Bad Security Advice Can Be Catastrophic
UPDATE 2020: In this article I mention that many websites have self-service password reset functionality which will send you an SMS. Gabriel Friedlander notes in a recent post that, as hacking techniques develop over time, even SMS codes can be subverted. SMS codes are still secure, but by using social engineering they can be worked around.
UPDATE 2014: Following the publication of this post in early October the ABC IT security people significantly rewrote the article mentioned below to now offer some reasonably sound advice about obfuscating your password and some other tips. It appears the original article was generated by an unrelated (but presumably trusted) content provider and was passed to publication without review by the appropriately qualified people.
The Australian ABC Active Memory website recently published an article containing what it referred to as "Tips for remembering your password" (ABC). In reality the tips in the article are astoundingly bad security advice!
I actually had to read the article a couple of times to try to figure out if it was a joke. Far from providing readers with techniques to improve their memory and so remember their passwords, it actually recommends that readers create weak passwords and then write them down! There isn't a security agency in existence (outside of the ABC, of course) that would make these recommendations!
Following this advice pays lip service to security and leaves you worse off, because you have a false sense of security. It is analogous to the watertight compartments on the Titanic: the bulkheads did not go all the way up through every deck, so when the forward compartments flooded they pulled the bow down and the water simply spilled over the top into the next watertight compartment, and so on (National Geographic)!
The Titanic: is your security like this?
The article gives four very bad pieces of advice:
Bad Advice 1. Try to create a password that has some meaning to you, so you are less likely to forget it; and
Bad Advice 2. Using a formula will make your password easier to recall. You could combine your favourite colour or flower plus the year you were born, for example "Orange1965" or "Jasmine1965".
Don't do this, because knowing something about you is one technique hackers use to gain access to your password. To crack your account I first learn your login id and then start trying combinations of information I know has meaning to you, for example combinations of your birthday and your children's names. Not all sites have effective intrusion detection that locks accounts after a certain number of incorrect attempts; I could be attempting to log on to a site that lets me keep banging away with passwords until I hit the right combination.
Bad Advice 3. Avoid having multiple passwords for different accounts.
It is critical that you do use different passwords for different accounts: one for work, one for your bank, one for your insurance, one for Facebook, etc. If you don't keep them separate, then by discovering the password for your least secure online presence (that website you signed up to years ago that doesn't patch its servers and doesn't have good intrusion detection) I have discovered the password for all your other accounts, including, probably, your bank account.
- DO seriously consider using complex and random passwords
- DO have different passwords for each online presence you have
- DO NOT write your passwords down
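To put numbers on the difference between the "favourite colour or flower plus birth year" formula and a random password, here is a small added example (my code, not the ABC article's or anything from the linked sites). The word lists and year range are constructed assumptions; a real attacker wordlist would be much larger, which only makes the comparison starker.

```python
import math
import re
import secrets
import string

# Constructed sample lists, assumed for illustration only.
COLOURS = ["red", "orange", "yellow", "green", "blue",
           "purple", "pink", "black", "white", "brown"]
FLOWERS = ["rose", "jasmine", "tulip", "lily", "daisy",
           "orchid", "iris", "violet", "poppy", "lotus"]
YEARS = range(1930, 2015)  # plausible birth years for a 2014 reader (assumed)

# "Word + 4-digit year", as in the article's examples Orange1965 / Jasmine1965.
FORMULA_RE = re.compile(r"^([A-Za-z]+)(19\d\d|20[01]\d)$")
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def formula_keyspace():
    """Candidates an attacker needs to try for the formula: word (either
    capitalisation) times year, using the constructed lists above."""
    return (len(COLOURS) + len(FLOWERS)) * 2 * len(YEARS)


def matches_formula(password):
    """True if the password follows the colour/flower + year formula."""
    m = FORMULA_RE.match(password)
    if not m:
        return False
    word = m.group(1).lower()
    return word in COLOURS or word in FLOWERS


def random_password_bits(length, alphabet=ALPHABET):
    """Entropy (bits) of a uniformly random password over the alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length=16, alphabet=ALPHABET):
    """A random password, drawn with the CSPRNG in `secrets`, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def assess(password):
    """Estimate effective strength: formula passwords are only as strong as the
    formula's keyspace, whatever their length."""
    if matches_formula(password):
        return {"pattern": "word+year", "bits": math.log2(formula_keyspace())}
    return {"pattern": None, "bits": random_password_bits(len(password))}
```

With the constructed lists the formula yields 3400 candidates (under 12 bits), trivially exhausted against a site with no lockout, while a 16-character random password sits above 100 bits.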
More and more sites are implementing very easy-to-use password self-service reset functionality, where you click a link and have a system-generated password emailed to you or, even better, sent to you as an SMS. This means you can set a secure password on your email account (very long, very complex, very not written down; perhaps a pass-phrase rather than a password) and reset your other accounts' passwords each time you log on. You never have to remember them and have essentially set up two-factor authentication.
What are your tips for good password maintenance?
References:
ABC, 2014, Tips for remembering passwords, https://activememory.com/blog/2014/tips-for-remembering-passwords, retrieved 1 October 2014
National Geographic, 2014, Sinking of the Titanic, https://education.nationalgeographic.com.au/education/media/sinking-of-the-titanic, retrieved 1 October 2014
Ultimate Titanic, Titanic picture, https://www.ultimatetitanic.com/the-sinking, retrieved 1 October 2014
Solutions Architect at RACQ
Looks like they have removed it: "This article has been temporarily removed as the original article contained advice that did not meet best practice standards. To protect your online security, we are currently reviewing the content and will republish the article shortly. We apologise for any inconvenience." My password tip is to mash the keyboard to generate a random sequence and then memorise it the old-fashioned way. If you use it often enough you will remember it, and if you forget there is always the password reset option.