David Emm is a Senior Security Researcher at Kaspersky Lab. Today we’re gonna be talking about password security, and David’s here with some great advice on how to keep secure your passwords to the websites and applications that you use and avoid getting hacked or losing control of your account.
– So, David, tell me what are some of the common password mistakes that people make, things that they do wrong when managing their passwords?
– One of the temptations is that, the more online passwords we need, we recycle them, so I have David1, David2, David3, David4 and so on. Or many people just use the same password for every online account – that too is probably one of the biggest dangers.
– Thanks for giving us all your passwords. So, people have a lot of websites and applications that they are trying to manage access to. It’s easy to get confused, so instead of doing David1, 2, 3, 4 – what should they do?
– Well, first of all people need to realize that actually passwords are the key to your online identity. So the last thing you wanna do is have the same key to every sort of piece of treasure you’ve got on the Internet. So what people really need to do is to think of ways in which they can come up with passwords that are unique to each online account – Facebook, the bank, Amazon, eBay and whatever it is they’re logging in to. Have a unique password. ‘Cause it sounds a lot easier than it actually is. You know, the danger that security professionals like us will say to people: “Use password sensibly, be careful”. But it really needs a bit more advice about how do people be careful online with passwords.
– Okay, and “unique” – you don’t mean just pick a word that no one’s ever used before, because that probably isn’t gonna work. What do you mean by “unique”?
– Well, first of all go for something that’s not in the dictionary. There are things out there which hackers use, called “dictionary attacks”. And these are programs which will cycle through dictionaries looking for normal words that can be found in any dictionary, and they will try and use those speculatively to get into your account. So first of all, don’t use real words. I guess the second piece of advice I would give is try not to use something that is obviously associated with you. So it might be, for example, that in a social network you are disclosing some information about who you are, what your interests and hobbies are. Try not to use something that’s obviously associated with you that somebody could find out about you from some obvious online channel.
– Your partner’s name or your children’s names?
– Exactly. Or, you know, something to do with one of your hobbies or something to do with your pets. Absolutely. So pick something that is not obvious in the dictionary, something that’s not disclosed in some obvious way online about you. And I guess the third thing I would say is mix it up a little. Don’t just go for letters. Go for letters and numbers. Don’t just go for letters and numbers, go for some non-alphanumeric character like semicolon or a full stop or, you know, an exclamation mark – something like that. And mix the three up, jumble it up.
– Okay, so if you’re mixing up and jumbling up words, how do you remember them without writing them down?
– That is real difficult. I mean it may be that people have twenty, thirty, even forty online accounts. And clearly, you’re not going to be able to easily remember forty passwords. So, well, a great tip really is to come up with some formula for creating the password in the first place. And then you sort of reverse engineer that formula every time you need to put it into the system. I’ll give you an example of what I mean. If I’m looking in to Amazon, maybe I could start with Amazon as the beginning of my formula. And I have a sort of four-step process which says, okay, take the first character (in this case an ‘A’) and move it to the end. The second step may be – put a full stop after the third character. The third step may be – capitalize the fifth character. And the forth step then says – well, take another of the characters and move its position in that string. So what you end up with, from the starting point of Amazon (the resource you’re logging in to) – you’ve scrambled it using an easy-to-remember four-step formula. And that four-step formula works if you then go to eBay, or if you then go to your bank or Facebook or anywhere else.
– Okay, so the name of the site then is the key to the passwords, and then you’re just using the same formula to scramble it?
– Exactly. And there are alternatives. I mean, another alternative is to actually have a pass phrase. You know, it may be that your starting point is something like “The quick brown fox jumps over the lazy dog”, which was the old phrase typed in by the old-fashioned typists, ‘cause it exercises every key on the keyboard. So, with that as your key phrase, you’re gonna remember your favourite pass phrase. And then, your four-step formula messes with that pass phrase. And so you end up there with a unique way of scrambling up that password.
– I know also that sometimes people have strong passwords but they can lose access to their account or have that account taken over by a hacker through other means, one of which is those question-and-answer features that websites use if you forget your password. Those could be a tool that hackers use to take control of the account. Can you talk about how that would work?
– Yeah, I mean it can be, I mean the danger. People that are designing passwords on sites know that people can forget them. So there’s normally some sort of challenge question: where you were born, who your first teacher was – that kind of thing. And that would be the challenge for resetting a password, and of course the danger is that some third party (somebody you don’t know, a stranger or potential attacker) could apply to reset the password in your name. On the upside of course, you are gonna be notified about that because you’ve pre-identified an Email address to get notified about that. So if anything like that happens, if you get notified by the vendor or the social network manager or whoever it is, that “Thank you for updating your password”, you think “Look, I didn’t do that” – that’s a warning right there.
– And then, for those challenge-and-response questions, pick things that somebody couldn’t figure out about you just by looking at your LinkedIn or Facebook account?
– Exactly. I always take the time on those things to choose the other option where I get to set what the challenge question will be rather than one of the standard ones that they provide.
– Okay, good advice. Password managers – there are all kinds. Kaspersky Lab has one with its antivirus software – Kaspersky Password Manager. There are free versions of it, there are online password managers. What’s your thought on those?
– Anything, really, that helps people deviate from the obvious thing (the same password or an easily recycled password) has got to be a good thing. So, they’re a good idea and, you know, if you look at the overall picture here – what we are trying to do as individuals is minimize the risk we take when we go online. Just make it harder, raise the bar. Just like at home, you install a burglar alarm which minimizes the chance that you get burgled – well, what we’re looking to do with passwords is to minimize the risk we’ve got to take. If some application would produce unique password for you and store that information, so it’s good because then you get to use hard-to-guess passwords.
– Okay, writing passwords down – we are often warned against that. Is that, you think, not necessarily always a bad thing?
– Yeah, I do. I think if you look in the enterprise, in the business world, there’s always the risk that somebody else who is visiting the company might look over your shoulder at a password written down on a posted note. So that’s not a good idea. But let’s face it as individuals working from home. The chances are they serve a criminal, also having physical access to look at a posted note or a notepad. It’s highly likely. So actually it’s not bad advice but you gotta watch out a little bit because it may be that, you know, you don’t want your teenage children to know what your account, your bank account password is. So you gotta be a little bit careful with that.
– Keep it in a secure place?
– Sure.
– David, thank you so much for talking with us about password security. Thanks for joining us.