Get Tough With Computer Passwords and Secret Questions

The three things you must do to stay computer password safe – and how to foil secret question hackers: Internet ScamBusters #323

Your computer passwords and secret question answers are at greater risk than ever as computers get more powerful and hackers more persistent.

Most of us are vulnerable unless we:

  • Use passwords with many random characters and symbols.
  • Change passwords frequently.
  • Use a different password for each key account.
  • Toughen up the answers to our secret questions.

In this issue, we ask: are you doing enough to protect yourself or is the challenge perhaps deeper and more complex than you realize?

On to today’s main topic…


Get Tough With Computer Passwords and Secret Questions


Changed your computer passwords recently? No? Strike one!

Still using words found in a dictionary as passwords? Yes? Strike two!

Using the same computer password for more than one key account? Aargh! Strike three — You’re out!

Despite all the warnings and advice, it seems that at least 20% of computer users still use easy-to-crack single word passwords. And it’s not just novices who do this.

Indeed, at the beginning of this year, the social networking site Twitter was seriously compromised after an 18-year-old hacker using "brute force" software (a program that simply tries one guess after another: every word in a dictionary, or every possible combination of characters) managed to log on as "Crystal", one of the organization's administrators, using the word "happiness."

And, let’s be honest, most of us use the same password on more than one account. And very few of us bother to change our computer passwords often enough, if at all.

In addition, those so-called security "secret questions" we answer and use as a back-up for when we forget our passwords turn out to be even easier to crack.

Why? Because the answers are usually single, easy-to-guess words, or facts about you that anyone can look up. That makes them no better than the worst kind of passwords!

In the past, we have featured ideas about how to generate hard-to-crack passwords. Read more on computer passwords in the article Creating Computer Passwords — and the second item, How to Create Good Passwords, of another Scambusters Snippets issue.

This time, we’re going to delve a little deeper to show just how random and complex those strings of letters and characters have to be. And how to toughen your answers to those secret questions.

First, a few alarming facts to make you sit up and pay attention!

  1. If you use a word in the English language (there are about 200,000 of them, of which around 40,000 are in common use) as a password, a cracking program will find it, even if you double it ("friendfriend"), spell it backwards ("dneirf") or add some numbers at the end ("friend123"). These programs don't just try the dictionary; they apply exactly those tricks to every word as they go, so the doubled, reversed and number-padded versions are tried almost as quickly as the plain word. At the speeds described next, the whole dictionary with its variations takes minutes to a few hours.
  2. If you use a non-word password with only five jumbled characters, all lower case, there are fewer than 12 million possibilities, and at a million guesses a second (the rate these figures assume) it takes a mere 11.9 seconds to try them all. Even if you use a mixture of all 95 characters on the keyboard, upper and lower case, numbers, punctuation etc, five characters take only 2.15 hours, still easily achievable for a hacker to run overnight. These speeds apply when the hacker has stolen a site's list of scrambled (hashed) passwords and can guess offline on their own machine; a login page that locks the account after a few wrong guesses is a very different matter.
  3. Hacking programs, in the guise of genuine password recovery software, are freely available on the Internet. Installed on someone's PC, either directly or over the Internet through malware, they can reveal pretty much all passwords saved in email and instant messaging programs, those stored in Internet browsers, or otherwise hidden behind asterisks. They can do this because the program on your PC has to be able to read those passwords in order to use them.

What these things tell us is, first, that our passwords should not only be made up of random characters but should also be lengthy: 14 characters is the minimum worth considering, and 16 or more is recommended. Length matters more than cleverness, because every extra character multiplies the number of guesses a hacker has to make.
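To show what the 11.9-second and 2.15-hour figures actually mean, here is an added example written for this edit; it is not code from the Scambusters article or from any product it mentions. It assumes a site that stored salted SHA-256 hashes of its passwords, a hacker who has stolen that list and guesses offline, and the one million guesses per second that the article's figures imply; the mini-wordlist, the salt and the passwords it tests are constructed for the demonstration.

```python
import hashlib
import secrets
import string

# Speed implied by the article's figures (26**5 guesses in 11.9 s).
GUESSES_PER_SECOND = 1_000_000

# Constructed mini-dictionary; a real attack loads the full 200,000-word list.
WORDLIST = ["happiness", "password", "sunshine", "friend", "monkey"]


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, standing in for whatever the breached site stored.

    A deliberately slow hash (bcrypt, PBKDF2) would multiply the attacker's
    cost by its work factor but would not rescue a dictionary word.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def mangled(word: str):
    """Yield the cheap variations the article warns about, plus two more.

    Cracking tools apply such "rules" to every word, so "friendfriend",
    "dneirf" and "friend123" cost the attacker almost nothing extra.
    """
    yield word
    yield word.capitalize()
    yield word + word        # doubled: "friendfriend"
    yield word[::-1]         # reversed: "dneirf"
    yield word + "!"
    for n in range(1000):    # digits appended: "friend0" ... "friend999"
        yield f"{word}{n}"


def dictionary_attack(target_hash: str, salt: bytes, wordlist=WORDLIST):
    """Offline guessing against a stolen hash.

    Returns (password, guesses) on success or (None, guesses) if the whole
    wordlist with all its variations was exhausted without a match.
    """
    guesses = 0
    for word in wordlist:
        for candidate in mangled(word):
            guesses += 1
            if hash_password(candidate, salt) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of this length over this alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string; the average find takes half."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest sensible unit, e.g. '2.15 hours'."""
    for unit, span in (("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def generate_password(length: int = 16) -> str:
    """Random password over 94 printable ASCII characters (space excluded),
    drawn from the operating system's cryptographic random source."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    salt = b"constructed-salt"  # a real site uses a random salt per user
    # "q7#Lm2vX!pR9zT" is a constructed 14-character random password.
    for pw in ["happiness", "friend123", "q7#Lm2vX!pR9zT"]:
        found, n = dictionary_attack(hash_password(pw, salt), salt)
        status = "cracked" if found else "survived"
        print(f"{pw!r:18} {status} after {n} guesses")
    for label, size in (("26 lowercase letters", 26), ("95 keyboard characters", 95)):
        for length in (5, 8, 14):
            print(f"{label}, {length:2d} chars: "
                  f"{human_duration(seconds_to_exhaust(size, length))} to exhaust")
    print("Suggested 16-character password:", generate_password(16))
```

Run it and "happiness" (the Twitter password) falls on the first guess and "friend123" after a few thousand, while the 14-character random string survives the whole dictionary run. The second loop reproduces the article's 11.9 seconds and 2.15 hours and also shows that exhausting 14 lowercase letters takes far longer than exhausting 8 characters drawn from the full keyboard: that is why length comes before cleverness.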

Second, not only should we protect our PCs against malware attacks, but we should also change our passwords frequently, in case anyone has managed to grab them: a stolen password is only useful to a hacker for as long as it still works.

As we suggested at the beginning, it’s also good practice to use a different password for each important account.

Why? Because some websites and online forums have weak security and get hacked, and the stolen lists of usernames and passwords are then tried against other, more valuable sites. If you're registered there and you're using the same username and password as you do for your online banking (which, believe us, isn't unusual), bingo! Someone's got their hands on your money.

The bottom line is that no password is 100% safe and uncrackable. Well-run sites don't store your actual password but a "hash" of it, a scrambled fingerprint produced by a one-way formula, with a random "salt" mixed in so that two people with the same password get different fingerprints. A hacker who steals that list can't simply read the passwords off it, but can run the guessing programs described above against it, and that is where the crack times come from. Tough, long strings of characters (plus encryption of wherever you keep them, which some software provides) will usually be enough to defeat and deter the hackers.

In a nutshell, a good password consists of 14 or more random characters, upper and lower case and including numbers and symbols.

Of course, having such random strings and a different set for every account, which you also change frequently, will make it difficult (or impossible!) to remember.

Two things you can do are:

  1. Use a strong password storage program that uses encryption to protect its data, so that one good master password unlocks all the others. Some Internet security programs now do this. The most commonly used program is Roboform. For the Mac as well as the PC, you can also check out PasswordVault by Lava Software. Some programs (including PasswordVault) can also generate passwords for you, which is the easiest way to get the 14 or more random characters we recommend. The more important your password, the more often you should change it.
  2. For low-security sites, either have one throwaway username and password that you use ONLY on these sites and nowhere else (so it doesn't matter if it's discovered); or use a site like BugMeNot.com, which offers shared logins for sites that force you to register but where you can remain anonymous. Never reuse the throwaway password anywhere that holds your money or personal information.

What you do NOT want to do is write the passwords down on paper. 😉

Secret Questions

Now for a word about those secret questions.

Time was when you had to give your mother’s maiden name. Later, new questions were added, like naming the city where you were born, the name of your pet or the last four digits of your Social Security number. Wow!

It doesn’t take much thought to realize how weak a level of security this is. For a start, it’s probably quite easy to track down your mother’s maiden name. And Social Security numbers, especially the last four digits, are cheaply traded among criminals on the Internet.

As for pet names and most other personal questions, consider this:

  • Your favorite color is likely to be one of about only eight different choices.
  • Most people were born in one of about 20 big cities. One in three of all Americans live in the top 250 cities.
  • Street names? Choose anything between 1st and 8th or the name of a tree (e.g., “Oak”) and you’ve covered the 15 most common street names in the US.
  • The name of your pet? There are published lists of the most popular names. Max, Buddy, Molly, Ginger, etc.
  • Your school? Let’s see if you’re on classmates.com.
  • The make or model of your first car? Again, just a few choices. Out of 40 or so brands, Ford, Chevrolet, Dodge, Toyota or Honda would be a good bet.
  • Your favorite film? See IMDb for the top 250 movies of all time. It'll probably be in there.

Given what we've said about how little time it takes for a brute force attack, how secure do these questions now sound to you? Your only hope is that the site where your account is held permits just a limited number of attempts to answer the question before locking the account, and even then most of the lists above can be covered in a handful of guesses.

But even that won't protect you if someone has picked up information you've inadvertently given away, like naming your pet on your Facebook page, and so on. Then they need only one guess. It happens.

There are two potential solutions to this problem.

  1. Invent and use obscure answers. These sites don't check whether you were really born in "Mbowku#" or whether your mother's maiden name was "cZakindA." Some may not allow symbols or spaces, but some do. Of course, you'll need to store these, ideally in the same encrypted password storage program you use for the passwords themselves; even dropped into the middle of a text document they would be meaningless to anyone who stumbled on them, but the encrypted store is safer.
  2. Invent your own question. Sites increasingly allow you to do this, but it only makes sense if you choose a question that no one else is likely to be able to answer, and whose answer isn't on your social networking pages: the full name of your first date, the name and location of your favorite vacation hotel, or the last word and page number in a book you own.

It's true that even these solutions can still be attacked, but we're sure you'll agree it will be tougher and take a whole lot longer than answering the questions in the earlier list.

As we said, it’s virtually impossible to eliminate all risk of having your password or secret question and answer stolen, especially as computers become more powerful and hackers more devious and persistent.

However, with a few simple measures you can reduce that risk a great deal. After all, why would a hacker target you when alternatively they can log on as “Betty123”, password “Max,” mother’s maiden name “Smith” in a snap? So stay safe!

Time to close — we’re off to take a walk. See you next week.