
How good will your passwords be this Black Friday?

Black Friday is coming up on 27 November 2015, and with it the start of the busiest part of the retail season in the US.

Indeed, the name is said to come from the fact that on the Friday after US Thanksgiving (the fourth Thursday in November), retailers do so much trade that they get “into the black,” covering their costs for the year to date.

In theory, then, that leaves the rest of the holiday season, heading towards Christmas, to pile on the profit.

What that means is a lot of people shopping, both at the mall and on the net.

To extend the fun beyond the Thanksgiving holiday, there’s also Cyber Monday, which is your online chance to snap up the bargains you missed over the weekend.

And lots of people shopping online means lots of passwords being entered on e-commerce sites, lots of forgotten passwords being reset, and lots of new accounts being created…

…often in a bit of a hurry.

WHAT IF YOU CUT CORNERS?

So, what happens if you cut corners, or are just feeling uninventive, and enter a short or easily-guessed password by mistake?

How hard will the average website try when it comes to protecting you from yourself?

For example, if you accidentally just press [Enter] and choose a blank password by mistake, will the website allow it?

Almost certainly not.

But what if you do the next worst thing and choose a very obvious password, such as 12345678 or baseball, or a very short one, like XYZZY?

It’s easy enough for a website to warn you if you make a truly awful choice, but a retail season survey by password manager company Dashlane suggests that even that doesn’t always happen.

The company claims that 56% of e-commerce sites it surveyed “allow users to have a password less than eight characters long.”

And 32% allowed users to choose passwords from a super-obvious list of ten passwords that come right at the top of any password cracker’s list:

password
123456
12345678
abc123
qwerty
monkey
letmein
dragon
111111
baseball

Dashlane also claims to have tested how many times a website will let you guess incorrectly before taking some sort of action to shut down or limit the speed of further guessing.

Apparently, 36% of e-commerce sites “allowed 10 or more repeated logins without any secure measures being deployed.”
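Here, as an added illustration that is not part of the original article and not Dashlane’s test code, is what the two checks the survey measured look like on the server side: a minimum length of eight, a blocklist built from the ten passwords listed above, and a per-account limiter that refuses further attempts once a handful of wrong guesses land inside a short window. The limit of five failures in five minutes, the account name and the injectable clock are assumptions for the sake of the demonstration.

```python
import time
from collections import deque

# Constructed blocklist: the ten passwords quoted from the survey above.
TOP_TEN_PASSWORDS = frozenset([
    "password", "123456", "12345678", "abc123", "qwerty",
    "monkey", "letmein", "dragon", "111111", "baseball",
])
MIN_LENGTH = 8  # the "less than eight characters" threshold from the survey


def password_policy_problems(password: str) -> list[str]:
    """Return the reasons a candidate password fails the minimum policy.

    An empty list means the password clears the two checks the survey
    measured: minimum length and absence from the most-guessed list.
    """
    problems = []
    if password == "":
        problems.append("blank password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in TOP_TEN_PASSWORDS:
        problems.append("on the most-commonly-guessed list")
    return problems


class LoginThrottle:
    """Per-account failed-login limiter (hypothetical design, not any site's).

    After `max_failures` wrong guesses inside `window_seconds`, further
    attempts for that account are refused until the window has passed.
    The clock is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures: dict[str, deque] = {}

    def _prune(self, account: str, now: float) -> deque:
        """Drop failure timestamps that have aged out of the window."""
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_allowed(self, account: str) -> bool:
        return len(self._prune(account, self.clock())) < self.max_failures

    def record_failure(self, account: str) -> None:
        now = self.clock()
        self._prune(account, now).append(now)

    def record_success(self, account: str) -> None:
        # A correct login clears the account's failure history.
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str,
                  supplied: str, real_password: str) -> str:
    """Simulated login returning 'ok', 'bad-password' or 'throttled'."""
    if not throttle.is_allowed(account):
        return "throttled"
    if supplied == real_password:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad-password"
```

Note that the throttle refuses even the correct password once the limit is hit; that is the point of the check, since a guesser who has used up the allowance has no way of knowing whether the next try would have been right. A real deployment would compare hashes rather than plaintext and would also consider limiting by source address, but the shape of the decision is the same.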

This just reinforces (or re-reinforces, or perhaps re-re-reinforces) the importance of learning how to Pick Proper Passwords.

After all, even if a website stops you making gratuitously bad choices, it may nevertheless let you get away with mediocre or average passwords.

Indeed, many websites (and some companies) try to define randomness, for example by having rules such as “you can’t have a password without a punctuation mark,” even if you chose aYTLZM5kp20vt9KO.

Ironically, that string is an encoding of about 95 bits’ worth of data straight from my Mac’s high-quality random number generator, making it a 1-in-10,000 million million million million choice.

Artificial complexity means that PassWord99! might pass muster, and be considered strong enough, even though a password cracking algorithm would try it long before it got to aYTLZM5kp20vt9KO, or even to the less orderly WordP9!9ass.

Other websites or services won’t let you have more than, say, 16 characters (Microsoft Outlook.com and Google Android both do this), so you can’t use a long phrase like “algorithms get you only so far and then it’s up to intelligence”, even if that’s what you want.

FIGHT YOUR OWN PASSWORD BATTLES

In short, if a website tells you your password is weak, it probably is; but when it comes to creating passwords that are strong, you need to fight your own battles.

Keep our advice in mind:

1. Make your passwords hard to guess.

Avoid using details that are easy for other people to figure out, such as birthdays, nicknames, the names of your pets, songs or bands you like, and so on.

And don’t rely on trivial alterations, such as writing your dog’s name as r0ver or rover99, because password guessing programs try modifications of that sort early on.

2. Go as long and complex as you can.

If you add one letter (from A-Z) to a 10-character password, you make it just 10% longer to type and remember, but 26 times (that’s 2600%) harder to guess.

Choose an extra letter from A-Za-z and you make it 52 times, or 5200%, harder to guess.

You can also hinder password guessing programs by switching between lOWer and UppERCase letters, adding in d29igits and mixing in punc/;tua#tion characters.

But as we mentioned above, watch out for “predictable complexity” such as always and uninventively appending a question mark to comply with “must have punctuation” rules, or switching l3tt3r5 1nt0 d1g1t5 using only simple substitutions.

Some people prefer to pick multiple, unrelated words, like the famous XKCD password correcthorsebatterystaple, finding very long passphrases easier to remember and even to type.

But not all websites and services allow long phrases like this, and many insist that you mIX 1n o//ther characters anyway, regardless of your passphrase length.

3. Consider using a password manager.

Password managers can generate long and complex passwords on demand.

They can also automatically type them in for you at the right time, and can stop you from putting the password for site X into imposter site Y by mistake.

Password managers can also help you comply with the common rules that many websites impose, such as mixing in different types of character unpredictably. (A password manager can remember co*;m+@9-9$pli\cated as easily as it can remember c0mplic4ted!)

Just make sure you have a really strong password for the password manager itself, or else a crook could get hold of all your passwords at once.
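As an added example of the generation step a password manager performs (mine, not the code of any particular product), here is a generator that draws from the operating system’s CSPRNG, guarantees one character from each class a typical “must mix character types” rule demands, and then shuffles the result so the punctuation mark is not predictably sitting at the end. The default length of 16 and the four required classes are assumptions chosen to match the rules discussed above.

```python
import secrets
import string

# Classes a typical composition rule demands; one of each is guaranteed.
REQUIRED_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
FULL_ALPHABET = "".join(REQUIRED_CLASSES)

# SystemRandom is backed by os.urandom; random.shuffle would not be.
_rng = secrets.SystemRandom()


def generate_password(length: int = 16) -> str:
    """Return a random password that satisfies REQUIRED_CLASSES.

    One character is drawn from each required class, the remainder from the
    full alphabet, and the positions are shuffled so that satisfying the
    rule does not leave a predictable layout (e.g. symbol always last).
    """
    if length < len(REQUIRED_CLASSES):
        raise ValueError("length too short to hold one character of every class")
    chars = [secrets.choice(cls) for cls in REQUIRED_CLASSES]
    chars += [secrets.choice(FULL_ALPHABET) for _ in range(length - len(chars))]
    _rng.shuffle(chars)
    return "".join(chars)


def meets_composition_rules(password: str) -> bool:
    """Check that every required class appears at least once."""
    return all(any(c in cls for c in password) for cls in REQUIRED_CLASSES)
```

Forcing one character per class costs a little entropy compared with drawing every position from the full 94-symbol alphabet, since some strings become impossible, but at 16 characters the result is still far beyond anything a guessing program will reach, and it will not be rejected by the rule it was generated to satisfy.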

4. One account, one password.

Use a unique password for each account: crooks who acquire one of your passwords will almost always try that password on all the other online services you use, just in case it lets them in.

Avoid using an obvious pattern, such as a common string of characters followed by, say, -FA for Facebook, -TW for Twitter, and so on.

If you can’t think up and remember unique passwords easily, use a password manager to do the hard work for you.

Don’t be the low-hanging password fruit this retail season.

To help you be more secure, now and into next year, here is a short and straight-talking video that goes through the points above:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)

And once you’ve watched our tutorial video, here’s a short but funny video you can show to your IT guys if they have password “complexity rules” that really are just too darn’ hard:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)

