Pass the Password
It’s only been a few weeks since one of the biggest ever hacks saw passwords and other user details stolen from no less than Yahoo. Yahoo have said that they believe the attack was “state-sponsored” but that credit cards and bank details were not stolen.
500 million users!
It’s been a few years since Yahoo was the internet’s home page of choice and it is easy to be unkind to this fallen giant – who thought Yahoo still had 500 million users to steal details from? Nevertheless, the Yahoo hack comes hot on the heels of another of the internet’s big beasts, LinkedIn, which suffered a similar fate in May 2016.
In this case, the data was hacked in 2012. Given the lead time, it seems probable that many other sites have been compromised that we just don’t know about yet. On that cheery note, Tandem think it’s never a bad time to review your passwords.
Here are some suggestions about how to put together a good password:
- Longer is better – some websites have length restrictions in any case
- Make it alphanumeric, but don’t just stick a 1 at the end and avoid birthday dates
- If applicable, throw in some capital letters – not necessarily at the start
- You can use memorable words, but preferably scrambled in some way, e.g. song lyrics, several words combined together
- Use the same core password, but with a unique twist for every site, e.g. for Facebook, add an extra “fb”
- Try a password generation website (e.g. passwordsgenerator.net) where you can specify the length of password and the sort of characters
Passwords should never include:
- your own name (e.g. JohnSmith)
- names of family or pets (e.g. snuffles)
- favourite TV shows or sports teams (e.g. gameofthrones, football)
- any word in the dictionary spelled in the usual way (e.g. aardvark)
- alphabetical or numerical sequences (e.g. abcdef123456)
- password, password1 etc.
- admin, administrator etc.
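The composition rules and the “never include” list above, turned into a small policy checker as an added example (this is not code from the original post). The dictionary, common-password and personal-term sets are constructed stand-ins for the much larger lists a real deployment would load, and the date and sequence checks are simple heuristics of my own.

```python
import re

# Constructed stand-ins for a real dictionary, a breach list and a user's own
# personal terms (name, pets, favourite shows or teams); a deployment would load far larger sets.
DICTIONARY_WORDS = {"aardvark", "monkey", "dragon"}
COMMON_PASSWORDS = {"password", "admin", "administrator", "qwerty", "letmein"}
PERSONAL_TERMS = {"johnsmith", "snuffles", "gameofthrones", "football"}  # hypothetical user

def has_sequence(s: str, run: int = 4) -> bool:
    """True if s holds `run` consecutive ascending or descending alphanumerics (abcd, 6543)."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):
            return True
    return False

def check_password(pw: str, personal_terms=PERSONAL_TERMS, min_len: int = 12) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    core = re.sub(r"[^a-z0-9]", "", pw.lower())  # letters/digits only, for word matching
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("not alphanumeric (needs both letters and digits)")
    if re.fullmatch(r"[A-Za-z]+\d", pw):
        problems.append("just a single digit stuck on the end")
    if re.search(r"(19|20)\d{2}|\d{2}[/.-]\d{2}", pw):  # heuristic for birthday-style dates
        problems.append("contains something that looks like a date")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letters")
    if has_sequence(pw):
        problems.append("contains an alphabetical or numerical sequence")
    base = re.sub(r"\d+$", "", core)  # drop trailing digits so password1 is treated as password
    if base in COMMON_PASSWORDS:
        problems.append("common placeholder password (password1, admin, ...)")
    if base in DICTIONARY_WORDS:
        problems.append("a dictionary word spelled the usual way")
    for term in personal_terms:
        if term in core:
            problems.append(f"contains personal term '{term}'")
    return problems

if __name__ == "__main__":
    for candidate in ("aardvark", "JohnSmith1985", "Password1", "abcdef123456", "RebelRebelYour9Face!"):
        print(candidate, "->", check_password(candidate) or "OK")
```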
A beautiful and unique snowflake
Ideally all your passwords will be unique, so that if a hacker gets hold of one they don’t suddenly possess the keys to every part of your particular kingdom. Everyone is told this, but if the hacks show us anything, it’s that surprisingly few users follow this advice in reality. You could use a core chunk of password with unique variations as required.
At the very least, you should take extra care to come up with complex (and unique) passwords for your main email login and a different one if you have online banking.
Online banking speaks for itself, but your main email account is probably more important. Consider what happens if a hacker gets in here – every other account you have will have its password reset emails sent here. If this central domino falls, the others, grimly and inevitably, fall too.
One reinforced basket
If you have a lot of passwords to use, there is password management software. One of the best known of these is LastPass. This can be useful for businesses to share passwords around those who need them, whilst avoiding passing the information in an unencrypted fashion.
Don’t forget the password for this.
Password for the Future
The concept of the password is virtually as old as language itself. Periodically there are doom-laden predictions of the death of the password, or at least its slow lingering demise. There is no prospect yet of this actually occurring and in any case, passwords rarely operate in isolation these days.
Two-factor authentication (something the user has and something the user knows), like additional security questions or phone verification, adds security muscle. The captcha is a real opinion polariser but provides some resistance to brute force attacks.
Perhaps the most interesting developments are biological identifiers such as fingerprints and retina scans, which may well make inroads into the password’s traditional domain in the future.