Thursday 29 January 2015

The Problem With Passwords

Selecting a password is an art; hackers attempting brute force attacks will use dictionaries containing millions of known words and common password combinations, so if your password is ‘123456’ or ‘password12’ you will lose control of your account in a few seconds if attacked. Also beware of using the same password in more than one place: if any single password file is cracked, hackers will routinely try the same username and password combinations on other common sites. If you follow these rules you will, like me, end up with a long list (for me it's hundreds) of different passwords, hopefully containing capitals, numbers and punctuation marks, all of which you need to be able to retrieve at any time. And of course you won’t be storing them as remembered passwords in your web browser, as these are generally very easy to access.

This is one of the great problems of the Internet age. How do we manage our passwords? As somebody who has more than a passing interest in hacking, and understands many of the ways in which passwords are cracked, I probably have a bit of a head start. I've also been interested in cryptography for many years, and I've managed to develop a simple and ingenious method for generating passwords that I can then reverse engineer on-the-fly when I need to use them. And if you think I'm telling you what this is then I'm afraid you're going to be disappointed.

This may sound a little smug, but I assure you it's not; I may have been careful in crafting my keys, but as I have little control over the locks they are used in I don't have any illusions about the security my precautions give me. Instead I rely on a simple maxim: if I absolutely don't want to share something, then it probably shouldn't be anywhere on-line anyway. That and two-step authentication. Always. Let me give you an example of how my thinking has been shaped.

Fully ten years ago my home broadband was provided by Tiscali, who have long since been absorbed by TalkTalk. When I came to cancel my contract with them I was told that I would have to do this by logging in to their portal, using the username consisting of my Tiscali e-mail address which I had never used and a password that I had noted down when I first opened the account one year previously.

You would be right in thinking that this was unnecessarily complicated, as I was already speaking to an agent who had authenticated me. Most people ten years ago wouldn't have known their username or password anyway, unless they were actually using the e-mail address. All in all the cancellation process seemed designed to be as difficult as possible, no doubt in a sad attempt at “customer retention”. Things were easier for me because I had noted down my username and an obfuscated password.

So I logged in to my portal where I was presented with thousands of unread e-mails every single one of which was spam. After cancelling, I contacted Tiscali to ask them how an e-mail address that I had never used had ended up in the hands of every spammer under the sun. They declined to reply.

I'm not in the least bit surprised to read in the Guardian that TalkTalk customers are suffering from the same problem. TalkTalk are being particularly coy about the issue, which seems to be resulting in fake service calls on a large scale.

These leaks are of course entirely predictable; if you're going to pay call centre staff in India a pittance then don't be surprised if they look at other ways of supplementing their income. It's not as if they are being set a shining example by our own governments, who seemed quite happy with the idea of collecting all our data, much of which I am sure will one day be left on the back seat of a taxi.

So there are two things to remember here - firstly, beware of callers offering to clean up your PC (unless it's one of us, of course), and secondly, like I said, it doesn't matter how clever your key is if the lock you are putting it in is made of tissue paper.