Tips for tightening up password security
The present password regime is unfit for purpose so we should be adopting new measures...
Written on KL1515 flying from Amsterdam to Norwich and dispatched to silicon.com from my home over aggregated ADSL circuits five days later.
All the best security guidance says we should change our passwords regularly and make them long and complex. Do any of us heed this advice? Do we heck.
I've just read a report that says 75 per cent of us use the same password for Facebook and email, and on average we only have three passwords each.
That finding prompted me to do a personal password count. I have five that I use regularly without having to look them up and another 10 or so that are managed by a home-built encryption system.
So, what is the precise nature of my passwords? Not telling. But let me say they are a combination of letters and numbers of varying length. They all make sense to me and are easy to remember but present a bit of a challenge to an outsider.
I also grade them from very simple to very complex depending on the assets I am trying to protect. On the wi-fi security front, for example, they span 'no password at all' through to 'a very simple and singular word'.
Do I feel safe and secure using my current system of passwords? No. Do you? I suspect not. Do I use the same password for several accounts? Yes. Do you? I'd put money on it. The reality is that the password regime alone is no longer fit for purpose.
We are all fallible, habitual and lax, and we need something more - something subliminal, automatic and far more secure.
I regularly find passwords on Post-it notes and whiteboards, and on so many occasions when I ask people what their password is they just tell me. And this is before I just sit and watch someone type a password in full public gaze.
It is astonishing what you can learn just by watching and listening in a coffee shop and asking in an office. This is the first line of attack for any smart hacker, followed by password-cracking software that will guess a simple password in seconds or minutes.
What should we be doing? Please don't suggest we use a dongle as adopted by many banks and companies. Those things are a menace, really inconvenient and less secure than you might think.
I would suggest the best alternative is to adopt a non-commercial protocol or regime. A monoculture where we all do the same thing, or select from a narrow range of commercial products, just plays into the hands of the enemy.
I would recommend going for something unique and obscure by way of process, with information that only you know - and not a combination of memorable dates, names and things.
Concatenate all this with some unique aspects or facts drawn from your life - numbers and letters from the first car you purchased or a sailing dinghy, for example. Even better, choose a non-obvious login identity.
Combinations of passwords
You can also combine several passwords, split them into segments and type alternate segments backwards. None of these methods is perfect or beyond cracking, but they are pretty strong and, best of all, they let you create passwords that are simple and easy to remember.
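As an added worked example (not the column's own code), the following Python script builds a password by the recipe described in the last few paragraphs, concatenating personal fragments, splitting them into segments and reversing alternate ones, and then applies the check a practitioner would want: how much of the apparent strength survives against an attacker who has learned the recipe but not the fragments. The fragments, the pool sizes and the tiny search pools are constructed assumptions, not data from the column.

```python
"""Password recipe from the column: concatenate personal fragments, reverse
alternate segments.  Added example; fragments and pool sizes are constructed."""
import math
from itertools import product

# Constructed placeholder fragments (an old-style UK registration, a word, a year).
# In real use these would be facts only the owner knows.
FRAGMENTS = ["TYR 427", "mirror", "1978"]


def build_password(fragments, reverse_odd=True):
    """Strip spaces, reverse every second fragment, concatenate."""
    parts = []
    for i, frag in enumerate(fragments):
        frag = frag.replace(" ", "")
        if reverse_odd and i % 2 == 1:
            frag = frag[::-1]          # 'alternate the typing direction'
        parts.append(frag)
    return "".join(parts)


def naive_bits(password):
    """What a strength meter reports: log2(alphabet ** length), with the alphabet
    sized from the character classes present.  Ignores structure entirely."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33
    return len(password) * math.log2(alphabet)


def recipe_bits(pool_sizes):
    """Work for an attacker who knows the recipe but not the fragments: the product
    of the fragment pools, times 2 per segment for 'reversed or not'."""
    return math.log2(math.prod(pool_sizes) * 2 ** len(pool_sizes))


def guesses_to_find(password, pools):
    """Enumerate the recipe over small constructed pools; returns the guess count
    at which the password is hit, or None if it is not in the search space."""
    n = 0
    for choice in product(*pools):
        for toggles in product((False, True), repeat=len(pools)):
            n += 1
            cand = "".join(f[::-1] if t else f for f, t in zip(choice, toggles))
            if cand == password:
                return n
    return None


if __name__ == "__main__":
    pw = build_password(FRAGMENTS)
    print(pw)
    print(f"strength meter: {naive_bits(pw):.1f} bits")
    # Assumed pool sizes: ~17.6M old UK plates (26^3 * 1000), a 100k-word list, 121 years.
    print(f"recipe-aware attacker: {recipe_bits([26 ** 3 * 1000, 100_000, 121]):.1f} bits")
    tiny = [["ABC123", "TYR427"], ["sail", "mirror"], ["1978", "1979"]]  # constructed
    print("found after", guesses_to_find(pw, tiny), "guesses")
```

With these assumed pools the 16-character result scores about 95 bits on a character-class meter but only about 51 bits against someone who knows the recipe, and the reversal trick contributes at most one bit per segment, since a cracker simply tries each segment both ways. The strength that remains is almost entirely the obscurity of the fragments and of the recipe itself, which is the author's point about avoiding a monoculture, and also the reason memorable dates and names are ruled out above.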
Beyond these measures, fingerprint readers, facial recognition, voice recognisers and other biometric software can protect your machine, storage and network. Even more radical, 15 years ago I developed a system that recognised the rhythm of our typing.
This approach drew on my experiences using Morse code and the analysis of a walker's gait. All so simple, invisible and very hard to mimic. Such systems may now be available commercially.
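The typing-rhythm idea in the two paragraphs above, as an added example rather than the author's own system: it enrols a profile of inter-key intervals from several typings of a phrase and scores a fresh attempt by its average distance from that profile, so someone who has shoulder-surfed the password in the coffee shop but keys it to a different rhythm is still rejected. All timings are constructed, and the acceptance threshold is an assumption.

```python
"""Keystroke-rhythm check: added example, not the column author's system.
All timings below are constructed; the threshold is an assumption."""
import statistics


def key_intervals(timestamps_ms):
    """Flight times between successive key presses, from key-down timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def enroll(samples_ms):
    """Profile = per-position (mean, stdev) of intervals over several typings of
    the same phrase.  Stdev is floored at 1 ms so a perfectly consistent position
    neither divides by zero nor rejects every later attempt."""
    interval_sets = [key_intervals(s) for s in samples_ms]
    if len({len(x) for x in interval_sets}) != 1:
        raise ValueError("enrolment samples must have the same key count")
    columns = zip(*interval_sets)
    return [(statistics.mean(c), max(statistics.stdev(c), 1.0)) for c in columns]


def rhythm_distance(profile, timestamps_ms):
    """Mean absolute z-score of a fresh attempt against the profile."""
    ivals = key_intervals(timestamps_ms)
    if len(ivals) != len(profile):
        raise ValueError("wrong number of keystrokes")
    return sum(abs(x - m) / s for x, (m, s) in zip(ivals, profile)) / len(profile)


def matches(profile, timestamps_ms, threshold=2.0):
    """Accept when the attempt sits within `threshold` stdevs on average (assumed cut-off)."""
    return rhythm_distance(profile, timestamps_ms) <= threshold


def timestamps_from(intervals_ms, start=0):
    """Build key-down timestamps from a list of intervals (used for the samples)."""
    out = [start]
    for d in intervals_ms:
        out.append(out[-1] + d)
    return out


# Constructed data: the owner typing the same 8-key phrase four times.
OWNER_SAMPLES = [timestamps_from(iv) for iv in (
    [120, 95, 210, 80, 140, 100, 160],
    [125, 90, 205, 85, 135, 105, 165],
    [115, 100, 215, 78, 145, 98, 158],
    [122, 93, 208, 82, 138, 102, 162],
)]
OWNER_AGAIN = timestamps_from([121, 96, 211, 81, 141, 101, 161])
# Someone who watched the password being typed but keys it at a flat, even pace.
IMPOSTOR = timestamps_from([150] * 7)

PROFILE = enroll(OWNER_SAMPLES)

if __name__ == "__main__":
    print("owner   :", round(rhythm_distance(PROFILE, OWNER_AGAIN), 2), matches(PROFILE, OWNER_AGAIN))
    print("impostor:", round(rhythm_distance(PROFILE, IMPOSTOR), 2), matches(PROFILE, IMPOSTOR))
```

The profile here is only flight times between key-down events; a production system would also use dwell times and many more enrolment samples, and would tune the threshold against measured false-accept and false-reject rates rather than the fixed 2.0 assumed above.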
Just search the net, see what you can find and remember that when it comes to security, obscure and weird is good. Choose and implement a unique combination of measures and take that extra step by encrypting anything you really value.
Ultimately, it is not just we as individuals who are on the back foot and alone here. It is also industry, including all the tech enterprises.
The truth is we are naturally inclined to be lax when it comes to security and we do make it so very easy for those determined to break in and do their evil work. It really is time to think anew.