
Creating an Illogical Password to Beat the Bad Guys

AVG (AU/NZ)’s Guide To Password Best Practice

Melbourne and Amsterdam, 17 August 2010. It’s a sad fact, but people don’t take passwords seriously enough. You could almost write a comedy sketch about the ‘obvious’ passwords that so many people use. A password consisting of the numbers “one to 10” is not uncommon, as is simply the word “password” or “admin” or the user’s first name. Last year, 20,000 Yahoo, AOL and Hotmail passwords were hacked, and the most popular password among them turned out to be ‘123456’!

Lloyd Borrett, Security Evangelist for AVG (AU/NZ) says, “Using the name of your first pet or school, your birth date or your mother’s maiden name, is not smart either as this information is often favoured by banks as a means of identifying you. Putting it out digitally in any form (even if that is onto a comparatively secure website or not) is simply not good sense.”

“To continue reading this piece, please enter a password. If you do not have a password please create one now of at least eight characters in length. Please use a combination of CAPS and lowercase letters and numbers.”

How familiar is that? How many times do we see those instructions and just blindly type in something meaningless so that we can continue surfing?

Borrett continues, “The problem is that there are so many ‘light’ password gateways today. Web sites seek to create ‘sticky’ pages that users will repeatedly revisit by offering password access only. But these gateways obfuscate the importance of the ‘heavy’ passwords that you need to keep close to your chest and that you need to create intelligently.

“Just to be clear, there is no industry de facto term that defines a ‘heavy’ password – we are simply drawing a distinction between a casually used password that might for example let you view an online news item, to that of your online banking password which should be ultra-robust and definitely not the same as the one you use to access social networking sites like Facebook.”

So What Makes a Good Password?

Firstly and most importantly of all, a good password is a password you can stick with. You do not have to change your password every 90 days (or however often you have been advised) but you could do. There are no ground rules on this one and the jury is out from a technical perspective as to whether this process simply opens up more hacker gateways or whether it closes them down.

What is important is that you are supremely obscure. Don’t use any of the cardinal numbers in order, even if you start at 3, 4, 5. Don’t even use them in sequence as in 3, 5, 7. Use them backwards and interspersed with letters (both upper and lower case) and characters from the top line of your keyboard such as !, #, – and *, for example.

But that is just the start. If a hacker has managed to steal a copy of your password, it is most likely that he or she will only have an encrypted value of your password. The hacker will start using password hacker systems, which will initially attempt to use human language dictionaries and human behaviour logic to crack your secret code.

So be as illogical as you possibly can be. Don’t use the word ‘frogspawn’ when you could use ‘spawnfrog’ and so on.

“Carrying that ‘illogical’ theme forward, use your brain to outwit any computer password hacking software. Humans are visual thinkers, so this means we can visualise clearly in our own heads something that might not be part of the real world,” Borrett says.

“Have you ever seen a purple elephant? Neither have I, so that’s a good image – and therefore a good phrase to use. Why stop at purple, let’s choose a more creative colour such as ochre, fuchsia or puce. Why stop at elephants, let’s choose echidnas, possums, wombats and so on.

“Of course, some security experts say that we shouldn’t use any dictionary words from any language in a password. One way around this is to use product names and numbers instead. Most of us can easily visualise obscure products we own (e.g. scuba diving regulator) and recall its product number (e.g. Apeks XTX200). Then we just mangle the product number a bit.

“So let’s be clear – we are not saying that ‘OchrE59EchIdnA18!*’ or ‘ApEx!xtx-2o0’ are not the best passwords you’ll ever come up with, but it’s certainly going to help you if you think along these lines,” Borrett concludes.

Seven Steps To Password Perfection:

1. Don’t use cardinal numbers in order: 1,2,3,4,5 etc. is not clever.

2. Think illogically; computers rely on logic to operate.

3. Be obtuse, think outside the box, invent a new word!

4. Never use your mother’s maiden name or any password that your bank might use.

5. Mix keyboard characters such as the asterisk with letters and numbers.

6. Use a mixture of upper and lower case letters.

7. Always change default passwords from ‘password’ or ‘admin’.

And lastly and very importantly NEVER tick the ‘remember this password’ box.
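The checklist above can be turned into an automated check at the point where a password is chosen. The following Python sketch is an added example, not AVG's code: the function names, the three-digit run length and the `personal_terms` parameter are assumptions made for illustration, and it tests only the rules listed in this article.

```python
import re
import string

DEFAULTS = {"password", "admin"}      # step 7: defaults named in the article
SYMBOLS = set(string.punctuation)     # step 5: non-alphanumeric keyboard characters


def has_ascending_digits(pw, run=3):
    """Step 1: True if `run` adjacent digits rise by a constant step (345, 357)."""
    for digits in re.findall(r"\d+", pw):
        vals = [int(d) for d in digits]
        for i in range(len(vals) - run + 1):
            window = vals[i:i + run]
            steps = {b - a for a, b in zip(window, window[1:])}
            # Descending runs pass: the article suggests using numbers backwards.
            if len(steps) == 1 and steps.pop() > 0:
                return True
    return False


def check_password(pw, personal_terms=()):
    """Return the rules from the article's checklist that `pw` breaks."""
    findings = []
    lowered = pw.lower()
    if lowered in DEFAULTS:
        findings.append("default password")
    if has_ascending_digits(pw):
        findings.append("digits in ascending order")
    # Step 4: the caller supplies bank-style identifiers (maiden name, pet, school).
    if any(t and t.lower() in lowered for t in personal_terms):
        findings.append("contains personal term")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        findings.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in pw):
        findings.append("no digits")
    if not any(c in SYMBOLS for c in pw):
        findings.append("no keyboard symbols")
    return findings


if __name__ == "__main__":
    # Constructed samples; the first two are the examples quoted in the article.
    for sample in ["OchrE59EchIdnA18!*", "ApEx!xtx-2o0", "123456", "password"]:
        print(sample, "->", check_password(sample) or "passes the checklist")
```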

AVG (AU/NZ) has a comprehensive range of security tips for home and business users on its web site at www.avg.com.au/resources/security-tips/.

About AVG (AU/NZ) Pty Ltd — www.avg.com.au

Based in Melbourne, AVG (AU/NZ) Pty Ltd distributes the AVG range of Anti-Virus and Internet Security products in Australia, New Zealand and the South Pacific. AVG software solutions provide complete real-time protection against the malware, viruses, spam, spyware, adware, worms, Trojans, phishing and exploits used by cyber-criminals, hackers, scammers and identity thieves. AVG protects everything important and personal inside computers — documents, account details and passwords, music, photos and more — all while allowing users to work, bank, shop and play games online in safety.

AVG provides outstanding technical solutions and exceptional value for consumers, small to medium business and enterprise clients. AVG delivers always-on, always up-to-date protection across desktop and notebook PCs, plus file and e-mail servers in the home and at work in SMBs, corporations, government agencies and educational institutions.