Mark Harris
WINNING A WAR OF WORDS, 28 June 2006

Choose a better password than Open Sesame!
With code crackers on the prowl, the end of the password could be near, says Mark Harris

I don’t need to be Derren Brown to guess your computer password. If you’re a man, the chances are it’s England skipper David Beckham, your nickname, a Star Wars or Lord of the Rings character, or your car. If you’re a woman, it’s probably a family or pet’s name, a birthday - or England skipper David Beckham. And if you’re a smart alec (around 5% of you are), you’re using the word ‘password’ itself.

But if that hasn’t got you rushing to your keyboard to change your settings, don’t imagine your personal and online banking details are secure. Raimund Genes, Chief Technical Officer for security company Trend Micro, says, “It’s all about your password strength. For instance, if your Windows password is any word with less than 14 characters, it can be cracked by software in less than five minutes.”

All English words or names, however unusual, make terrible passwords, as they can be matched against dozens of huge ‘password dictionaries’ found on the internet. It’s pretty easy to toughen up your security, according to Raimund Genes: “Longer, randomised passwords with special characters like ? or £ (rarely found in American password dictionaries) are almost unbreakable.”

Unfortunately, such complicated passwords can also be difficult to memorize. Research firm Gartner found that up to a third of all helpdesk requests are to ask for lost passwords, prompting around two thirds of us to write down our passwords – a security risk in itself.

The easiest solution, suggests Trend’s Genes, is to use a long ‘pass phrase’ instead of a simple password: “A whole sentence, such as ‘Ilovesushifordinner’ might sound stupid but it’s very long, easy to remember and almost impossible to break – unless you go around telling everyone your favourite restaurant.”
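As an added illustration of the advice above (example code written for this page, not anything from the article or from Trend Micro), a small Python checker that applies Genes's three tests: is the password a dictionary word, how large is the space a brute-force attacker must search, and does a long passphrase clear the bar. The word list and the 33-symbol class size are constructed assumptions.

```python
import math
import string

# Constructed stand-in for the huge online 'password dictionaries' the article
# mentions; a real checker would load a list with hundreds of thousands of words.
DICTIONARY = {"password", "beckham", "yoda", "gandalf", "ferrari", "qwerty", "letmein"}

# Assumed size of the symbol class once a password uses a punctuation or
# non-ASCII character such as '?' or '£' (33, the count of ASCII punctuation).
SYMBOL_CLASS = 33


def in_dictionary(candidate: str) -> bool:
    """Dictionary match ignoring case and a trailing run of digits or
    punctuation, so 'Beckham7' and 'password!' are still caught."""
    core = candidate.lower().rstrip(string.digits + string.punctuation)
    return core in DICTIONARY


def charset_size(candidate: str) -> int:
    """Sum of the character classes actually present: lower, upper, digits, symbols."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c in string.punctuation or not c.isascii() for c in candidate):
        size += SYMBOL_CLASS
    return size


def brute_force_bits(candidate: str) -> float:
    """log2 of the guesses needed to try every string of this length over the
    classes used, i.e. the attacker's cost if the password is truly random."""
    if not candidate:
        return 0.0
    return len(candidate) * math.log2(charset_size(candidate))


def assess(candidate: str) -> str:
    """Verdict in the article's terms: dictionary words fail outright, short
    passwords fail on search space, long random strings or passphrases pass."""
    if in_dictionary(candidate):
        return "weak: dictionary word"
    bits = brute_force_bits(candidate)
    if bits < 64:
        return f"weak: only {bits:.0f} bits of search space"
    return f"strong: about {bits:.0f} bits of search space"
```

One caveat the character count hides: a passphrase built from common words can be attacked word by word, so four words drawn from a 20,000-word list give roughly 57 bits, far less than the 108 bits the letter-by-letter estimate reports for ‘Ilovesushifordinner’.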

Of course, it doesn’t matter how strong your password is, if criminals can persuade you to hand over your security details willingly. You’ve probably already received spam emails that pretend to be from your online bank, redirecting you to a fake website where they can capture your user name and password.

In a test this April, Infosecurity Europe got over 80% of commuters at Victoria station to reveal key personal details, from their date of birth to mother’s maiden name, just for the chance to win an Easter egg. “The problem is less to do with modern technology,” says Raimund Genes, “and more to do with careless users.”

Online ‘phishing’ scams cost UK banks around £30 million last year and, as Genes points out, “When the banks feel the pain, they’ll introduce new measures”. Some are already in place in Germany, where banks now hand out single-use numerical codes for use alongside traditional passwords. These five-digit numbers can be sent to customers on their mobiles and are only good for one transaction. Even more secure are smart tokens: key-ring devices that generate random, rolling codes.

With biometric ID cards on the horizon, fingerprint, iris and face scanning technology is beginning to find its way into the home. Despite questionable accuracy (even Home Office fingerprint systems make mistakes 20% of the time), such devices can be useful, says Raimund Genes: “Biometric readers are basically password management systems. Because you don’t have to type so often, they’re an incentive for having long, complex passwords.”

Biometric technology can’t come too soon for some. Office workers now have an average of seven passwords to remember – and some as many as 25. This has led to an explosion in popularity of software such as Norton’s Password Manager, which can store passwords and personal information for everyone in a family. But Raimund Genes has one final word of warning, “Remember that you’ll need a strong password for your password manager software!”


Biometric gadgets
SanDisk Cruzer Profile £20 www.sandisk.co.uk – This neat little USB drive has a built-in fingerprint reader so you can securely carry 512MB of data and passwords wherever you go.

Nimzy Face Snapper Recogniser £50 www.widget.co.uk – Do identical twins have any secrets from each other? Find out by testing this smart webcam, which locks out users with the wrong mugshot.

Microsoft Wireless Mouse with Fingerprint Reader £80 www.microsoft.com/uk – Now you can get to work seconds earlier, by logging on with a simple swipe of your finger on this wireless optical mouse.


Passwords of warning
• Long, complex passwords are better than short, easy to guess words. Get a random one from www.winguides.com/security/password.php
• Don’t use the same password for lots of websites. Most online banks only guarantee your money if you use a password unique to them.
• Test the strength of your current password at www.securitystats.com/tools/password.php
• Password management programs can be handy but make sure your bank allows you to use them – some don’t.
• Don’t let your web browser automatically remember passwords unless you’re certain that no one else can access your computer.
• Always use reliable firewall and anti-virus software, such as ZoneAlarm Security Suite (www.zonelabs.com), and keep it up to date.