Wednesday, September 30, 2009

Password: Your key to the networked world

I receive more than 10 SOS calls every month from my students saying that someone has hacked their email password or some other password. It is a genuine problem. Before I start with the problem, I would like to ask you a few questions (the list is long, please take your time). My honest request to you all: please answer these questions seriously. Don't overthink, don't take more than a second, just answer "yes" or "no".

Let’s begin.

1. Your password is less than 6 characters.
2. Your password is nothing but a dictionary word (a word listed in a dictionary).
3. Your password is your boyfriend's/girlfriend's name.
4. Your password is your date of birth / the date of your first date / the date of your first kiss (you know what I mean).
5. Your password is all small letters; you don't use any capital letters, numbers or special characters in your password.
6. You haven't changed your password in the last one month.
7. You use the same password for more than one of your login IDs (for example, your password is the same for Yahoo and Gmail, or Orkut and Facebook).
8. You have told your password to that special friend that you have.
9. You have kept a note of your password on your cell phone or laptop (you know, we are not that good at remembering things, so we keep a note; anyway, I don't give my cell phone to anybody, you know).
10. You were filling up a registration form for an event at your college fest, and the password you gave is the same as that of your Gmail or Yahoo account.
11. Your password is a phrase that you use very frequently, or it is there everywhere, like your status message on Orkut, your wallpaper and so on.

Let us understand the serious implications of all these questions that I have posted.

1. Your password is less than 6 characters.

# If it is less than 6 characters, it is vulnerable, it is weak. It is all about permutations and combinations. There are many third-party programs available which keep changing the permutation of the letters, or the position of the letters, and keep trying until they get it right. If you have a long password, the probability of getting it right will be very low. (Please read Digital Fortress by Dan Brown.)

Another case can be that you are not that good or fast at typing. There is always this friend of yours who stands over your shoulder while you are typing the password. There is a chance that he/she can memorise the keystrokes. I am sure you would not want to take a risk like that.

Counter measures: Please use a long password. If the website asks you for a password of 8 to 12 characters, go for 12 instead of the bare minimum of 8. A practical example: if you want to buy a lock for your room/house, will you buy a 4-lever or a 7-lever lock? I leave it to you to answer that. If the hacker is a committed one, he is going to try no matter what the password length is. Don't make his life or work simple by keeping your password short. What password length do I use? No, I am not going to answer that. But I know a student of mine whose password is 32 characters long. Hope you got the message.

Many websites, as well as operating systems, will not allow you to set a password of less than 8 characters.

2. Your password is nothing but a dictionary word (a word listed in a dictionary).

# This is more dangerous than having it short. A Google search turns up thousands of password-cracking programs, and these are dictionary-based tools. How do they work? Very simple: the program takes the first word from the dictionary and tries it; if it is not lucky, it takes the second word from the dictionary and tries that. The program is nothing but an "IF & ELSE" loop, so it is going to try every word available in the dictionary and will not stop until there is a positive match. A powerful computer dedicated only to this work can actually crack it in no time. As I said, a committed hacker has all the time in his life to wait for that positive match. Please do some research on the term "BRUTE-FORCE".

Counter measures: Simple, don't use a dictionary word as your password. If you are emotionally attached to that word, use it differently. For example, if you are looking at the word "EVERGREEN" as your password, use "SADABAHAR" instead. Someone using an English dictionary will never get that word.

For your information, there are many operating systems which will not accept a password based on a dictionary word.

3. Your password is your boyfriend's/girlfriend's name.

# This is a kind of open secret. 50% of the students I have spoken to fall in this category. They are so much in love with each other that they use the other's name as the password. Now, if I know you, there is a chance that I will know him/her also. You will say, "Swapan, you don't know him/her, how can you know the name?" Very simple: I will try Orkut or Facebook; you know there is this friends list available. Worse, there are people who publicly acknowledge their relationship and keep the password on that name. Why only the special friend's name? There are people who use their spouse's name as the password, or some other name: father, mother, brother, child, the list is long. Not to forget the pet's name.

Counter measures: Don't get emotionally carried away. We understand that you love the person very much, but don't base your password on his/her name.

4. Your password is your date of birth / the date of your first date / the date of your first kiss (you know what I mean).

# This is also a very common way in which one's account is compromised (and very, very dangerous as a PIN for your ATM card). You set your password to be your date of birth or some other significant event in your life; people close to you might know about it (the date or the event), and they can discuss it with their other friends, so they also come to know about it. Students love to dwell on telling these events, and word gets around through the social networking sites too. So using such dates as your password is not very secure, as one hint is enough for anyone to guess it and get access to your email. For example, if my close friend's date of birth is 28th Feb 1984, the password can be 28021984, which is 8 characters, and many websites will accept it as a password (please note that all the major websites will not allow an all-numeric password). Moreover, this numeric password carries over to your ATM PIN as 2802 or any other combination of the same numbers.

Counter measures: So stop using dates and events for your passwords; use other numbers which are random, and always try combining them with alphabets and special characters. If you are anyway going to use dates or events, then do not divulge them to anyone, and keep them away from the social networking sites.

5. Your password is all small letters; you don't use any capital letters, numbers or special characters in your password.

# Using all small letters for your password is not a good option for securing it. It is easy for any person, or any software (like a password recovery toolkit), to guess it. People who know about you will easily guess it, because apart from using dates or events, you are using all small letters and no capital letters or special characters in the password. For example, using 'sumitacharya' as a password is totally wrong: (a) it is all small letters, (b) it starts with the user's name, (c) it is not combined with numbers or special characters.

Counter measures: Always use special characters, and combine your password with capital letters and numbers, with more than 12 characters, to make it a strong password.
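The rules from items 1, 2, 4 and 5 can be checked mechanically. The following is an added example (not code from the original post): a small Python checker that scores a candidate password against those rules and also reports the brute-force search space behind item 1. The word list is a constructed stand-in for a real dictionary file, the 12-character minimum follows the counter measure above, and the guess rate used for the time estimate is an assumption.

```python
import math
import re

# Constructed stand-in for a real dictionary file (a real checker would load a
# full word list; the handful of words here is only for illustration).
DICTIONARY = {"evergreen", "password", "welcome", "sunshine", "letmein"}

MIN_LENGTH = 12  # the post's counter measure for item 5: more than 12 characters

# Character classes with the size of each class, used both to count variety
# (item 5) and to estimate the brute-force search space (item 1).
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation
]


def present_classes(pw):
    """Sizes of the character classes that actually occur in pw."""
    return [size for pattern, size in CLASSES if pattern.search(pw)]


def search_space_bits(pw):
    """log2 of (alphabet size ** length): the number of guesses an attacker who
    knows only the length and alphabet needs in the worst case, as bits."""
    alphabet = sum(present_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_brute_force(pw, guesses_per_second=10**9):
    """Worst-case time to enumerate the whole search space; the rate is an
    assumed figure, not one from the post."""
    alphabet = sum(present_classes(pw))
    return alphabet ** len(pw) / guesses_per_second


def looks_like_date_or_pin(pw):
    """All digits and 4, 6 or 8 long: a PIN, ddmmyy or ddmmyyyy (item 4)."""
    return pw.isdigit() and len(pw) in (4, 6, 8)


def check_password(pw, user_name=""):
    """Return the list of rules from the post that pw breaks; empty means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")                    # items 1 and 5
    if pw.lower() in DICTIONARY:
        failures.append("dictionary word")              # item 2
    if looks_like_date_or_pin(pw):
        failures.append("date or PIN-like digits")      # item 4
    if len(present_classes(pw)) < 3:
        failures.append("too few character classes")    # item 5
    if user_name and user_name.lower() in pw.lower():
        failures.append("contains user name")           # item 5, 'sumitacharya'
    return failures


if __name__ == "__main__":
    for candidate, name in [("evergreen", ""), ("28021984", ""),
                            ("sumitacharya", "sumit"), ("1shfatcS", "")]:
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, "
              f"{seconds_to_brute_force(candidate):.0f} s worst case, "
              f"fails: {check_password(candidate, name) or 'nothing'}")
```

Run it on the post's own examples and the two sides of item 1 show up in the numbers: the 9-letter dictionary word "evergreen" spans about 42 bits, while the 8-character "1shfatcS" from item 7 spans about 48 bits because it draws on three character classes, and the all-digit birthday is flagged before any arithmetic is needed.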

6. You haven't changed your password in the last one month.

# Keeping the same password for your account for a prolonged period of time makes it easier for anyone to crack it and gain access to your account. One should make it a practice to change the password on a regular basis so that the account is not compromised. One's email account is of immense importance, as people usually receive important details in it, like job-related information for working professionals and campus recruitments for undergraduate students.

For your information, it is statutory to change your password on all online trading sites within 14 days. Many operating systems have an option to ask the user to change their password periodically. We can make it much stronger by adding the additional option that you can't change your password back to the old password, or at least to the last 3 old passwords.

Counter measures: Make it a habit to change your password every month. You can take help from password manager software which, apart from protecting your passwords, can be set to remind you to change your password by warning you of its expiry. This feature can be found in popular anti-virus software.

7. You use the same password for more than one of your login IDs (for example, your password is the same for Yahoo and Gmail, or Orkut and Facebook).

# This is the most common and gravest mistake that account holders make. For convenience's sake, someone uses the same password for more than one account; then it is certain that if someone gets hold of one password, it is easy to get into the other account, since the password is the same. The same goes for your banking account passwords or ATM PIN numbers. Someone who knows you will definitely make use of this opportunity and try to create problems with it.

Think about it: your house has four entry points, and you have protected all of them with steel doors and 7-lever locks, but the key is the same for all four doors. I get hold of one, I get all. It's like "ek ke sath ek free" (buy one, get one free).

Counter measures: DO NOT USE THE SAME PASSWORD AT ALL for your email and bank accounts! Even if you have more than two accounts, do not give them the same password. It is good to have a great memory, so always have different and unique passwords for all your email and online banking accounts. You will say, "I don't have a good memory, I will forget my password." OK, then try something smart. It is easy to forget a word but not a phrase, or a happy moment; make that your password. For example, you can make a password from a phrase like "I saw her first at the coffee shop": this can be "ishfatcs", and now we can make that "1shfatcS". If you want more help, you have to pay me for the consultancy :).
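The phrase-to-password trick just described, written out as an added Python example (not the post's own code): take the first letter of each word, swap the leading letter for a look-alike digit and capitalise the last letter, which turns "I saw her first at the coffee shop" into "1shfatcS" exactly as above. The look-alike table beyond i -> 1 is an assumption, since the post shows only that one substitution.

```python
import re

# Assumed look-alike digits for the leading letter; the post only shows i -> 1.
LEADING_DIGIT = {"i": "1", "l": "1", "o": "0", "e": "3", "a": "4", "s": "5", "b": "8"}


def initials(phrase):
    """First letter of every word, lower-cased. Apostrophes stay inside a word,
    so "don't" contributes one letter, not two."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", phrase)
    return "".join(w[0] for w in words).lower()


def phrase_to_password(phrase):
    """The post's recipe: initials, leading letter -> digit, last letter capitalised."""
    acronym = initials(phrase)
    if len(acronym) < 2:
        raise ValueError("the phrase needs at least two words")
    first = LEADING_DIGIT.get(acronym[0], acronym[0])
    return first + acronym[1:-1] + acronym[-1].upper()


if __name__ == "__main__":
    phrase = "I saw her first at the coffee shop"
    print(initials(phrase), "->", phrase_to_password(phrase))  # ishfatcs -> 1shfatcS
```

The result is only as long as the phrase has words: the eight-word example yields 8 characters, so a phrase of at least twelve words is what it takes to reach the length the counter measure for item 5 asks for.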

8. You have told your password to that special friend that you have.

# Please! Your password is your very personal thing, more personal than that special someone, so letting them know your password is a very bad idea. That special friend can also become a not-so-special friend someday, and then your account will definitely be in jeopardy if the password has not been changed. If told to others, the information in your mailbox or your bank account details can be tampered with; they might unknowingly make some changes without your knowledge which can cause trouble for you, or your data may get deleted, or even your account emptied of your money by just a click of a button by that special someone.

Counter measure: It is plain and simple: just do not tell your special friend your password, and try to keep it to yourself no matter how close that special friend is to you.

9. You have kept a note of your password on your cell phone or laptop (you know, we are not that good at remembering things, so we keep a note; anyway, I don't give my cell phone to anybody, you know).

# This is another serious mistake that people make after setting passwords for their accounts. You just can't store your passwords on cell phones or laptops, because if anyone gets access to them, then your account is not safe. And you should always be careful while giving your laptops, external drives and cell phones to service centres, because if your data is still present on them, there is a chance that data theft can occur, and your account might also get hacked with the password information they get from it. You might have heard the recent news of the famous sitar player Anoushka Shankar's account getting hacked, where her pictures were stolen and the hacker was demanding money for them. It is believed that she had given her laptop to a service centre, and someone had stolen information from there and hacked her account. There was another incident where one of my acquaintances' special friend had access to her cell phone, where she had stored her ATM PIN number; when she had gone out of sight, the money was also gone from her account, which was around Rs. 40,000/-.

Counter measure: Do not save your passwords or PIN numbers on your cell phone or PC; try remembering them. And while giving your PCs, external drives or cell phones to service stations, please do not leave any data on them: first back it up and remove it [remove it means complete erasure; how to do that, OK, some time next], and then give it up for servicing.

10. You were filling up a registration form for an event at your college fest, and the password you gave is the same as that of your Gmail or Yahoo account.

# Doing this can again put you into problems. In most cases these sites are developed by college students (don't take this as an offence, but these students are not that professional; they are still at the learning stage). There is a chance that the registration site will have lots of bugs and errors, which some other (unholy) student will exploit to get access to your password. Now, if your password is the same as the one you have given to any of the other mail sites, you are asking for trouble. No names, but I know a college where a student hacked into their fest registration site and showed it to us live in one of our workshops. Secondly, these site managers are your friends, and you know they would also like to know your password (maybe only for fun). With small changes in the registration database they can read your password as clear text. PROBLEM.

Counter Measures: Do not give the actual details while registering for some sites if it is absolutely not necessary. In case of Password always use something different and unique and definitely not your gmail or yahoo account password.

11. Your password is a phrase that you use very frequently, or it is there everywhere, like your status message on Orkut, your wallpaper and so on.

# Nothing much to say on this; please watch the movie "AJNABI", where Mr. Bobby Deol (our hero) tries to access Mr. Akshay Kumar's (the con guy) online bank account. Oh oh, the password: "every thing is planned". Enjoy the movie.

1 comment:

  1. Nice Blog Sir keep it up :)

    I shall forward it to all my friends to learn :)