Are you being sensible about your passwords?
Computer passwords are a way of life these days, and most of us
have dozens of accounts, each with a different (or potentially
different) password. There are costs in forgetting any of these
passwords, ranging from the personal inconvenience of being unable
to read useful news articles to the business problem of being
unable to buy or sell products.
The most obvious solution to this hassle is simply to choose one
password and to use it everywhere. Indeed, a survey
conducted during April 2006 by Sophos reveals that 41% of
respondents do just that. Additionally, 75% of the respondents to a
separate part of the survey admitted to the use of weak,
easy-to-guess passwords. Presumably this means that 31% of users
(75% of 41%) have no accounts at all with satisfactory
passwords.
Clearly, this is bad news. But is it safe to be a
monopasswordist at all? Even if you pick a long, randomized,
unguessable pass-phrase, commit it to memory and then eat the paper
you wrote it down on? Can you rely on the theory that if a password
is good enough for your company's most secure network, then it is
obviously more than adequate for the website of the local football
league?
The answer is that you most certainly cannot. Different account
providers implement their password protection for a range of
reasons, using a range of technologies. The very act of using a
password renders it liable to being compromised - and this
compromise may happen because of the account provider's behavior,
not just your own.
If you have only a single password, then none of your accounts
are more secure than the one which treats your password with the
least confidentiality. You need to divide your accounts into
different categories, based on the security you require and the
password confidentiality which the account offers.
Types of account
We consider three types of account:
- A website which you like to use, but which requires you to
register and to choose a password. (Casual passwords.)
- The logon account for your PC which gives you access to the
company's network. (Corporate passwords.)
- Your personal bank account. (Personal passwords.)
A casual password, for example for a registration-only website,
is usually considered the least important. If you forget it, then
with many websites you can simply re-register and get back online
within minutes. Indeed, you may even forget that you ever
registered, and re-register entirely by mistake. It gives some
indication of the purpose for which the site operator is using the
password if anyone can get one at will.
A corporate password is much more important. If you are not the
owner of the business, then it may feel less important than those
passwords which protect your personal life. But someone who knows
your company logon can impersonate you - often remotely, using a
dial-in, ADSL or wireless connection to access the company's
systems. If they send an ill-tempered email to your manager, a copy
of the customer database to your webmail account, and a letter of
resignation to the board, who just stormed off the job under
dubious circumstances? You, or the unknown hacker?
This brings us to the personal password. To most people, this is
the most important sort of all. Your income, your mortgage, even
your good character, may be at risk if someone else accesses one of
the accounts by which you operate the financial aspects of your
life.
The password dilemma
Passwords which you have to type in from memory present the
dilemma we discussed at the outset. If they are too hard to
remember, or too hard to type in, then they may be useless at the
critical moment. But if they are really easy to remember then they
may be easy for someone to guess. This means you need to be wise in
how your passwords are chosen.
Unfortunately, even passwords which are complex and effectively
impossible to guess may be useless for security. You may be unable
to remember them (and who can quickly memorise
1d88-965b-9827-13a9-e0ca-2b5c-b305-c959?), leading you to
write them down, making them insecure. Or you may use them on a
system in which the passwords themselves are not handled securely,
allowing them to be mechanically and automatically recovered. This
means you need to be aware of the password technology used by all
of your account providers.
Choosing passwords
Writing down your passwords is not an option, unless you can
keep them secure after doing so. You could keep the written
versions in a decent safe (and many companies do just that for
emergencies), but this does not satisfy your need to keep them
handy.
Choosing the same password for all your accounts makes it easy
to remember all your passwords without recourse to paper, but this
is extremely dangerous because your password is then only as strong
as the weakest account. For example, many websites require you to
use passwords, but validate them using protocols which leave the
actual passwords open to eavesdroppers and crackers. You should
assume that any password used on this sort of account is already
compromised. Do not use it, or any similar or related password, for
any accounts where security is important.
Choosing easily-remembered passwords is another way to simplify
your job. But for accounts which you wish to keep secure, this is a
bad idea because passwords which are easy to remember are often
easy to guess, or to work out with little effort. Trying ten
thousand million likely passwords is beyond the scope of human
manual endeavour, although a modern PC may be able to do the job in
a few minutes.
The Diceware project
An interesting project, at www.diceware.com, helps you to
choose decent passwords without using a computer or any other
expensive technology. It uses dice as secure random number
generators and standardized code lists to convert the strings of
digits produced by the dice into easy-to-remember word
combinations. Apart from being a refreshingly low-tech solution, it
sums up the requirements of a self-chosen secure password very
handily as follows:
- Known only to you
- Long enough to be secure
- Hard to guess - even by someone who knows you well
- Easy for you to remember
- Easy for you to type accurately
However, for casual accounts for which your passwords are
intrinsically insecure, such as non-HTTPS web servers which use
accounts for registration and tracking, not for proper
identification and security, complex passwords can be considered
unnecessary.
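As an added example (not part of the original article, and not the Diceware project's own code), here is a small Python implementation of the Diceware mapping described above: it parses a wordlist in the "five dice digits, word" format, turns five rolls into a lookup key, and works out how many words a passphrase needs for a given strength. The wordlist excerpt is constructed, and `secrets.randbelow` stands in for physical dice when none are to hand.

```python
import math
import secrets

# Constructed excerpt in the Diceware list format: "<five dice digits><tab><word>".
# A complete list has 6**5 = 7776 entries; these few lines are for the demo only.
SAMPLE_LIST = """\
11111\ta
11112\ta&p
13436\tcrumb
26335\tgable
43152\tnurse
66666\t@
"""

def parse_diceware_list(text):
    """Parse 'key<TAB>word' lines into a dict; each key is five digits from 1 to 6."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != 5 or any(ch not in "123456" for ch in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word.strip()
    return words

def roll_key(rng=secrets.randbelow):
    """Five dice rolls joined into a lookup key; rng(6) models one die (0..5)."""
    return "".join(str(rng(6) + 1) for _ in range(5))

def passphrase_from_rolls(rolls, words):
    """Map a list of five-digit keys (one per word) onto the wordlist."""
    return " ".join(words[key] for key in rolls)

def entropy_bits(n_words, list_size=6 ** 5):
    """Each word drawn uniformly from list_size choices adds log2(list_size) bits."""
    return n_words * math.log2(list_size)

def words_needed(target_bits, list_size=6 ** 5):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def generate(words, n_words):
    """Produce a passphrase; requires a complete list so every key resolves."""
    if len(words) != 6 ** 5:
        raise ValueError("wordlist is incomplete: every five-dice key must be present")
    return passphrase_from_rolls([roll_key() for _ in range(n_words)], words)
```

With the full 7776-word list, a five-word phrase is worth about 64.6 bits and a seven-word phrase passes 90 bits.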
Simplifying your casual passwords
If you know that a site is using casual (and fundamentally
insecure) HTTP authentication, you can consider using a casual
password derived directly from the name of the site, such as
news4example7com3 for the site news.example.com (using the
domain name with the length of each component instead of a dot).
Just be certain to use this technique for casual passwords
only.
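The derivation rule above, written out as a small Python function; this is an added example rather than code from the article. It accepts either a bare host name or a full URL (an assumption: scheme, port and path are ignored, and the host is lower-cased before the lengths are inserted).

```python
from urllib.parse import urlsplit

def casual_password(site):
    """Casual-site password: each domain label followed by its own length,
    with the dots dropped, e.g. news.example.com -> news4example7com3.
    For casual, registration-only accounts only, as the article advises."""
    host = site.strip().lower()
    if "://" in host:
        # Assumption: a full URL may be passed; only the host name is used.
        host = urlsplit(host).hostname or ""
    labels = [label for label in host.split(".") if label]
    if not labels:
        raise ValueError(f"no host name found in {site!r}")
    return "".join(f"{label}{len(label)}" for label in labels)
```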
Do take great care never to enter one of your corporate or
personal passwords by mistake when connecting to a casual account.
This would compromise one of your secure passwords - and the fact
that the password was incorrect simply confirms to a hacker that
the password probably fits somewhere else, especially if it is
obviously different from the password you subsequently use for the
casual login.
Further password advice
For additional security, you (or your company, or your bank) can
use a one-time password system which provides you with a different
code which you need to provide - usually in addition to your
password - every time you log in. This makes your password useless
on its own for any future logins. Additionally, if you have a
token-based system and you can see your own token, for example on
your keyring, then you know it is extremely unlikely that anyone
else could be logging in as you at that moment. You rarely get this
assurance from a traditional password.
Beware of software which offers to remember passwords for you so
you only need to type them in once. Unless you are certain that it
keeps your list of passwords secure (and you may not be able to
rely on the vendor to tell you), and unless that security is based
on a strong "password of passwords" which you need to enter at
least once in every session, then avoid such features.
Lastly, remember that anything you type, click or view on a PC
you suspect (or later find out) to be infected with malware should
be considered lost to the criminal community. This includes any
passwords you have entered during the session, even if those
passwords were transmitted securely and not echoed to the
screen.
Rise above the survey
Don't be like 75% of the 41% of people in our survey --
universally protected by a single, crackable password. The simple
precautions described here will help to lift you well above that
careless 31%.
About the author
Paul Ducklin joined Sophos from the South African Council for
Scientific and Industrial Research in 1995.
He has held a variety of roles within Sophos, including heading
up Sophos's global technical support operations, before becoming
Head of Technology, Asia Pacific.
One of the world's leading virus experts, Paul has given papers
and presentations at various industry events including Virus
Bulletin, ICSA and AVAR conferences. He has also written several
articles on the virus threat and is a respected industry
spokesperson.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.