Comment: Why we still fail the online security test
By Peter Norrington, University of Bedfordshire
It’s as easy as “123456”, or so we’ve learned from Splashdata’s annual worst password of the year list.
Slipping down to number two in this most recent list was last year’s favourite, the ever-popular password, “password”. It might be funny to laugh at the fools who use passwords like this but is your record really any better?
The top 25 list makes delightful reading: iloveyou, letmein, monkey, shadow, sunshine and princess all feature. If you prefer to lock up your data with numbers, there’s the full range, from 1234 to the ingenious 123456789. Or if you’re feeling powerful, how about admin? That’s a long-time favourite.
There’s a very simple point behind the use of passwords like this: we go online to get things done. We share photos with friends and family, shop, bank, book holidays, read the news, and, of course, work. We don’t go online for the joy of setting up a username and password. All we want is to log in and get on.
Advice to create “strong” passwords like XF8!#Sr fails because we won’t remember these a month, or even minutes, later. We do like passwords that are easy: birthdays, people’s names, pets, the name of the website we’re on. But these are surprisingly easy for other people to work out. And talk about “good” passwords doesn’t make any difference if you’re not convinced it’s worth the effort.
Letting people into your accounts has consequences, from the annoying to the dangerous. They can change information for a prank, like saying your relationship has ended when it hasn’t. But they might also order goods in your name or take your money. They might even send porn to your boss, stalk you or talk about you in the press. There is also information in your accounts about your family, friends and colleagues, so it’s not just you at risk.
What makes a strong password?
According to Tony Neate, head of Get Safe Online, the government initiative to help the public understand what they can do to protect themselves, even using a password as simple as abc123 is better than having none at all. Do note though, he’s not actually saying use abc123. You’ll notice it’s on the worst of 2013 list already.
There are some simple rules to building good passwords that you should follow though. Do use eight characters or more, since short is always weak, and do use phrases. It helps if they’re ones that mean something to you, but other people wouldn’t know. Or make up a nonsense one, like greenideassleepfuriously. Don’t use this exact one; it’s got history.
You could also use abbreviated phrases and, again, they’re better if other people don’t know them. Spot how this, gNdSsPfY, relates to the phrase above. And when you decide on your password, it’s best to use a mix of lowercase and uppercase letters and numbers, and to add in some other characters (like ! @ %).
What you really shouldn’t do is use a single word, not even ones you think no-one else knows. They are all in a dictionary and can therefore be found by potential hackers or thieves, especially when they use automated techniques to test out all the different options in a matter of seconds. Even if you think it’s smart, remember that foreign words are also in dictionaries. So are names of people, places, your favourite club and your company name.
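As an added illustration that is not part of the article, here is a small Python checker that encodes the rules above (eight characters or more, no single dictionary word or name, a mix of character classes) and runs it over the passwords the article quotes from the worst-of-2013 list. The word list is a constructed stand-in for a real dictionary and common-password list.

```python
import re
import string

# Constructed stand-in for a real word list. The article notes that names,
# places, clubs and company names are in such lists too, so a few are included.
WORD_LIST = {"password", "monkey", "shadow", "sunshine", "princess", "admin",
             "letmein", "iloveyou", "abc", "london", "arsenal", "adobe", "fido"}

MIN_LENGTH = 8  # the article's floor: "short is always weak"

# Passwords quoted in the article from Splashdata's 2013 list
WORST_2013_SAMPLE = ["123456", "password", "iloveyou", "letmein", "monkey",
                     "shadow", "sunshine", "princess", "1234", "123456789",
                     "admin", "abc123"]


def character_classes(pw):
    """Count how many of lower, upper, digit and symbol appear in pw."""
    return sum([any(c.islower() for c in pw),
                any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw),
                any(c in string.punctuation for c in pw)])


def check_password(pw):
    """Return (weak, notes). weak is True when a hard rule is broken;
    notes lists every rule from the article that pw does not meet."""
    notes = []
    weak = False
    if len(pw) < MIN_LENGTH:
        notes.append("shorter than 8 characters")
        weak = True
    if pw.isdigit():
        notes.append("digits only")
        weak = True
    # Strip trailing digits/symbols so 'monkey1!' still counts as the
    # single dictionary word 'monkey', which automated guessing would try.
    core = re.sub(r"[^A-Za-z]+$", "", pw).lower()
    if core in WORD_LIST:
        notes.append("a single dictionary word or name")
        weak = True
    if character_classes(pw) < 3:
        notes.append("mix in upper/lower case, digits and symbols")
    return weak, notes


def flagged(passwords):
    """Return the subset of passwords the checker rates as weak."""
    return [pw for pw in passwords if check_password(pw)[0]]
```

Note that the author's own suggestion, greenideassleepfuriously, passes the hard rules on length alone but still picks up the advisory note about mixing character classes.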
And a note to mobile phone users who connect dots on a screen to produce a shape that unlocks the device: while these can be easier to use, it isn’t yet clear that they’re any safer than a password or code in the long run. Humans like patterns, so we draw simple shapes, like squares, and even use letters, say a big X. We are predictable animals.
What else can I do?
Biometrics use fingerprints and face recognition to secure devices and information but their uptake has been limited so far. This type of technology generally still works best in controlled environments, like airports.
Password managers are also an option. These store lots of easier-to-remember passwords in a file or system protected by one much stronger password. Generally you have to pay to use these, and indeed companies such as Splashdata offer services like this and benefit from worst password lists. This isn’t a surprise; they are putting in effort to make something that works.
There’s also research into alternatives to text-based passwords which might offer a ray of hope to those of us who can’t move on from abc1234. Examples include clicking or tapping on different parts of a picture, solving puzzles, and recognising faces. The general idea is that humans are better at remembering images than words or jumbles of characters.
If you choose easy passwords, sadly, you do leave yourself open to other people’s bad intentions. But it isn’t just down to you as an individual, and blame doesn’t help. The web is becoming part of so much of our lives but is still new to all of us. Being safe and secure online has to be learnt and taught – and not by accident or magic.
Initiatives such as Get Safe Online are part of the education we need as a society. So is accessible education for people of all ages and backgrounds. Organisations, commercial or not, need to play an active and responsible role in keeping people’s data secure, and making sure that passwords are used well.
In fact, the worst passwords of the year lists are informed by the mistakes that companies, not users, make. Splashdata was able to identify what the most commonly used passwords were in the first place largely because software company Adobe lost data on 150 million customers.
We should work to inform ourselves and share information with those around us about how to keep our information secure. Just don’t share your password.
Peter Norrington received funding from The Engineering and Physical Sciences Research Council (EPSRC) and Kinetic Solutions Ltd. under Industrial CASE Training Grant 4302508.