Selecting a password is an art; hackers attempting brute
force attacks will use dictionaries containing millions of known words
and common password combinations, so if your password is ‘123456’ or ‘password12’
you will lose control of your account in a few seconds if attacked. Also beware
of using the same password in more than one place, as, if any single password file is
cracked, hackers will routinely try the same username and password combinations
on other common sites. If you follow these rules you will, like me, end up with a long list (for me it's hundreds) of different passwords, hopefully
containing capitals, numbers and punctuation marks, all of which you need to be
able to retrieve at any time. And of course you won’t be storing them as remembered
passwords in your web browser as these are generally very easy to access.
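As an added illustration of the two traps above (not code from this post), here is a small Python check of the kind a sign-up form or a password-manager audit could run: it undoes the case, padding and letter-substitution tricks that cracking rule-sets try first, against an assumed tiny wordlist, and flags passwords reused across sites in a constructed sample vault.

```python
import re
from typing import Dict, List, Optional

# Constructed, tiny stand-in for the multi-million-entry wordlists cracking tools ship with.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey"}
COMMON_SEQUENCES = {"123456", "12345678", "111111", "abc123", "000000"}

# Character substitutions that standard cracking rule-sets undo automatically (assumed subset).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Leading/trailing digits and punctuation: the usual 'padding' (e.g. 'password12', '!qwerty').
PADDING = re.compile(r"^[^a-z]+|[^a-z]+$")


def weakness(pw: str) -> Optional[str]:
    """Explain why a dictionary attack would recover pw almost instantly, or None if it passes."""
    low = pw.lower()  # case variants are the first rule any cracker applies
    if low in COMMON_SEQUENCES:
        return "common sequence"
    core = PADDING.sub("", low)
    if core in COMMON_WORDS:
        return f"dictionary word '{core}' plus padding"
    core = PADDING.sub("", low.translate(LEET))
    if core in COMMON_WORDS:
        return f"dictionary word '{core}' with substitutions"
    return None


def reused(vault: Dict[str, str]) -> List[List[str]]:
    """Group sites that share one password: a breach of any of them exposes all of them."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


# Constructed sample vault, as a password-manager export might look.
SAMPLE_VAULT = {
    "bank.example": "Tr0ub4dor&3",
    "forum.example": "Tr0ub4dor&3",
    "mail.example": "correct horse battery staple",
}

if __name__ == "__main__":
    for pw in ("123456", "password12", "P@ssw0rd!", "correct horse battery staple"):
        print(f"{pw!r}: {weakness(pw) or 'not in the dictionary-attack space'}")
    print("reused across:", reused(SAMPLE_VAULT))
```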
This is one of the great problems of the Internet age. How
do we manage our passwords? As somebody who has more than a passing interest in
hacking, and understands many of the ways in which passwords are cracked, I probably
have a bit of a head start. I've also been interested in cryptography for many
years, and I've managed to develop a simple and ingenious method for generating
passwords that I can then reverse engineer on-the-fly when I need to use them. And if
you think I'm telling you what this is then I'm afraid you're going to be
disappointed.
This may sound a little smug, but I assure you it's not; I
may have been careful in crafting my keys, but as I have little control over
the locks they are used in I don't have any illusions about the security my
precautions give me. Instead I rely on a simple maxim: if I absolutely don't
want to share something, then it probably shouldn't be anywhere on-line anyway. That and two-step authentication. Always. Let
me give you an example of how my thinking has been shaped.
Fully ten years ago my home broadband was provided by Tiscali,
who have long since been absorbed by TalkTalk. When I came to cancel my contract with
them I was told that I would have to do this by logging in to their portal, using
the username consisting of my Tiscali e-mail address which I had never used and
a password that I had noted down when I first opened the account one year previously.
You would be right in thinking that this was unnecessarily
complicated, as I was already speaking to an agent who had authenticated me. Most
people ten years ago wouldn't have known their username or password anyway, unless
they were actually using the e-mail address. All in all the cancellation process
seemed designed to be as difficult as possible, no doubt in a sad attempt at “customer
retention”. Things were easier for me because I had noted down my username and
obfuscated password.
So I logged in to my
portal where I was presented with thousands of unread e-mails every single one
of which was spam. After cancelling, I contacted Tiscali to ask them how an
e-mail address that I had never used had ended up in the hands of every spammer under
the sun. They declined to reply.
I'm not in the least bit surprised to read in the Guardian that TalkTalk customers are suffering from the same problem. TalkTalk are being particularly coy about the issue, which seems to be resulting in fake service calls on a large scale.
These leaks are of course entirely predictable; if you're
going to pay call centre staff in India a pittance then don't be surprised if
they look at other ways of supplementing their income. It's not as if they are
being set a shining example by our own governments, who seemed quite happy with
the idea of collecting all our data, much of which I am sure will one day be
left on the back seat of a taxi.
So there are two things to remember here - firstly, beware of callers offering to clean up your PC (unless it's one of us, of course), and secondly, like I said, it doesn't matter how clever your key is if the
lock you are putting it in is made of tissue paper.