Power of the Password
The recent News of the World phone hacking scandal illustrated how easy it can be to access poorly protected information. The investigators who hacked into the phones were not IT geniuses; they just exploited basic flaws in the caller ID and PIN systems.
A few years back, a default PIN was provided for access to mobile messages – with the onus on the user to change it if they wanted to. Needless to say, many people never bothered to change this default PIN. Even when they did, it was often to an easy to guess number, like 1234 or 3333.
While things have improved with mobile message security, people still often pick easy to guess PIN numbers, and this problem applies to other technologies as well. Ideally, passwords should have a mix of letters and numbers, upper and lower case and even symbols. The same password should not be used again on any other website or email account either.
The problem is; so many passwords can be required now that it can be a nightmare to try and adopt this best practice. As the likelihood of being hacked can seem quite low, many people ignore all the advice and still use passwords made up of favourite football teams or children’s names that can easily be guessed. I’ve advised on a number of cases where Union members have either been accused or been the victims of a hacked email account, with either poor or shared passwords critical factors.
One case involved a former employee who hacked into their old bosses email account and found a message that insulted a key client’s physical appearance. This message was then forwarded to the client, causing uproar. There are services that can manage all your passwords, but these usually come at a cost. Banks – out of necessity – have been at the forefront of improving protection, with card readers and security procedures that have improved protection.
A lot of systems now only allow passwords with a minimum length or mix of characters to be used or require passwords to be changed at regular intervals. However, many services still don’t have these checks, or haven’t implemented them in workplaces due to their unpopularity amongst some users.
We rely more and more on access to information instantly, but if we want the extra convenience, then we need to take the security seriously. It’s easier to spend a bit of extra time now changing and setting up better passwords than dealing with the potentially disastrous consequences.