ‘20’ followed by ‘00’ to ‘14’. This reduces the number of combinations to about 70 and 14 respectively. And these years will be all over your online profiles, making it easier still. So that’s a bad place to start.
Using a day/month combination isn’t much better than a year. You need to create what appears to be a random sequence. But avoid ‘2580’: that’s straight down the keypad and the 22nd most popular PIN.
One method is to use a number that you link to someone other than yourself, such as part of a friend’s phone number.
Another is to use the last digit of each of four dates that you can recall. So:
1952
1971
1986
1997
gives you 2167.
For the especially paranoid, take each away from 10, to get 8943.
The important thing is to move away from single dates.
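The PIN arithmetic in this section (10,000 combinations, three goes, the last-digit-of-four-dates trick and its take-away-from-10 variant) is small enough to check in a few lines. This is an added Python example, not the leaflet's own: alongside the arithmetic it includes a checker that flags the predictable PINs the text warns against. It generalises a little beyond the text: any PIN starting ‘19’ or ‘20’ is treated as a likely year, any pair of digits that reads as a day and month is treated as a date, and the ‘common PIN’ blocklist is just the four values the leaflet names, which is a constructed stand-in for a real list.

```python
"""Added example: PIN odds, the leaflet's date-based PIN recipe, and a weakness check."""

PIN_SPACE = 10 ** 4          # four digits: 10,000 combinations


def chance_in_three_tries(space: int = PIN_SPACE, tries: int = 3) -> float:
    """Probability that a guesser with `tries` attempts lands on the PIN:
    3 / 10,000, i.e. 1 in 3,333."""
    return tries / space


def pin_from_dates(years: list) -> str:
    """Leaflet method: the last digit of each of four memorable years.
    [1952, 1971, 1986, 1997] -> '2167'."""
    if len(years) != 4:
        raise ValueError("need exactly four dates")
    return "".join(str(y)[-1] for y in years)


def complement_pin(pin: str) -> str:
    """The 'especially paranoid' variant: each digit taken away from 10.
    '2167' -> '8943'. A 0 would give 10, so it is kept as 0 (an assumption;
    the leaflet's example contains no zero)."""
    return "".join(str((10 - int(d)) % 10) for d in pin)


# Constructed blocklist: only the PINs the leaflet itself names.
COMMON_PINS = {"1234", "1111", "0000", "2580"}


def pin_weaknesses(pin: str) -> list:
    """Return the reasons a four-digit PIN is predictable (empty list if none)."""
    found = []
    if pin in COMMON_PINS:
        found.append("common")
    if len(set(pin)) == 1:
        found.append("repeated digit")
    digits = [int(d) for d in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        found.append("sequential")
    if pin[:2] in ("19", "20"):
        found.append("looks like a year")
    first, second = int(pin[:2]), int(pin[2:])
    day_month = 1 <= first <= 31 and 1 <= second <= 12
    month_day = 1 <= first <= 12 and 1 <= second <= 31
    if day_month or month_day:
        found.append("looks like a day/month")
    return found


if __name__ == "__main__":
    print(f"three goes at 10,000 PINs: 1 in {round(1 / chance_in_three_tries())}")
    pin = pin_from_dates([1952, 1971, 1986, 1997])
    print(pin, "->", complement_pin(pin))
    for candidate in ("1234", "1986", "2580", "1212", pin):
        print(candidate, pin_weaknesses(candidate) or "no obvious pattern")
```

The two PINs built by the leaflet's recipe come back clean, while a birth year, a keypad column or a day/month pair is caught by at least one rule, which is the practical difference between "a number I can recall" and "a number anyone reading my profile could recall".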
Keep secure by using unpredictable sequences and find ways to remember them.
Passwords and PINs are made more secure by length (if you have a choice), randomness and range - numbers and symbols.
Be careful what information you put on online profiles.
And finally, banks and other big companies don’t ask you for your password or logon details in an email.
So just be careful out there!