by Dr Matthew Candelaria, a professional technology writer who works with Webroot
It should go without saying that choosing a secure password is important to protecting personal and commercial data. Even mobile security software such as that offered by Webroot is worthless if a password is compromised. Unfortunately, most people don’t create secure passwords, and that can expose your organisation’s network to attacks. The sad truth is that most people use weak and common passwords for most applications. The 2012 list of the most common passwords is virtually unchanged from 2011, and includes ridiculously common words like “password,” “monkey,” “letmein,” and “dragon.”
It also includes obvious combinations like “12345678,” and “qwerty.”
“About 90-95 per cent of users fall into three categories: family, fan, and fantasists.”
When people aren’t using these kinds of common words and combinations, they are using one of three easily-hacked personally relevant categories for their passwords.
Studies place about 90-95 per cent of users into three categories: family, fan, and fantasists.
- Family: who use names and numbers related to family members to create passwords
- Fan: who use sports teams, movie or rock stars, or fictional characters for their user names
- Fantasists: who use mostly sexualised words such as “stud,” “sexy,” or “goddess” for passwords
Only 5-10 per cent of users are ‘cryptics’, who create secure passwords based on hard-to-crack random sequences of letters and numbers.
Your current training likely isn’t working
A study of healthcare workers published in the International Journal of Advanced Computer Science and Applications (IJACSA) in 2011 showed that these workers fit into the same patterns identified in 2001 and listed above.
Worse still, about 73 per cent of these workers routinely shared information about how they created passwords that would allow friends and co-workers to crack their passwords.
They also rarely changed their passwords and used the same password on multiple sites and devices.
This is despite the fact that almost all employees noted that their employer provided security and password awareness training.
How to make security training effective
The main problem with security training? It isn’t repeated often enough.
People need to hear these lessons regularly to remember to create unique passwords, change them regularly, and not reuse them on multiple sites.
Security training also needs to be mandatory to be effective. Given the choice, employees will not attend security training.
After all, they feel they know the information already, even if they aren’t following it. It should include information about how to make secure passwords that are easy to remember (see below).
Secure and easy-to-remember passwords
The most common method for making and remembering a secure password is to create a simple sentence that is easy to remember and use the first letter of each word.
These mnemonics work great. I still remember the one I learned in the mid-1980s for the Mohs scale of mineral hardness: “Tall girls can float across oceans quickly to collect diamonds.”
A friend of mine recently spouted the mnemonic she learned in the 1950s for resistor colour coding: “Bad boys rape our young girls, but violet gives willingly.”
Employees can base their phrases on their preferred password patterns, such as “My son Quentin loves his new ninja castle,” or “Arsenal forward Podolski runs fast and shoots hard.”
They then take the first letter of each word, “MsQlhnnc,” or “AfPrfash,” respectively, and perform substitutions for letters with numbers or special characters.
For example, “new” can become “2,” and “ninja” becomes an asterisk because it looks like a throwing star.
You can create one base password and alter it for each site or service based on the name of the site.
Recommended rules for this modification include using only the vowels from the name or using first-last combinations, such as “MsQlh2*caoo” or “MsQlh2*cYoao” for Yahoo.
But you can make up your own rules. You can put the altered code anywhere in the password.
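The following Python is an added worked example, not code from the article or from Webroot. It carries the procedure above through end to end: take the first letter of each word of the phrase, apply the word substitutions the article gives (“new” to “2,” “ninja” to “*”), derive a per-site tag from the site name, and then run the result through a simple length and character-class check of the kind an administrator might enforce. The vowels rule reproduces the article’s “aoo” for Yahoo exactly; the first-last rule is my reading of the article’s “first-last combination” (first letter, last letter, then the vowels between them), which yields the article’s “Yoao”. The `policy_check` thresholds are assumptions, not anything the article states.

```python
import re

# Word-level substitutions taken from the article's example.
# Keyed by whole word, so the sentence itself decides which letters are replaced.
WORD_SUBSTITUTIONS = {"new": "2", "ninja": "*"}

VOWELS = set("aeiou")


def mnemonic(phrase, substitutions=WORD_SUBSTITUTIONS):
    """First letter of each word (case preserved), with whole-word substitutions applied."""
    letters = []
    for word in re.findall(r"[A-Za-z']+", phrase):
        letters.append(substitutions.get(word.lower(), word[0]))
    return "".join(letters)


def site_tag_vowels(site):
    """'Only the vowels from the name' rule: Yahoo -> 'aoo'."""
    return "".join(c for c in site.lower() if c in VOWELS)


def site_tag_first_last(site):
    """Assumed reading of the article's 'first-last combination':
    first letter + last letter + the vowels in between. Yahoo -> 'Yoao'."""
    inner_vowels = "".join(c for c in site[1:-1].lower() if c in VOWELS)
    return site[0] + site[-1] + inner_vowels


def site_password(base, site, rule=site_tag_vowels, position="end"):
    """Combine the base password with the site tag.
    The article says the tag can go anywhere; 'end' and 'start' are supported here."""
    tag = rule(site)
    return base + tag if position == "end" else tag + base


def policy_check(password, min_length=8):
    """Assumed example policy: minimum length plus all four character classes.
    Returns (passes, per-class coverage) so a failing class can be reported."""
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    passes = len(password) >= min_length and all(classes.values())
    return passes, classes


def derive_for_sites(phrase, sites, rule=site_tag_vowels):
    """Build one base password from the phrase and a distinct variant per site."""
    base = mnemonic(phrase)
    return {site: site_password(base, site, rule) for site in sites}


if __name__ == "__main__":
    # Constructed inputs, using the article's own example phrases.
    phrase = "My son Quentin loves his new ninja castle"
    for site, pw in derive_for_sites(phrase, ["Yahoo", "Amazon"]).items():
        ok, classes = policy_check(pw)
        print(f"{site:8} {pw:16} policy={'pass' if ok else 'FAIL'} {classes}")
```

Running the script shows the Yahoo variant passing the example policy (it has upper- and lower-case letters, a digit and a symbol) while a plain first-letter mnemonic such as “AfPrfash” fails it, which illustrates why the article pairs the mnemonic step with the substitution step rather than relying on the sentence alone.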
Regularly repeated security training can reduce the risk your employees will use weak passwords, but it’s still crucial to monitor activity regularly to make sure none of your employees’ mobile accounts have been hacked.
Dr Matthew Candelaria is a professional writer with more than five years’ experience writing copy in industries such as law, medicine, technology and computer security. For more information about him and his work, go to www.writermc.com.