Password Security

An article in the Metro newspaper I picked up on the tube recently once again made the point about just how easy it is to hack most people’s web accounts.

I know this is true because, even though I know better, a little over a year ago I was sharing a password between multiple sites and my Apple ID got hacked. They got £30 of gift vouchers and Apple didn’t refund the money – I got away lightly – a friend lost over £100!

But it’s not just the financial loss, you could well be putting your friends and colleagues at risk too! If your Facebook/LinkedIn/Hotmail account is hacked then this can be used to post to your friends – “visit this site” or “open this document” and because it comes from you, someone they trust, they open it – but this installs a virus or a trojan and their credit card is stolen and their details are exploited – and it is partly your fault.

So what to do? Well, the first thing to do is make sure each and every site you use has a different and difficult password. Here is an example of the type of thing I mean:

/hFh=e5FvXx9-85YTeH6-Q5hq:-S<9

and I have over 350 logins to deal with!

This is not as difficult as you might think. I use a password management application. In my case it is mSecure but there are plenty out there to choose from (see a list at the bottom of this page). Most of the packages offer a desktop and smart phone version and allow you to sync them up (which you should do regularly).

Typically you fill in four fields: a description (e.g. the site name), the URL of the site, your username and your password. One of the main features here is that the app can generate a password for you. My default password setting is for a generated password to be 30 characters long with a mixture of upper and lower case characters, numbers and special characters, just like the one above. When you need to use this password you can just cut and paste it from the app into the password field of the website and not have to worry about typing it all out.
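The generation setting described above (30 characters drawn from upper case, lower case, numbers and special characters) can be sketched as follows. This is an added example, not mSecure's code; the function names and the use of Python's `secrets` module are assumptions made for illustration.

```python
import math
import secrets
import string

# Character classes matching the article's description: upper and lower case,
# numbers and special characters.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def generate_password(length=30):
    """Return a random password containing at least one character per class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        # secrets draws from the operating system's CSPRNG, unlike random.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Resample the whole string rather than patching in missing classes,
        # so every accepted password is equally likely.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length=30, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy: log2 of the number of possible strings."""
    return length * math.log2(alphabet_size)


def classes_present(password):
    """Report which character classes occur in a password."""
    names = ("lower", "upper", "digit", "special")
    return {n: any(ch in cls for ch in password)
            for n, cls in zip(names, CLASSES)}


if __name__ == "__main__":
    pw = generate_password()
    print(pw, classes_present(pw), round(entropy_bits(), 1))
```

At 30 characters from a 94-character alphabet the search space is just under 197 bits, which is why such a password only needs to be unique per site, not memorable.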

When I started using a password manager I made sure that for a couple of weeks every time I went to a website that it was in the password manager – very quickly I had done the majority of the sites that I use – but I still keep finding the odd one that I haven’t changed yet.

Of course this is not perfect – you now have all your passwords in one place and you could lose your phone etc. So here are some of the other things that you need to do to make it secure:

  • Make sure that the app you use autolocks after a short time
  • Make sure you set a secure (memorable) password for the application
  • Make sure your telephone locks after a short time
  • Do not use your credit card pin for your phone pin
  • Do not use your alarm system pin for your phone pin
  • Enable the ‘Find My Phone’ and ‘Remote Wipe’ features if your smart phone has them (e.g. Apple)
  • Use a ‘wrong’ answer for popular reminder questions – What is your mother’s maiden name? slartibartfast. Why? Because the real answer is a matter of public record
  • Don’t use pattern pins and passwords e.g. 0000, 1234, 2580, etc.
  • Don’t use familiar words – family member names, car registrations, telephone numbers, etc.
  • Change your passwords periodically
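The pattern PINs named in the list above (0000, 1234, 2580) fall into recognisable families, and a check along these lines can reject them when a PIN is set. This is an added example, not code from any app mentioned here; the function name and the rule set are assumptions and are not exhaustive.

```python
# Phone keypad layout as (row, column), used to spot PINs traced as a
# straight line on the keys. 2580 is the middle column, top to bottom.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def pin_weakness(pin):
    """Return a reason if the PIN follows an obvious pattern, else None."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < 4:
        return "not a PIN of at least four digits"
    if len(set(pin)) == 1:
        return "repeated digit"                      # e.g. 0000
    digits = [int(d) for d in pin]
    # Difference between neighbouring digits, modulo 10 so 8901 also counts.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):
        return "counting sequence"                   # e.g. 1234, 4321
    # The same (row, column) move between every pair of keys is a line.
    moves = {(KEYPAD[b][0] - KEYPAD[a][0], KEYPAD[b][1] - KEYPAD[a][1])
             for a, b in zip(pin, pin[1:])}
    if len(moves) == 1:
        return "straight line on the keypad"         # e.g. 2580
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        return "repeated pair"                       # e.g. 1212
    return None


if __name__ == "__main__":
    # Constructed sample PINs; the first three are the article's examples.
    for sample in ("0000", "1234", "2580", "1212", "7294"):
        print(sample, pin_weakness(sample))
```

A PIN that passes these rules can still be weak if it is a birthday or another familiar number, which is what the next item in the list covers.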

Some other considerations:

  • Do not use your work email address for any personal transactions – set up one specifically for this with someone like Google – but make sure it is someone you feel you can trust.
  • Set up the recover password options on your private email just in case it gets hacked
  • Make sure that your e-mail password is really secure – if I can use your e-mail I can then visit other websites and reset your password by asking the website to send me a new one because I have forgotten the old one.
  • Avoid saving your contacts and credit card details – you might keep them on sites you use regularly but many sites you will only ever use once and they don’t need to have this information
  • When making transactions on the web make sure you use secure sites (i.e. with https:) wherever possible.
  • When you get rid of a computer or smart phone make sure you wipe it – check with someone if you are not sure how to do this
  • Make sure that social networking accounts are set up for privacy and are secured as much as possible
  • If the site offers Two Factor Authentication – use it! e.g. PayPal lets you log in but before you can see any information it sends you a text with a four digit pin number in it. Only once you have entered your username, password and the pin will it let you see any information
  • Don’t save passwords on computers – or if you do, only save passwords on computers you own and preferably that need a password to log into as well. Be aware that when using a public computer or a friend’s or colleague’s computer they may have set it up to automatically save passwords without prompting you.
  • Shred any paperwork you would put in the bin – especially printouts from your on-line shopping

So there it is – just a start to making life a little more secure – there is much more that can be done but life is a balance of the risk against the convenience and despite everything that is said about protecting yourself very few people do even the most basic things.

And if you are wondering what that has to do with Data Management & Warehousing – the answer is very little but I constantly seem to be asked about this by friends or receiving e-mails from friends where their account has been hacked! You might also like this article about Facebook – An Introduction To Social Network Data. If you are interested in Business Intelligence, Management Information and Data Warehousing feel free to look around.


What the future might hold …


And what xkcd.com makes of it all


Other Password Managers

Here are some password management applications I am aware of – I’ve not tried them (other than mSecure) so this is not an endorsement of any of them

When you are looking for a password management application check that:

  • It stores the data in an encrypted format
  • It does not share any data with their website
  • It automatically locks the application after a short time
  • It requires a separate password to use the application
  • It can sync between your desktop and smart phone if you have one
  • It is downloaded from a reputable source (e.g. the Apple App Store)
  • It has an autowipe feature if the password is entered incorrectly too many times

3 thoughts on “Password Security”

  1. A friend, Jonathan Jenkyn, who works in computer security mailed me after seeing this blog post to say:

    I use LastPass for my password management for the following reasons:

    1) Same key gen facility as mSecure, but it has cross platform browser plugins to fill forms in for you automagically, and also a website to access if all else fails to get your details out

    2) It uses 2 factor authentication using the Google Authenticator on iPhone and Android… awesome!

    3) iPhone app so I can get to passwords wherever I am.

    4) They had a break in about 2 years ago, within minutes of the breach they came clean and told the customer base what went wrong, how the breach occurred, what was stolen and what they were doing to remedy the situation. I’m highly impressed by that!

  2. Gareth Husk says (on Facebook) “Personally I use 1password but I’m still struggling to find one to use at a team level for my ops guys – any suggestions? Would need to at least record accesses and sync across desktop and mobile.”
