October 23, 2018

When Password Protection Doesn’t Mean Safe

hacking

By Nina Mulamba

Before you create a website, the site always demands that you have a mixture of upper and lower case letters, numbers and symbols. A GCHQ (Government Communications Head Quarters) report suggested complex passwords may actually be unreliable, because people often write them down or reuse the same one on many websites.

“Talking about a good password suggests that choosing a long or complex password offers better protection. That is not necessarily the case,” said Dr. Steven Murdoch from the Department of Computer Science at University College of London.

“Secure systems should not just rely on a single password, but have additional technical controls which the system owner can use to detect abnormal behavior and protect the user’s account.”

Using symbols and punctuation is also a nuisance for people using mobile devices and by the end of the day one goes to Google and searches, “How to choose a strong password” but Google doesn’t always have all the answers.

“Complex passwords are hard to type on touchscreens, since you have to toggle between keyboards,” said Dr. Angela Sasse, UCL’s head of information security research.

When it comes to strength and length, some security experts have recommended the adoption of “passphrases”, such as “Iown50%ofSClub7albums”. These are simple to remember.

“A longer password is preferable overall, but that has its own problems,” Dr. Sasse told the BBC. “More than 50% of passwords are now entered on touchscreen devices, and longer passphrases create a significant burden on touchscreen users.

Should you change your password every day?
Some companies like banks change their password every week or after some days to avoid attacks. However, the GCHQ report suggests that this leads people to choose incremental passwords and reuse the same password on a number of sites.

The report provided that enforcing regular changes imposes burdens on the user and carries no real benefits as stolen passwords are generally exploited immediately. Regular password changing harms rather than improves security.

Some institutions use a dedicated app or website to store all their passwords, so they can easily retrieve one if they forget it. However, those password managers also make huge mistakes.

“This app offers extra protection by storing memory cues about the password, rather than the password itself. It can help to reconstruct passwords you rarely use, but research has shown that even when people remember something such as the name of their school, they can’t reproduce the name exactly as they used it in their password,” said Dr. Sasse

In addition to entering your password, you also enter a single-use code which is sent to your mobile phone. Social networks like Facebook, Twitter and Google offer the feature for free.

“Never re-use important passwords like for online banking on other websites. Not all websites protect their passwords properly, or your password may be captured by malware. Use unique passwords with a password manager to keep track of them.” Dr. Sasse adds.

Related posts