Time to reset your Password (again!)

We’ve seen a lot of “change your password” announcements this week, and firms that have admitted to having their password security breached have tumbled like dominoes.

It started big with the news that 6.5 million passwords had found their way out of LinkedIn, and then spread to other web sites like the dating site eHarmony and the music service Last.fm.

This might be just the tip of the iceberg, too. There are rumours in the wild about other web sites that might also be affected, meaning that other users could also be at risk. Over the course of this past week, online passwords, the way they are stored and the way they are protected, have been shown to be something of a joke.

LinkedIn was found to be using encrypted but unsalted passwords, something that earned it responses from the security community along the lines of “It is not enough,” “You goofed,” and finally “If they had consulted with anyone that knows anything about password security, this would not have happened.”

The passwords, even though they are protected in some way, are being cracked right now, and the unsalted bag of 6.5 million login credentials is falling day by day.
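To make the “unsalted” complaint concrete, here is an added Python example (not from the original post, and not LinkedIn’s code): the same constructed accounts stored first as unsalted hashes and then with a per-user random salt and a slow key-derivation function. The account names, passwords, guess list and the choice of PBKDF2 are all assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # work factor for the slow KDF (chosen for this example)

# Constructed sample accounts, not data from any real leak.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}
# Constructed stand-in for a short common-password list.
COMMON_GUESSES = ["password", "linkedin2012", "123456"]


def hash_unsalted(password: str) -> str:
    """Unsalted SHA-1: identical passwords always give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes = b"") -> tuple:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_unsalted(users: dict) -> dict:
    return {name: hash_unsalted(pw) for name, pw in users.items()}


def build_salted(users: dict) -> dict:
    return {name: hash_salted(pw) for name, pw in users.items()}


def matched_by_lookup_table(stored_hex_digests: list, guesses: list) -> int:
    """How many stored records ONE precomputed table of guess hashes matches.

    Unsalted: the table is built once and hits every reused password in the
    dump. Salted: the same table hits nothing, since each record would need
    its own salt-specific computation.
    """
    table = {hash_unsalted(g) for g in guesses}
    return sum(1 for d in stored_hex_digests if d in table)
```

With the three constructed accounts, the unsalted store has only two distinct digests (alice and bob collapse to one) and a single lookup table matches both of them, while the salted store has three distinct digests and the table matches none.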

The message from the victim firms is that they do treat security seriously. For example, they won’t be emailing any links to password changing web pages, in order to thwart phishers. But do they really have good security? And isn’t it too late anyway?

They’ve chosen to spin out the same old messages about how important the users’ choice of a password is. It should be long, complicated, changed regularly, uncrackable, and memorable.

It’s the last part that is a problem. If you can remember a password then someone can probably guess it. Most people can’t remember their own mobile phone numbers these days, never mind a complex string of capital and lower-case letters, punctuation marks and numbers.

One solution to this, and one that I am considering trying, is to write a password on a rock and throw it into the sea. That way no one will stumble upon it, and you will know where it is when you need it.

Well that’s not really a solution.

Another staggeringly complex solution would be to give your password to a friend, but not tell them what it was for. Under this system a friend, we’ll call him John, would have your login to Twitter for example, but not know what it was for.

You would have to assume that he would not be curious enough to try it on any of the big web sites, and rely on him to tell you what it is every and any time that you need it.

This would work like the automated password request option you find on most web sites, but would not require you to rely on a third-party provider that has better things to do with your data, like sell it, for example.

The “John System” as I am temporarily calling it, relies on you staying friends with your friends.

In the meantime, the more random a password you use the better. If we can’t rely on companies to encrypt them properly then it is up to us to do as much as we can to make them into the sort of cryptic puzzles that keep mathematicians drinking coffee.

Random password generators are good for this, because they remove any trace of personality from your choice of password, making it harder for people to guess them using social engineering.

Or you could choose to only join those web sites that you think you can trust. This might only be a small list, but hey, that’s the nature of the internet. You can moan all you want about what happens to your data after a security breach, but if you’ve chosen to use a weak password on a crappy web site then you are doomed from the start.

The internet isn’t a theme park, it’s the Wild West.

About SCB Enterprises
System Solutions and Integration
