Safe and Secure


Many years ago, I got a book called The Hacker's Handbook for my birthday. It was full of rather vague suggestions - presumably highly censored - about breaking passwords, finding backdoors, and exploiting common weaknesses in the human element of computing.

Have you ever used one of these as your password?

  • 12345 (or some variation)
  • 111111 (or some variation)
  • Stonehenge
  • Hypodermic
  • God (yes, "God" is an amazingly common password - though I've never heard of "Jesus" being used)
  • Sex (hah)
  • Fred (four letters next to each other on the QWERTY keyboard)
  • Secret (a common default password)
  • Password / Pass (another common default)
  • Blank / Empty
  • LetMeIn
  • [An actual empty password] (I did use this one once, but only by accident)
  • [Your pet's name]
  • [Your significant other's name]
  • [Your mother's maiden name] (some people think they're being really crafty with this one)
  • [Your mother-in-law's name] (very common, for some bizarre psychological reason)
  • [Your own fucking name] (I've seen seasoned professionals do this)


If the answer's yes, I hope you're not in charge of any computer security.
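One way to turn the list above into a defender-side check, as an added example that is not part of the original post: it flags the obvious patterns named here (common defaults, digit runs like 12345, repeats like 111111, adjacent keys like "fred", and personal names) so a signup or password-change form can refuse them. The word list and the 12-character minimum are assumptions, not anything the post prescribes.

```python
import re

# Defaults and favourites named in the post (constructed list, not exhaustive).
COMMON = {"god", "jesus", "sex", "fred", "secret", "password", "pass", "blank",
          "empty", "letmein", "stonehenge", "hypodermic"}

# Key coordinates on a US QWERTY layout. The rows are staggered, so two keys
# count as neighbours when they are within one step horizontally and vertically.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS = {ch: (x, y) for y, row in enumerate(_ROWS) for x, ch in enumerate(row)}


def _is_keyboard_walk(pw: str) -> bool:
    """True when every consecutive pair of keys is adjacent, e.g. 'fred' or 'qwerty'."""
    if len(pw) < 4 or any(ch not in _POS for ch in pw):
        return False
    return all(max(abs(_POS[a][0] - _POS[b][0]), abs(_POS[a][1] - _POS[b][1])) == 1
               for a, b in zip(pw, pw[1:]))


def _is_sequence(pw: str) -> bool:
    """True for runs of consecutive characters in either direction, e.g. '12345' or 'edcba'."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 3 and steps in ({1}, {-1})


def weak_password_reasons(password: str, personal_names=()) -> list:
    """Return why a password is obvious; an empty list means it passes every check."""
    pw = password.strip().lower()
    base = re.sub(r"[0-9!@#$%^&*]+$", "", pw)   # treat 'password1' as 'password'
    reasons = []
    if not pw:
        reasons.append("empty password")
    if pw in COMMON or base in COMMON:
        reasons.append("common default or well-known password")
    if pw and len(set(pw)) == 1:
        reasons.append("single repeated character")
    if _is_sequence(pw):
        reasons.append("sequential characters")
    if _is_keyboard_walk(pw):
        reasons.append("adjacent keys on the keyboard")
    for name in personal_names:          # pet, partner, mother's maiden name, your own
        if name and name.lower() in pw:
            reasons.append(f"contains personal name '{name}'")
    if len(password) < 12:               # assumed minimum length, not from the post
        reasons.append("shorter than 12 characters")
    return reasons
```

Call `weak_password_reasons(candidate, personal_names=[...])` at registration time and reject the candidate whenever the returned list is non-empty.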

Anyway, one message came across loud and clear from that little book: Perfect security may be impossible, but you can get as close as humanly possible by:

(1) Avoiding obvious passwords
(2) Not having computers unnecessarily networked
(3) Proper physical security - a strong lock and a single key with you at all times saves a lot of trouble, and finally...
(4) A team of highly trained, highly paid computer security experts, working in shifts so someone's there at all times.

Guess which of these get treated by banks as "unnecessary expense"...until they get hacked?

Oh, and there's one other measure you can take - something so obvious only a professional consultant could miss it. Don't write anything down unless you really have to. Use your memory.

The British government may think it's okay to leave state secrets in taxis and lose CDs of everyone's personal details with the access codes written on the disc several times a year...but you don't have to.

Now, for the single user, or even the small business, security comes down to firewalls, virus scans...and, yes, passwords. And if you're anything like this single user, you've been using the same set of passwords for years - because they're the ones you first thought of, you're used to them now, you can't think of new ones, and you reckon no one else could guess them anyway. Although they probably have.

And because it's a lot of bother to change them. I changed all my passwords last night - ten email addresses, five forums, eBay and (the typically unhelpful) PayPal. It took three solid hours, none of which were remotely enjoyable.

The now replaced passwords were, amongst others:

  • A numerical character from my favourite TV show
  • A lovely band I once did a remix for
  • A screaming painting by Francis Bacon
  • A character from a James Bond movie - played by Lotte Lenya
  • The inevitable drugs reference
  • The registration number of a car my father used to own


The new ones are alphanumeric, longish, in three languages, and...ah, erm...

...I haven't memorised them yet. Which is why they're on a post-it note stuck to the laptop.

4 comments:

  1. Three of the companies I worked for used workers' initials and badge numbers as log on, then the word 'password' for initial log on, good for five log ons and then you must change the password. The passwords become active for 90 days, then the system resets back to default 'password'. Needless to say, if I wanted to, I could've gotten into anyone's account and used their access to get into various files.

    You know, I actually know a few idiots who wrote their PIN numbers on their credit and cash cards!

    P.S. Was one of your old passwords Octopussy?

    How about The Spice Girls?

  2. @Eroswings:

    A college I went to had all passwords default to "Secret" until you changed them - even if you never did.

    Thus the various students who failed to join their courses at the start had open and empty accounts, which came in useful when the rest of us ran out of space. Together with the various "demo" accounts which had been set up as a test and never deleted.

    Once, someone typed in "Engineer" as both username and password - a common backdoor - and accidentally crashed the whole network for a day.

    -----

    I've known a few people who weren't noticeably idiotic, who kept their PINs in their wallets.

    -----

    The old password was "Rosa Klebb" - the Russian psycho-lesbian in From Russia With Love. The one with the poisoned knives in her shoes.

    But I've never even been tempted to have anything to do with The Spice Girls.

  3. All my personal accounts are variations of one basic password. It’s 11 keystrokes, a mix of letters, numerals and symbols.

    My password at work is “secretary” because I use the secretary’s computer. Not very secure, but then discussion questions for the Wednesday night Bible study are hardly top secret.

    I have never ever written down any password or PIN. I was, however, stupid enough to choose a Doctor Who related identity for my former blog when everyone knows I’m a huge fan. Oh well, lesson learned.

    Ah, you don’t like the Spice Girls? How do you feel about Girls Aloud then?

  4. From now on I'll never be able to look at my keyboard without seeing Fred.

    I'm glad I don't know anyone I dislike by that name.
