A new survey shows a major gap between Americans' online security perceptions and their actual practices. In a poll conducted by the National Cyber Security Alliance, the majority of those surveyed said they reuse passwords across their accounts, and about half never change their PINs and passwords unless they are forced to.
In another poll, by security company Confident Technologies, more than half of respondents reported never using a password or PIN to lock their smartphone or tablet.
Bad move. One tactic criminals use is to steal PINs or passwords from places or websites with very little security, then try them in more valuable environments, such as banking websites. Using the same username and password on multiple websites is like handing a thief a skeleton key to your life, one that opens every door: if attackers grab your password from one place, they will try it on everything else it might open.
Well-resourced criminals have technology to help. Intruders install keyloggers (keyboard sniffers) that record what you type, passwords included; and if they get hold of a host's password database, they can run dictionary attacks against it offline, trying tens of thousands of candidate passwords per second or more. This is why English words, and simple variants of those words on their own, do not make safe passwords.
Your cell phone, a tiny computer in its own right, is no less vulnerable. Experts say losing an unlocked phone can be worse than losing a wallet, because of the sensitive information our phones contain. Email alone can reveal a wealth of information about you, including where you bank, where you live, the names of your family members, and more. According to the same Confident Technologies survey, only 10% of workers have a corporate-issued device, yet 65% of users receive corporate data on their phone, where competitive information such as salaries and system passwords may be readily available. Even worse, links in emails or the apps on your phone can connect a thief directly into your accounts with one click, whether that is a website, Facebook or even a corporate portal.
Most vulnerable of all, your ATM PIN is a needle plunged directly into your financial vein: in seconds a thief can drain your accounts to zero. So just how easy is it for someone to guess your PIN? A lot easier than you think, says data scientist Nick Berry, founder of Data Genetics, a Seattle technology consultancy. A thief guessing randomly has only a 1 in 10,000 chance of hitting a four-digit PIN, but for a smarter criminal, who knows that a high proportion of PINs are birth years (specifically years after 1950), the odds improve dramatically. Despite warnings from banks, a shockingly high share of PINs, close to 20 percent, are extremely simple combinations. The most popular is "1234", at 11 percent, followed by "1111" and "0000". This means that if a thief picks up your ATM card off the street, he or she has roughly a 1 in 5 chance of unlocking it by trying just five different PINs. (Most ATMs lock the card after three wrong attempts, but the first three guesses alone still cover well over a tenth of all cards, since "1234" by itself accounts for 11 percent.)
A good common-sense guideline for choosing PINs is to avoid any number or word that appears in your wallet (such as your name, birth date or phone number) or that can be looked up, the last four digits of your Social Security number for example. For online passwords, the standard recommendation is at least 8 characters, including both letters and numbers and, more commonly now, a special character or punctuation mark. Change a password immediately if you suspect it has leaked, and changing your PINs and passwords every six months is a common recommendation. But the best strategy is to make your passwords and PINs fortresses to begin with, by adding length, complexity and a certain "je ne sais quoi".
To make your PINs and passwords hard to crack, or to spin your existing passwords into something much safer, try the following:
Create it From a Word
Think of the letters printed on a telephone keypad, and of how you dial by name in a company's phone system. If you derive your PIN from a word the same way, it will be easier to remember.
Use Numbers Only You Know
Instead of part of your address or any number printed on your license, use part of an expired childhood phone number, or a number you call all the time that nobody could guess, like your local pizza delivery place.
Use Favorite Holidays
If you want a four-digit PIN based on a date, use your favorite holiday instead of a birth date, or a momentous occasion in your life that isn't tied to anything on the record, unlike your children's birthdates, your anniversary or your parents' anniversary (try the day you retired, or the day you broke a 7-minute mile). Bear in mind that a holiday everyone celebrates is still a calendar date, and dates are among the first things a smart guesser tries, so a personal date that appears in no record is the safer choice.
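To make the reasoning in the PIN section concrete, here is an added example (not from the article and not from Data Genetics) that models the "intelligent criminal" strategy: it orders all 10,000 four-digit PINs most-likely-first and reports how many guesses a given PIN survives, including whether it falls inside a typical three-attempt ATM lockout. The only data taken from the article is the order of the three most common PINs; the other categories, the 1950 to 2009 year range, the three-attempt default and the tie-breaking order within each category are assumptions of this example.

```python
"""Added example: a model of the smart PIN-guessing order described above.

Assumptions (not from the article): the category order after the three named
top PINs, the 1950..2009 year range, the three-attempt lockout default and
the tie-break within each category are choices made for this example.
"""
from datetime import date
from functools import lru_cache

# The three most common PINs, in the order the article gives them.
TOP_PINS = ["1234", "1111", "0000"]

# Birth years a smart guesser tries early; the article says "after 1950",
# the upper bound is an assumption.
YEAR_RANGE = range(1950, 2010)


def reads_as_date(pin: str, month_first: bool) -> bool:
    """True if the PIN is a valid calendar date read as MMDD or DDMM."""
    a, b = int(pin[:2]), int(pin[2:])
    month, day = (a, b) if month_first else (b, a)
    try:
        date(2000, month, day)  # 2000 is a leap year, so 0229 counts
        return True
    except ValueError:
        return False


@lru_cache(maxsize=None)
def smart_guess_order() -> tuple:
    """All 10,000 PINs ordered most-likely-first: named top PINs, repeated
    digits, ascending keypad runs, birth years, month/day dates, then the rest."""
    order = []
    seen = set()

    def add(pin: str) -> None:
        if pin not in seen:
            seen.add(pin)
            order.append(pin)

    for pin in TOP_PINS:
        add(pin)
    for digit in "0123456789":
        add(digit * 4)                                     # 2222, 3333, ...
    for start in range(7):
        add("".join(str(start + k) for k in range(4)))     # 0123 ... 6789
    for year in YEAR_RANGE:
        add(str(year))
    every_pin = [f"{n:04d}" for n in range(10_000)]
    for pin in every_pin:
        if reads_as_date(pin, True) or reads_as_date(pin, False):
            add(pin)
    for pin in every_pin:                                  # no recognisable pattern
        add(pin)
    return tuple(order)


def guess_rank(pin: str) -> int:
    """1-based number of guesses a smart attacker needs to reach this PIN."""
    return smart_guess_order().index(pin) + 1


def guessed_before_lockout(pin: str, attempts: int = 3) -> bool:
    """Whether the PIN falls within the attempts an ATM allows before locking
    the card (three is typical; the default is an assumption)."""
    return guess_rank(pin) <= attempts


if __name__ == "__main__":
    for sample in ["1234", "1975", "1225", "8372"]:
        print(sample, guess_rank(sample), guessed_before_lockout(sample))
```

Running it shows the point of the tip above: a birth year such as 1975 is reached within the first hundred guesses, a holiday such as 1225 (December 25) lands inside the first few hundred because it is a valid month/day date, and a PIN with no date or keypad shape only turns up in the long tail.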
By far the most powerful and secure online passwords are those that use a lot of characters (in fact, use as many characters as the site allows: every character you add makes the password harder to crack), so much so that many experts now say: dump the coded mumbo-jumbo and simply use a sentence, a phrase, or a few random words strung together in a memorable way. Phrases, even though they contain dictionary words, have so many characters that brute-force guessing becomes impractical, and they are also the easiest to remember, which makes them a win-win. Choose words that do not form a famous quotation or song lyric, since attackers try those too. For a surprisingly succinct explanation of why length wins, see the XKCD comic on password strength, or for a more journalistic version, see CNN. Try a long phrase with or without spaces, normal capitalization, and whatever numbers and punctuation the website requires.
Build on a Base
Another personal favorite, this tactic lets you create passwords (and remember them) on the fly. You don't have to keep track of 100 passwords if you have one rule set for generating them.
One way to create unique sequences is to choose a base password and then apply a rule around it that includes some coded form of the vendor. Try, for example, the first letters of a phrase or song refrain. If you wanted to use the famous Whitney Houston song "I Will Always Love You", your base password might be "IWALY". Recalling the password is just a matter of singing yourself the song.
To add specificity, choose a consistent way to turn the site's name into an acronym or a short description, separated from the base by a number that is meaningful to you. For added strength, and to satisfy the special-character rules more and more websites enforce, you can wrap your base password and vendor code in a special character as well. For example, your password for Facebook might be: #IWALY10FA#. Bear in mind the trade-off: if one of these passwords leaks in plaintext, the pattern is visible, and a thief who works out the rule can derive the rest.
Create Your Own Language
Another way to generate unique passwords is to create your own "language", one you make up yourself, and then write new passwords in that code: "S" becomes "$", for example, and a backwards "E" looks a lot like "3". A few character swaps, or even a deliberate misspelling, can throw off a casual guesser. Be aware, though, that password-cracking tools apply exactly these substitutions automatically, so swaps add real strength only on top of a long password, never instead of one.
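As an added example (not code from the article and not from any real cracking tool), here is a small offline dictionary attack of the kind described earlier under the tools high-level criminals use, run against a constructed "stolen" password database. Its mangling rules include the character swaps this tip suggests, which is why the three dictionary-based passwords fall and only the four-word phrase survives. The accounts, passwords, salts, wordlist and rules are all made up for the example; real tools such as hashcat and John the Ripper ship far larger rule sets.

```python
"""Added example: offline dictionary attack with simple mangling rules against
a constructed, salted SHA-256 password database. Everything here (accounts,
salts, wordlist, rules) is made up for illustration."""
import hashlib
import itertools

# Substitutions an attacker's rule set applies, the same swaps this tip suggests.
LEET = {"a": "@", "e": "3", "s": "$", "o": "0", "i": "1"}


def _hash(salt: str, password: str) -> str:
    """Salted SHA-256, a common (and, because it is fast, weak) storage scheme."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stolen database: user -> (salt, digest). The plaintexts appear
# here only so the example is self-contained; an attacker sees just the hashes.
STOLEN_DB = {
    "alice": ("s1", _hash("s1", "dragon")),
    "bob":   ("s2", _hash("s2", "P@ssw0rd")),
    "carol": ("s3", _hash("s3", "Sunshine42")),
    "dave":  ("s4", _hash("s4", "velvet otter bakes thunder")),
}

# Constructed wordlist; real ones run to millions of entries.
WORDLIST = ["dragon", "password", "sunshine", "letmein", "monkey", "football"]


def leet_forms(word: str):
    """Every way of applying zero or more LEET substitutions to the word."""
    choices = [dict.fromkeys((c, LEET.get(c, c))) for c in word]  # ordered, deduped
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist):
    """Dictionary words mangled by case, substitution and numeric suffix."""
    for word in wordlist:
        for cased in (word, word.capitalize(), word.upper()):
            for form in leet_forms(cased):
                yield form
                for n in range(100):
                    yield f"{form}{n}"
                    if n < 10:
                        yield f"{form}0{n}"   # 00..09 as well as 0..9


def candidate_count(wordlist) -> int:
    """How many guesses the rule set produces for this wordlist."""
    return sum(1 for _ in candidates(wordlist))


def crack(db, wordlist) -> dict:
    """Return {user: password} for every account the mangled wordlist breaks."""
    pending = dict(db)
    found = {}
    for cand in candidates(wordlist):
        for user, (salt, digest) in list(pending.items()):
            if _hash(salt, cand) == digest:
                found[user] = cand
                del pending[user]
        if not pending:
            break
    return found


if __name__ == "__main__":
    print(f"{candidate_count(WORDLIST)} candidates tried")
    print(crack(STOLEN_DB, WORDLIST))
```

Six words expand to around twelve thousand candidates, and "dragon", "P@ssw0rd" and "Sunshine42" all fall to them within a fraction of a second. The phrase survives not because its words are exotic but because the rule set never combines four words: even with a modest 7,776-word list, four random words give 7,776^4, roughly 3.7 x 10^15 combinations.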
Use a Password Checker
Still not sure whether your password is safe? Use a password checker that evaluates its strength automatically, such as Microsoft's secure password checker. Keep in mind that a checker scores structure (length and character mix), not whether your exact password already appears in a leaked list, so a good score is no substitute for a password you use nowhere else.
Safely choosing and keeping track of passwords and PINs is a modern-day inconvenience that many of us wish we didn't have to deal with. But with a few simple improvements to your online and mobile security, you can stay one step ahead of the hacker pack.
Photo courtesy of Flickr/redspotted/272104/