SUNDAY TIMES - Spit & Polish : 08 April 2012
Sunday Times STLive By Barry Ronge, 2012-04-08 00:16:07.0

Is there any password safe enough to guard your private stuff?

How many passwords do you have pinging away in your head? You obviously need your internet banking password and the codes that allow you to gaze, disconsolately, at the vagaries of your financial resources.

Perhaps you can only gain access to your place of work with a password? In fact, in one of the buildings I visit often, each of its floors has a different entry code and every time I go there, I find several people, like me, waiting in the foyer for someone to arrive and let us in.

It's a fair bet that most of us take the line of least resistance when we create a pin-number. We tend to base it on something that we could virtually recite in our sleep. According to a survey by Verizon, a US telecoms company, many security breaches are caused by people who don't even bother to create a password.

The two most frequently-used passwords in America are "123456" and "abc123".

It seems so sensible and practical because the alphabet and counting to 10 are absolutely embedded in our brains - but that is also a risk.

In fact, there is a thing called "a dictionary attack" that sets out to search for the most ordinary, everyday things that people like to use as passwords. The attackers look for familiar passwords such as "mydog" or "newidea", which lets them into your whole system. That so many people are using the same words helps the "dictionary attackers" to spot them and invade.

You may think that you can protect yourself by using favourite titles of books and films, or favourite songs, but they also prove to be vulnerable. Many of the larger domestic computer systems limit the length of passwords, usually to six digits, and with that comes the inclination to make it simpler and easier.

If, however, you are able to create bigger phrases such as "Blue Suede Shoes" or "The Apprentice", people will still give too much information away. The smart idea is to keep it short and enigmatic, if not downright mysterious. Anyone who uses passwords such as "soapie", "series" and "healthy" is opening the gate to invasion from around the world.

The names of kids, spouses and pets are also ludicrously easy to steal. We all know what it is like in an office: everyone knows everyone's business, and some people put photos of spouses, kids and pets on the wall.

Someone says, conversationally, "Aren't they sweet? What are their names?" and the next thing you know, it's an "Open Sesame!" to all your private stuff.

I got that message six years ago, when, naively, I bought goods on the internet and was slammed by a tidal wave of crap that included Polish women looking for South African husbands, more plastic goods than you could carry and "special offers" by the hundreds. So I locked my computer down.

The Verizon research also suggested that if you are both paranoid and affluent, there are security devices such as fingerprint scanners that prevent anyone from getting into your computer - but it comes at a price and is also an encumbrance.

The trick, as some experts have suggested, is to pick words not frequently used and not connected to your job, such as "pollen", "hooves" or "earwax". If you can drop a random numeral into one such word, such as "hoo3es" and "ear7wax", you may be safer.

In an article in The Economist, a security guru, Bruce Schneier, suggested the best and most complicated ploy was to create a sentence and to substitute the first letters of every word, using numerals and punctuation.

The sentence he created was "Too much food and wine will make you sick". He condensed it down to "2mf&wwmUs" and that gave him a double protection. He created the sentence, and he also substituted the characters and, according to the magazine, that password has never been cracked. Obviously, now that it has been published, its usefulness has been lost, but I feel sure he will create another one pretty easily.