Hang on to your cash. Protect your passwords and PINs.
Many of us stick to predictable passwords and PINs, and so fail to adequately protect our cash!
As a code-breaking buff, I have shelves of books on cryptography. If these works have taught me anything, it is that humans are the weakest links in any code system.
For example, during World War Two, my grandfather and his colleagues would learn to recognise the key-tapping style of certain German radio operators who failed to use their Enigma encryption machines properly. These snatches of information, known as ‘cribs’, became a crucial part of Britain’s wartime intelligence.
Similarly, when it comes to protecting your information online, you are the weakest link. This is because of two key weaknesses:
- The ‘group mind’. Despite being unique individuals, people often behave in herd-like fashion. For example, when asked to name an integer between one and 50, many of us automatically choose the number 37.
- ‘Personal anchoring’. In order to make passwords easy to remember, we latch onto something prominent in our personal lives.
Now I’ll show you how these two faults can put your money at risk in both the real and virtual worlds.
Protect your PIN
To use a credit, debit or store card, you’ll need the four-digit PIN (Personal Identification Number) linked to that plastic card. There are 10,000 possible PINs, from 0000 to 9999.
Of course, if you enter the wrong PIN three times, then your card will be locked. This prevents a ‘brute force’ attack, which involves trying every possible combination until the right one is found.
Even so, PINs aren’t as secure as you’d imagine. This is because millions of cardholders change their default PINs to numbers which they find easier to remember. Often, this weakens the security of their cards.
Let me give three examples of weak PINs:
- In the late Nineties, my boss challenged me to guess his PIN. Knowing him to be a proud Scot, I suggested 1314 — the year of the Battle of Bannockburn. Right first time.
- In one of his books, controversial Scottish author Irvine Welsh describes a banking scam to rip off supporters of Glasgow Rangers FC. His crooks steal lots of credit cards and try 1690 as the PIN — the year of the Battle of the Boyne. They successfully steal a fortune.
- Your year of birth. Possibly the worst PIN to choose, full stop. When up at University, I found scores of students naively using their year of birth (or birthday as Day-Day-Month-Month) as PINs. If you do this, change your PINs today.
To create a safer PIN, choose a random four-digit number, or simply stick with the default PIN given to you by your bank. Otherwise, you may inadvertently be putting your credit card and current account at risk of fraud.
Loose lips lose money
About five years ago, my father gave me an old laptop. When I went to use it, I found it to be password-protected. Thinking hard about my dad’s life, I tried two passwords before getting it right third time. It was the name of the British Army cavalry regiment he joined way back in the late Sixties.
In short, the more you know about someone, the easier it is to guess their passwords.
That’s one of many reasons why I don’t belong to social-networking sites such as Facebook, and why my Twitter posts link only to my articles. The more information you post on Facebook, Twitter and the like, the more personal data you give to crooks, criminals and fraudsters.
(Modern-day ‘digital villains’ also use Facebook and Google Street View to find out when people are on holiday, before burgling their empty homes.)
Pathetic passwords
The worst of all passwords — and one of the most common — is ‘password’. This is as bad as no password at all. Don’t use it, ever.
Other poor passwords include ‘123456’, ‘abc123’ and ‘qwerty’ (the first six letters from the top left of the keyboard). Using your first and last names (such as ‘cliffdarcy’) is weak, too. Also, ‘computer’ is a pretty silly password.
‘Monday’ is another bad password — when we discovered our IT master was using it at school, we promptly changed it to ‘Tuesday’. ‘Letmein’ (let me in) and ‘iloveyou’ (I love you) are also pretty feeble. Many passwords require a minimum of six letters and, for some reason, ‘monkey’ is a popular choice.
Other easily found passwords may be your favourite football team or a family member’s name. Thanks to public databases and social networking, your supposedly private life may be laid bare for cyber-crooks to sift through.
Another terrible password is the name of the website you’re visiting. For example, Barclays customers using ‘Barclays’ as a password are frankly asking for trouble.
One key opens many locks
Another problem arises if you use a single password to access many different websites. In this scenario, once I have one password, I have access to all your accounts. In effect, you’re giving me a master key to open all your locks and make a ‘clean sweep’.
Nevertheless, almost half of us use the same or similar passwords to access multiple sites. Naughty, naughty!
Passwords should be unique to each website you visit and every account you use. If you can’t remember them, then write them down in a coded message and securely hide this piece of paper. Alternatively, use a password safe such as that developed by American cryptography expert Bruce Schneier.
How to create stronger passwords
Of course, strong passwords are more complicated than weak ones, but that’s the whole point. They are harder to guess or find with a ‘dictionary attack’ (searching around 200,000 commonly used words in English).
To create strong passwords, you should:
- Use at least eight characters and, ideally, more.
- Use a mix of upper-case and lower-case letters, numbers and keyboard characters accessed via the shift key and non-letter keys.
- Don’t use your name, family names, slang words, swear words, words found in dictionaries and first names.
These are easy meat for the professional cracker.
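The checks above, together with the ‘site name as password’ and ‘one key opens many locks’ problems from the earlier sections, can be turned into a small self-test you run over your own PINs and passwords. This is an added example, not code from the article; the blocklist is constructed from the weak examples the article names, and the sample PINs, names and vault are made up.

```python
from __future__ import annotations
import re
from datetime import date

# Constructed blocklist from the weak examples named in the article; a real check
# would use a large dictionary and a breach list (such as the RockYou set).
WEAK_WORDS = {"password", "123456", "abc123", "qwerty", "computer", "monday",
              "tuesday", "letmein", "iloveyou", "monkey"}

def pin_weaknesses(pin: str, birth: date | None = None) -> list[str]:
    """Reasons a four-digit PIN is guessable: plausible years and birthdays."""
    if not re.fullmatch(r"\d{4}", pin):
        return ["PIN must be exactly four digits"]
    reasons = []
    if 1000 <= int(pin) <= date.today().year:  # 1314, 1690, a year of birth ...
        reasons.append("looks like a year")
    if birth is not None:
        day, month = f"{birth.day:02d}", f"{birth.month:02d}"
        if pin in (day + month, month + day):
            reasons.append("is your birthday as DDMM or MMDD")
        if pin == str(birth.year):
            reasons.append("is your year of birth")
    return reasons

def password_weaknesses(password: str, personal: frozenset[str] = frozenset(),
                        site: str = "") -> list[str]:
    """Apply the article's rules: length, character mix, no names, words or site name."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than eight characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 4:
        reasons.append("missing one of: upper case, lower case, digits, symbols")
    low = password.lower()
    blocked = WEAK_WORDS | {p.lower() for p in personal} | ({site.lower()} if site else set())
    hits = sorted(w for w in blocked if len(w) >= 4 and w in low)
    if hits:
        reasons.append("contains a guessable word: " + ", ".join(hits))
    return reasons

def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map every password used for more than one site to those sites (the 'master key')."""
    by_pw: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}

if __name__ == "__main__":  # constructed sample data
    print(pin_weaknesses("1314"), pin_weaknesses("1205", date(1975, 12, 5)))
    print(password_weaknesses("cliffdarcy", frozenset({"Cliff", "Darcy"}), "barclays"))
    print(reused_passwords({"bank": "monkey", "email": "monkey", "shop": "Kz7#wqLm2!v"}))
```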
For more advice, read this report from online-security firm Imperva (PDF document) on the infamous hack of 32 million passwords from the RockYou.com website in December 2009.
Lastly, for more help with beefing up your computer and Internet security, visit the government website Get Safe Online.
Source: lovemoney.com