Of Passwords and PINS (3)

8 02 2013

In the final part of this series I’ll look at PINs and what you can do to make them easier to remember.

PINs, generally 4 digits, are used to validate debit and credit cards, lock your iPhone, access buildings, secure safes and all manner of other things, and have become one of those things we all have to remember. A 4-digit card PIN only offers 10,000 possible combinations, so it’s not really that secure on its own, which is why so many systems operate a ‘3 strikes and you’re out’ lockout. But why only 4 digits? For the answer you have to ask John Shepherd-Barron, the inventor of the ATM. It seems that Mr Shepherd-Barron favoured using 6 digits, but his wife preferred 4!

In the same way as there are commonly used passwords (see the previous post for more details), there are some PINs which turn up all too frequently. A recent analysis by Data Genetics revealed how unimaginative people are. Over 10% of the PIN codes analysed were 1234, and 6% were 1111. The least common PIN was 8068, but it’s probably best not to use that now, as the bad guys can read the reports too.

Maybe you need a different approach. In the same way as you can have a memorable password, why not have memorable PINs? No! Not your birthday, your partner’s birthday or your house number; too many people already know them. But why not use the letters A through J to stand for the digits 1 to 9 and 0, and create a combination that is meaningful to you? The initials of the first four words of a favourite tune, the initials of four family members, the first four letters of your home town. One caveat: under that mapping only the letters A to J have a digit, so pick a word or set of initials that uses just those letters, and check that what comes out is not itself a date, a run like 1234 or one of the common PINs above.
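As an added illustration (this is example code written for this page, not something from the original post), here is the A=1 … I=9, J=0 mapping turned into a small checker: it derives the PIN from a word or set of initials and then applies the tests a careful person would run before adopting it. The list of common PINs is a constructed, illustrative subset and not the Data Genetics data.

```python
# Added example: derive a four-digit PIN from a mnemonic using the A-J mapping
# described above, then flag the obvious weaknesses before it is accepted.
import re
from datetime import date

# A..I -> 1..9, J -> 0. Letters K-Z have no digit under this scheme.
LETTER_TO_DIGIT = {chr(ord("A") + i): str((i + 1) % 10) for i in range(10)}

# Constructed, illustrative subset of frequently chosen PINs (not real survey data).
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969"}


def pin_from_mnemonic(text: str) -> str:
    """Map the first four letters of `text` to digits. Raises ValueError when a
    letter falls outside A-J, since the scheme has no digit for it."""
    letters = [c.upper() for c in text if c.isalpha()][:4]
    if len(letters) < 4:
        raise ValueError("need at least four letters")
    for c in letters:
        if c not in LETTER_TO_DIGIT:
            raise ValueError(f"letter {c} has no digit under the A-J mapping")
    return "".join(LETTER_TO_DIGIT[c] for c in letters)


def pin_weaknesses(pin: str) -> list:
    """Return the reasons a four-digit PIN is a poor choice (empty list = none found)."""
    problems = []
    if not re.fullmatch(r"\d{4}", pin):
        return ["not four digits"]
    if pin in COMMON_PINS:
        problems.append("on the common-PIN list")
    if len(set(pin)) == 1:
        problems.append("all one digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        problems.append("ascending or descending run")
    if pin[:2] == pin[2:]:
        problems.append("repeated pair")
    # Looks like a date: DDMM or MMDD.
    d, m = int(pin[:2]), int(pin[2:])
    if (1 <= d <= 31 and 1 <= m <= 12) or (1 <= m <= 31 and 1 <= d <= 12):
        problems.append("reads as a day/month date")
    # Looks like a birth year or a recent year.
    if 1920 <= int(pin) <= date.today().year:
        problems.append("reads as a year")
    return problems


def check_mnemonic(text: str) -> dict:
    """Derive a PIN from `text` and report its weaknesses, or say why it can't be derived."""
    try:
        pin = pin_from_mnemonic(text)
    except ValueError as err:
        return {"error": str(err)}
    return {"pin": pin, "problems": pin_weaknesses(pin)}


if __name__ == "__main__":
    for mnemonic in ("badge", "ABBA", "Norwich"):
        print(mnemonic, "->", check_mnemonic(mnemonic))
```

Note how ‘ABBA’ gives 1221, which is perfectly memorable but also reads as the 21st of December, so the checker flags it; ‘Norwich’ is rejected outright because N is outside A to J.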

Most organisations which require you to have a PIN allow you to change it, usually online or at the ATM, so that’s not much of a chore, BUT don’t change them all to the same value. Like passwords, it makes sense to have a variety of PINs, and to be honest you’re unlikely to have as many PINs as you have passwords (unless you collect credit cards as a hobby).

The standard instruction (as with passwords) is not to write them down, but again, as with passwords, there are variations on a theme. Clearly no-one would write in their diary ‘Barclaycard 1234; Amex 3456; M&S 4567’, would they? (Pause whilst some readers tear a page out of their diary.) But it is possible to be more discreet and still record those which you use less often, in the same way as you can record passwords.

The frequently used ones you will remember because you use them every day, especially if you made them memorable in the first place.

Anyway, that’s enough on Passwords and PINs, next time I’m going to start on Social Engineering and how the bad guys WILL obtain those carefully protected pieces of information you have created.

Until then, keep safe and keep aware

David

Of Passwords and PINS (2)

6 10 2012

In the last posting I briefly referred to ‘strong’ passwords and said I’d come back to them a bit later on. So, what is a ‘strong’ password? As I said last time, the holy grail of password creation is to have something which is easy to remember AND hard to guess. Individually these are simple to achieve, putting them together is a much harder task.
Before getting into the mechanics of password creation, let’s take a couple of seconds to think about how the ‘bad guys’ (and gals) will try to misuse them. At the most basic, they sit at a computer, enter your account name and then just try to guess your password by hitting characters on the keyboard. If the system allows infinite attempts then they can continue until they get bored or strike lucky. The more sophisticated attacks use technology, i.e. software, which performs the same activity but automatically. So-called ‘dictionary’ attacks do just that: the software has millions of words in its database and just trawls through them until it gets a match or runs out of words. The more sophisticated tools also apply character-replacement rules (more on that in a moment), which provide millions of additional permutations. The final way is to obtain the password file from the system itself, which is hopefully hashed rather than stored in clear. If it’s not, then it doesn’t matter how good your password is, they’ve got it! If it is, then the length and complexity you use will make it that much harder for ‘them’ to recover it.

So let’s look at our two objectives separately to see how we can solve the problem.
Picking something really obvious would be daft of course and no-one would do that would they? Think again, surveys of the most common passwords are produced every other week such as this report in the Daily Mail, with ‘Password’ and ‘123456’ always being in the top 10, (quick pause here whilst you go off and change yours?).
It is generally easier to remember something which is personal to you rather than a completely abstract item, but make it too personal (pet’s name, your birthday, mother’s maiden name(!)) and far too many other people will already know it. Quick aside here: just because you are asked to provide your mother’s maiden name at registration does not mean you actually have to provide the exact name. It’s a security control, not a test. Just make sure you remember what you tell them!
But there are things which are personal to you that you can use, as long as you mix it up a bit. Favourite places, favourite songs, recent events are all good sources for passwords; you can have those little triggers in the back of your mind to help you remember them BUT, as I’ve already said, you need to mix it up a bit, which is where we apply the ‘hard to guess’ angle.
Let’s start with the basics. Say you wanted to use the name of a city where you had a great weekend, such as Norwich. It’s quite hard to guess, unless people knew you liked it, and seven characters long so it’s not bad from that perspective, but it’s in every dictionary so would be a soft target from that angle. Simple character replacement and changing the case of the letters will make it a little harder to guess (e.g. N0rw1cH), but be aware that the better cracking tools try exactly those substitutions as a matter of routine. Moving the first and last characters into the middle (e.g. 0rwNH1c) breaks the word itself, so a wordlist-plus-rules attack no longer finds it, simples (as the Meerkat says). Seven characters are still within reach of a brute-force attempt against a poorly protected password file, though, so length matters too. And because the root (Norwich) is still a valid word and potentially guessable, another approach is to use a phrase as the root. Pick the first 8 words from a song and use the first letter from each word (e.g. gsogqllo – “God save our gracious queen…”), mix up the cases and do a bit of character replacement (G50gQll0), and Bob is your mother’s brother, as they say. You can try the same thing with the first words from a favourite book, or just a favourite saying. Easy to remember and hard to guess, just don’t hum the tune as you type it in!
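To make the attacker’s side of this concrete, here is an added example (written for this page, not from the original post) of the wordlist-plus-substitution attack described earlier, run against a constructed password file. The wordlist, the user names and the hashes are all made up for the demonstration; the file uses unsalted SHA-256, a realistic case of a leak that is hashed but not well. It shows that both Norwich and N0rw1cH are recovered, while the scrambled 0rwNH1c and the phrase-derived G50gQll0 are not, because neither appears in the wordlist in any substituted form.

```python
# Added example: a small rule-based dictionary attack against a constructed
# password file, illustrating which of the passwords above survive it.
import hashlib
import itertools

# Constructed wordlist standing in for the millions of words a real tool carries.
WORDLIST = ["password", "123456", "london", "norwich", "letmein", "qwerty"]

# Character-replacement rules: each letter may stay, change case, or become a look-alike.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def h(pw: str) -> str:
    """Unsalted SHA-256, the (weak) scheme the constructed file uses."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed "stolen" password file: user -> hash.
PASSWORD_FILE = {
    "alice": h("Norwich"),
    "bob": h("N0rw1cH"),
    "carol": h("0rwNH1c"),
    "dave": h("G50gQll0"),
}


def candidates(word: str):
    """Yield every case/substitution variant of `word` the rule set would try."""
    options = []
    for c in word.lower():
        alts = list(dict.fromkeys([c, c.upper(), *LEET.get(c, "")]))
        options.append(alts)
    for combo in itertools.product(*options):
        yield "".join(combo)


def crack(password_file: dict, wordlist) -> dict:
    """Return {user: recovered_password} for every hash matched by a wordlist variant."""
    targets = {digest: user for user, digest in password_file.items()}
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            user = targets.get(h(cand))
            if user is not None and user not in found:
                found[user] = cand
    return found


if __name__ == "__main__":
    for user, pw in crack(PASSWORD_FILE, WORDLIST).items():
        print(f"{user}: {pw}")
    print("not recovered:", sorted(set(PASSWORD_FILE) - set(crack(PASSWORD_FILE, WORDLIST))))
```

The rule set turns ‘norwich’ into 384 candidates, which is nothing for a computer; the lesson is that substitution alone buys very little, whereas a root that is not a dictionary word buys a lot. A salted, slow hash on the server side would slow this attack down further still, but that part is out of your hands as a user.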
Now for the really clever bit. Best practice says have a different password for each account; common sense says you’re never going to remember all of those passwords. So how can you get the best of both worlds? If you take your common password, say G50gQll0, and then add two letters to signify the application you are using it for, e.g. FB for Facebook, HM for Hotmail, NW for your NatWest bank account etc., you have something you will always remember and something that will be extremely hard to guess. One caveat: if one site leaks your password in clear, the pattern (root plus site tag) is obvious to anyone reading it, so treat this as better than reusing one password everywhere, not as good as a genuinely different password for each account that matters.
So there you have it, strong passwords with minimal effort.

Till next time

d4v1D
