safe computing – email

What is computer security?  Techniques for ensuring that computer data is not accessed by unauthorized individuals. This might involve passwords, encryption or physical seclusion.

Virtually every other week there is a story in the news about some web site which was hacked and hundred of thousands of user/password combinations taken.  When these incidents are announced there are only two things that might be considered important.

The main concern should be whether any real user data such as name, address, banking details or other personal non-public data escapes.  The secondary concern is that now someone knows your username  and password.  This shouldn’t be a problem as after all, everyone uses a different username and password at each website – right?   Well, no and that is part of the problem.

It was a stroke of genius to use email addresses as the user id for all of these sites because email addresses are a unique piece of information.  You don’t have to worry that there will be two, between the email name and the domain they form a unique id.

Why millions of passwords on the loose is a problem is because once people find a good password a lot of them simply use it again and again at every site they go to.  This means when your password is compromised at, they know your user name and password that you might be using at Facebook, Gmail or some other site.  There are apparently people who like the challenge or the rewards of hacking other people’s accounts.

To feed on rational fears it can be even worse than that.  The “bad men” don’t even need your password to compromise your account as knowing your email address may be enough.  Given a free choice, people are pretty bad at picking secure passwords.

This is a list of some of the most common passwords from 2014.

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
11. 1234567
12. monkey

It is quite likely with this list of passwords, a hundred email addresses and a handful of websites you will fine one or more that will let you in.  At work, well especially at large companies, they tend to espouse a number of rules designed to create difficult to guess passwords.

1. minimum of 8 characters
2. must include one upper case letter, one lower case letter, one digit and one symbol
3. must be different than the the last 12 passwords
4. cannot include the name of the account
5. cannot include the users name
6. does not include a complete word
7. doesn't include name of family or extended family
8. must include the sound you hear when stepping on a bug*
9. must be impossible to represent the password with any keys on a keyboard*
*included to see if you read the entire list.

The IT department want things to be really really secure so if you are unlucky you will have a different password for every internal system that you use and it will seem that they change every three weeks.

It is almost impossible to have a few dozen passwords that change on this type of schedule without writing them down somewhere.   Yet there is obviously a good way and a bad way to do that.

monitor-with-password2Your password on a sticky note on your screen or the corner of the desk are about as bad as it gets.  I have heard of people storing their passwords in text files, word documents, or in excel spreadsheets.  This is a slight step up from the password boldly written across the screen but not as good as something a bit more secure.  This could be either password protected word or excel document.  Not a great choice but should keep your secrets for the casual snooper.

Yet, there is a dedicated program, a password manager, which is designed for the task of tracking this type account information.  Depending on the program it may use either 128bit or 256 bit encryption keys.  This is much better than the more limited 40 bit key limitation for encryption that existed for so long in the USA.  While it would take millions of years to break 256bit keys the much shorter 56bit key has been broken in only four months and that was in 1998 with a 90mhz Pentium.

Yet even the password manager can be a vector for weakness to the security of your password information.  What makes these tools convenient is that they store your user and password information and it to make it convenient the password can be copied to the clipboard.  Once this happens this information is available to be sniffed by other applications running on your phone.

I wish that last part could be labeled a paranoid fantasy but is a weak point regardless of the platform (sorry IOS fans).  Yet the password manager is safe if you read and remember the password and manually type it into the application that needs it.

This entry was posted in Soapbox and tagged . Bookmark the permalink.