bit-tech.net

Should you change your password?

Published on 5th December 2006 by Ryan Garside

Security on the internet is a key issue for many. But most of us fail to protect ourselves adequately.

Are you one of those people who use the same username/password combination for practically every log in on the web? Now the International Telecommunications Union (ITU) is warning users that this practice will lead to an increased chance of identity theft.

Don't feel too bad if you, like us, are using similar username and password combinations. A quick poll round the office suggests that everyone is doing it. That, warns the ITU, is something thieves and fraudsters will soon cotton on to. The report, as published on the BBC, said:

"This may cause security breaches, and leave them vulnerable to the machinations of identity thieves ever increasing in number and inventiveness. The lack of coordination in identification systems is a source of growing inconvenience to users and needs to be addressed rapidly."

One thing that you must remember (thanks for reminding us bit-tech forums) is that most companies will not ask for your confidential information. There is a rather amusing forum post, where a youngster got counter-hacked for his Steam account. It's definitely worth a read in full but here's an extract:

br0kenrabbit says:
Try to log in now.

Greg_ValveOLS says:
k

Greg_ValveOLS says:
It says login failed wtf wtf!!@?

br0kenrabbit says:
Greg

Greg_ValveOLS says:
did u ban me???????????>WHY

br0kenrabbit says:
Greg

Greg_ValveOLS says:
what

br0kenrabbit says:
Valve will never ask for your username and password.

Greg_ValveOLS says:
what????

br0kenrabbit says:
I don't work for Valve dude, but you just got pwnt.

So there you go, you've been warned. Doubtless nobody will go and change all their username and password combos. I know I certainly won't, I'll just wait till the fraud apocalypse hits and we all become victims of cyber-crime.

If, however, you're looking to up your security, uber-geek Steve Gibon has an awesome ultra high security password generator you might want to check out.

Let us know your thoughts in the forums.

18 Comments

Discuss in the forums Reply

Blademrk 5th December 2006, 10:40

The trouble is most people use quite a few different forums/online-shops, and without actually writing all the passwords down (and to which site) it's fairly easy to forget which password goes with which site (I know I've forgotten a few).

My password in work asks me to change it every month and it won't let me use the same password twice, which can get tricky coming up with something memorable by the 100th time.

DougEdey 5th December 2006, 10:51

Our work is a lot more secure now, passwords are remembered for 8 iterations. You have to have one upper case letter, one lower case letter and at least two numbers with a minimum length of 8.

DeX 5th December 2006, 11:14

Since this a technology site, I think you should inform your readers about this:

http://www.angel.net/~nic/passwd.html

It's something the ITU would never suggest but it's quite a clever system for generating a different password for each site that requires one. If you link to the password generator on your bookmark toolbar you have it automatically fill in the password field of any web form based on a hash of your master password and the domain name of the site.

There are other password generators around that work similarly. Its security rides on the fact that a hacker doesn't know your master password or the fact that you use a password generator. But its a much better system than using the same password on every site you use or trying to juggle your own selection of various passwords.

I really don't see the point in these reports and studys highlighting certain problems that organisations make if they don't come up with a solution to those problems. :|

riggs 5th December 2006, 12:12

Yup, I pretty much use the same password for every site...apart from ones that require a mix of numbers and letters - but even then, it's the same password with a couple of digits on the end!

DXR_13KE 5th December 2006, 12:34

that guy got pwnd!!! LOL
as for passwords.... i usually use passwords containing $ and & and other symbols, i even use some that are Portuguese keyboard specific :D, a small story like "MIKEDRINKSBEERLIKEHELL" and then a long number.... normaly a random mix between my phone numbers, my ID number, my school number and some random medicine barcode number, i use these on important sites..... but in other less important sites i use more simple ones.....

i really must get a password generator for my pen drive.... i think i am gonna make one.... :D

Almightyrastus 5th December 2006, 12:54

the vast majority of the sites that i have passworded access for only have a password because that site demanded i had one, hence i use the same (relatively low security) one for most things. There are a select few things that i use a much more secure one for such as private email, router password, banking , that sort of thing but most things are just not important enough to have a decent secure password on.

mikeuk2004 5th December 2006, 13:00

Im not commenting about my password combinations etc as you dont know whos reading this and knows where your computer is :) You guys should stop saying you use the same password for everything or you use $ and & in etc as your making it easier for them.

DXR_13KE 5th December 2006, 13:25

mikeuk2004 what if i am lying?..... :p

antiHero 5th December 2006, 13:47

I have actually only 2 places where i us the same name and password. It used to be everywhere, but after one game account of mine got hacked i changed it. Now my brain is cluttered with logins and passwords :(
But if you find a system to link the login&password in your head its kinda easy.

tuteja1986 5th December 2006, 14:41

My steam account has been hijacked twice ;( ... i reclaimed it twice but both time i log with new password , i always see some tards on the friends list. People i never added or don't who they are.

Dr. Strangelove 5th December 2006, 14:43

Quote:

Originally Posted by riggs
Yup, I pretty much use the same password for every site...apart from ones that require a mix of numbers and letters - but even then, it's the same password with a couple of digits on the end!

you are not alone

MrWillyWonka 5th December 2006, 14:50

I do use the same password for sites I trust, however my email passwords are different. I also use a different password for sites that aren't important or that I don't trust.

Antihero, what sort of system? I'm not good at remembering passwords so try to avoid having too many!

Aankhen 5th December 2006, 22:14

That link was hilarious. :)

As for passwords... I use AI RoboForm. It manages all my passwords and also has a built-in, customizable password generator.

lepre 5th December 2006, 22:26

if you want to generate some random pwd check here:
http://www.safepasswd.com/
maybe not perfectly secure but you get a chance to remember it too..

Jodiuh 5th December 2006, 22:56

http://www.winguides.com/security/password.php

http://img.photobucket.com/albums/v212/jodiuh/pass.jpg

customh 6th December 2006, 23:02

Quote:

Originally Posted by Aankhen
That link was hilarious. :)

As for passwords... I use AI RoboForm. It manages all my passwords and also has a built-in, customizable password generator.

What's everyone think of this roboform?

Aankhen 7th December 2006, 00:36

Quote:

Originally Posted by customh
What's everyone think of this roboform?

Before anything else, let me point out that it's not free: it's $29.95. That said, a bit more information about it...

Your passcards (i.e. username/password combinations) are encrypted using DES, 3DES, AES, Blowfish or RC6 encryption, depending on what you choose.
It has the concept of "Identities", so you can save multiple profiles with real or bogus addresses, etc. and then fill them in automatically as you need.
It has "Safenotes", which are basically encrypted snippets of text.
You can choose to password protect passcards, identities and Safenotes idependent of each other.
You can have a dual-password (Employee/Supervisor) setup. I'm not sure how that works, though, only that it exists.
It works with HTTP Basic Authentication, so that's a big relief to me; I hadn't found any other program that does.

I think that's the laundry list of features. You can download it and use it without paying, but there's a limit on the number of passcards (10, I think) and identities (one, if I recall correctly).

I've been using RoboForm for a few years now, and I would certainly recommend it to anyone who asked. Then again, I'm not a security expert. I dunno how much of it is just marketing.

They also have something called RoboForm2Go, which is basically RoboForm on a USB disk; you don't save your passwords on the PC but on the disk, and RoboForm is automatically installed on the disk, and password-protected. I haven't used it personally, yet, although I've been thinking about it for a while.

Pegasus 8th December 2006, 06:38

This whole issue makes me think of the wisest security advice I have ever had: "just because you are paranoid - does not necessarily mean that you are wrong"!

I find that there are levels of how serious it is for me to have my identity stolen, so many sites I just use the "remeber me" option.

Where as with my eBay, PayPal accounts etc. it would hurt much more if they were broken into.

Either way, I NEVER use the same password on more than one site, and have used an encrypted and tree structured program for years to store my vital information about everything. Something like the roboform, only there is NO automatic filling in of usernames and passwords! It will be copy and paste EVERY time.

The tree structure of the program has also been good to sort the levels of seriousness of identity theft. And it can also be used to store all matters of other good information, like info about you car, computer, dog, bike, credit cards, key health info and much, much more.

Just google for password programs if you need something to help you store your username/password combinations.