- a string of characters that allows access to a computer, interface, or system.
- a secret word or phrase that must be used to gain admission to a place.
A password is the most common way to prove your identity. Using a strong password is essential to your privacy and security. And yet so many of us use the same weak, guessable, easily crackable password for everything. Having to remember dozens of different, long passwords containing a random mix of upper and lower case letters, numbers and symbols is difficult, impossible even. So we often choose dictionary words that have meaning for us: maybe the place where we were born, a pet’s name or our favourite football team, chelsea.
Then, either because the system insists on a capital letter and a number to make the password "stronger", or because we think we are being cunning, we replace some letters with numerals: an ‘a’ looks a bit like a 4, an ‘e’ like a 3, so we get Ch3lsea.
Having established a password that we believe no one we know could guess, and that is cunning enough to defeat any would-be hacker, we find that our system administrator demands that we change it every fortnight, month or term. Because thinking up a password and remembering it is difficult, we tend to recycle: Ch3lsea1, Ch3lsea2, Ch3lsea3…. Not a good idea, and using the same password for everything is an even worse one. If any of the above seems familiar, if it is how you manage your passwords (some of us must surely have more than one), or if you have never talked about password security with your pupils, please read on.
Easily guessable passwords
Words, phrases and numbers that have meaning for us, the dog’s name, a wedding anniversary, a favourite football team, are easy for us to remember but also easy for those who know us to guess. Your colleagues probably know your birthday (some schools help by displaying everyone’s birthday on the wall so that no-one forgets to buy them a card!). Your pupils probably know your children’s names, and everyone you connect with on Facebook knows where you were born, which football team you support and your pets’ names.
Who could guess your password?
Let’s now assume that your password isn’t your favourite football team and the hacker isn’t the mild-mannered year 6 teacher but a cyber-criminal.
How do hackers hack?
Hackers use a number of techniques and pieces of software to crack passwords. You can find the details on the internet: there are essays, videos, hints and tips. But every technique and every piece of software exploits the same weakness, the predictable choices we make when we pick our passwords. There is a list of the 10,000 most common passwords, compiled from passwords exposed in real data breaches. It is available online if you look hard enough, and every hacker has it. The most common password is… ‘password’. Other popular choices are: 123456, letmein, princess, qwerty and football. The most common 25 or 100 passwords are frequently quoted in news items about password security.
Check the list of the 500 most common passwords here: http://goo.gl/SVkrWD and make sure that yours isn’t on that list.
One strategy that hackers use is simply to run through the list of common passwords. If your password is on the list, it becomes the hacker’s password in a matter of seconds. If you use a dictionary word as a password, hackers will run through a dictionary, trying each word to see if it works. If that fails, they will try dictionary words with numbers appended and prepended, and with letters replaced by numbers and special characters.
For instance, a dictionary attack would look for the word "chelsea", whereas a hybrid attack would also look for "Ch3lse4". If those techniques fail, the hacker can fall back on a brute force attack, where every combination of letters, digits and special characters is attempted in turn. The more processing power a hacker has, the quicker and more successful they will be. Cracking software combines all of these techniques, running the cheap ones first, so that the attack is as efficient as possible. These guesses are usually made offline, against a stolen copy of a site’s password database, where nothing limits the rate; a login page that locks after a few failed attempts is a different matter. So what can we do to slow down, if not defeat, the password crackers?
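To make the staged attack above concrete, here is a small cracker written for this article (it is an added example, not code from the original post or from any real cracking tool). It assumes the attacker holds unsalted SHA-256 hashes, uses a constructed ten-word list in place of the real 10,000-password list, and runs the stages in the order a cracker would: dictionary, hybrid (capitalisation, letter-for-number substitution, numbers before and after), two words glued together, and finally brute force over a short alphabet. The point it shows beyond the text is that chelseachelsea does not need brute force at all; the combinator stage finds it after a few thousand guesses.

```python
import hashlib
import itertools
import string

# Constructed stand-in for the "10,000 most common passwords" list the article
# describes. Real cracking wordlists are far larger.
WORDLIST = ["password", "123456", "letmein", "princess", "qwerty",
            "football", "chelsea", "arsenal", "liverpool", "dragon"]

# The "obvious substitutes": a -> 4, e -> 3, and so on.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 stands in for whatever hash the target system stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word: str):
    """Every way of applying or not applying a substitution at each eligible letter."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply, i in zip(mask, positions):
            if apply:
                chars[i] = LEET[chars[i].lower()]
        yield "".join(chars)


def dictionary_stage(words):
    """Stage 1: the list as-is."""
    yield from words


def hybrid_stage(words, max_number=99):
    """Stage 2: capitalisation, leet substitution, numbers appended and prepended."""
    numbers = [""] + [str(n) for n in range(max_number + 1)]
    for word in words:
        for base in (word, word.capitalize()):
            for variant in leet_variants(base):
                for num in numbers:
                    yield variant + num
                    if num:
                        yield num + variant


def combinator_stage(words):
    """Stage 3: two list words glued together (this is how chelseachelsea falls)."""
    for first, second in itertools.product(words, repeat=2):
        yield first + second


def brute_force_stage(alphabet, max_len):
    """Stage 4: every string over the alphabet, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(target_hash: str, words=WORDLIST, max_brute_len=3):
    """Run the stages in order; return (stage, guess, attempts) or None."""
    stages = [
        ("dictionary", dictionary_stage(words)),
        ("hybrid", hybrid_stage(words)),
        ("combinator", combinator_stage(words)),
        ("brute-force", brute_force_stage(string.ascii_lowercase + string.digits,
                                          max_brute_len)),
    ]
    attempts = 0
    for name, candidates in stages:
        for guess in candidates:
            attempts += 1
            if sha256_hex(guess) == target_hash:
                return name, guess, attempts
    return None


if __name__ == "__main__":
    for pw in ["chelsea", "Ch3lse4", "Ch3lsea2", "chelseachelsea", "xq9"]:
        print(f"{pw:16} -> {crack(sha256_hex(pw))}")
```

The brute-force stage is capped at three characters so the script finishes in a couple of seconds; against a real target the same loop simply runs longer, which is why the cheaper stages come first and why a password that survives them is the only kind that makes length count.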
In the case of passwords, it is true to say that size matters. Every extra character multiplies the number of combinations a brute force attack has to try, so a longer password is harder to crack than a shorter one with lots of special characters. Go for at least twelve characters if you can. A brute force estimator will tell you that chelsea would be cracked instantly, while chelseachelsea (or chelsea plus any other seven-letter word) would take 51 years. Treat that second figure with caution: it assumes the attacker tries every possible string, whereas cracking software also glues dictionary words together, so two words from a common list still fall in seconds. Length only counts in full when the characters are unpredictable. Sprinkling in numbers or special characters at random positions, rather than using the obvious substitutes, e.g. ch8lseachel89, multiplies the estimated cracking time by roughly 100 and also defeats the simple substitution rules.
But to get a tough password take the advice of my friend’s five-year-old, who was using a well-known cartoon site. The friend said that he hoped his daughter was using a strong password. She replied, “Yes it has to be at least four characters, so I used MickeyMinnieGoofyPluto.” Not quite what he expected, and the same brute force estimator puts it at 45 quadrillion years. The one flaw is that the four names form a well-known set, and cracking tools try combinations of words from exactly such lists; the idea is right, the choice of words is the weak point. Security experts recommend that a good way to create a secure password you will be able to remember is to choose four genuinely unrelated words, picked at random rather than from a theme someone could guess (rolling dice against a published word list is the safest way), for instance four items you keep on your dressing table: light, glasses, Kindle, watch. Add a special character, say a question mark at the end, and the estimator gives a whopping 403 quadrillion years.
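The "51 years" and "quadrillion years" figures in the two paragraphs above come from the brute force model, which is an upper bound rather than a prediction. The following added example (written for this article, not code from the original post or from any strength-checking site) puts that model beside a structured one, in which the attacker knows the password is a few words from a list and tries each in a handful of mangled forms. The guessing rate, the list sizes and the mangling factors are assumptions, stated in the comments; the comparison is what matters, and it generalises beyond the article's examples to any password built from words.

```python
# Assumption (not from the article): roughly 1e10 guesses per second, the order of
# magnitude a multi-GPU rig reaches against a fast, unsalted hash such as MD5,
# SHA-256 or NTLM. A deliberately slow hash (bcrypt, scrypt, Argon2) cuts this by
# a factor of 10,000 or more, so set it for the system you actually care about.
GUESSES_PER_SECOND = 1e10

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33  # alphabet sizes an estimator assumes


def charset_size(password: str) -> int:
    """Alphabet a brute force estimator assumes, from the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_guesses(password: str) -> int:
    """Worst case for an attacker trying every string up to this length.
    This is what online strength meters report: an upper bound, not a prediction."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def structured_guesses(num_words: int, wordlist_size: int, mangling: int = 1) -> int:
    """Worst case for an attacker who knows the password is num_words words from a
    list of wordlist_size, each tried in `mangling` case/leet/number variants."""
    return (wordlist_size * mangling) ** num_words


def crack_years(guesses: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Convert a guess count into years at the assumed rate."""
    return guesses / rate / (365.25 * 24 * 3600)


def compare(password: str, num_words: int, wordlist_size: int, mangling: int = 1):
    """Return (brute_force_years, structured_years) for one password under both models."""
    return (crack_years(brute_force_guesses(password)),
            crack_years(structured_guesses(num_words, wordlist_size, mangling)))


if __name__ == "__main__":
    # Constructed cases mirroring the article's examples. List sizes are assumptions:
    # 10,000 for a common-password list, 1,000 for a list of cartoon characters,
    # 7,776 for a dice-based word list used to pick words at random.
    cases = [
        ("chelsea",                     1, 10_000, 1),
        ("Ch3lse4",                     1, 10_000, 64),  # 64 ~ case/leet/number forms per word
        ("chelseachelsea",              2, 10_000, 1),
        ("MickeyMinnieGoofyPluto",      4,  1_000, 2),   # 2 = plain or capitalised
        ("lightglassesKindlewatch",     4,  7_776, 2),   # four random words
        ("lightglassesKindlewatchlamp", 5,  7_776, 2),   # a fifth random word
    ]
    print(f"{'password':30} {'brute-force years':>18} {'structured years':>18}")
    for pw, n, size, mangling in cases:
        brute, structured = compare(pw, n, size, mangling)
        print(f"{pw:30} {brute:18.3g} {structured:18.3g}")
```

Under the structured model chelseachelsea costs about a hundredth of a second at the assumed rate, not decades, and four cartoon names from a short list fall in minutes, while four words chosen at random from a 7,776-word list still cost weeks and a fifth word pushes that into the thousands of years. The brute-force column is the one the web checkers show you; the structured column is the one to plan against.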
You can get a feel for how long different patterns take to crack here: https://howsecureismypassword.net/ ; it is a great tool to use with children when discussing password security. Two cautions: never type a password you actually use into any website, try one built on the same pattern instead, and remember that the tool only estimates a brute force attack, so it flatters passwords made of dictionary words. In our next issue and on the blog www.blog.e2bn.org we’ll look at how to remember lots of these super strong passwords and why using your email account to reset passwords when you forget them might not be such a good idea.