By Andy McCue, 11 August 2004 12:00
Despite increased awareness about the need for secure passwords, internet users are still leaving themselves vulnerable to hackers by choosing easy-to-guess subjects such as their cat's or partner's name.
Over three-quarters choose passwords relating to friends, family and memorable dates, according to research into 1,000 internet users by Visa Europe.
The favourites are nicknames (21 per cent), birthdays and anniversaries (15 per cent), pet names (15 per cent), family members' names (14 per cent) and memorable dates such as the Battle of Hastings and England's World Cup victory (seven per cent). Thankfully very few people (two per cent) use 'password' as their password.
All of those are details that basic social engineering techniques would uncover relatively quickly. To make matters worse, a third of respondents said they use the same password for all their log-ins, while a quarter use it nearly all or most of the time.
But the message about choosing hard-to-guess passwords does seem to be getting through to some people, with 22 per cent opting for random letters. And it's the silver surfers who are leading the way, with almost a third of over-60s using random letters and numbers, compared to the under-30s, who prefer nicknames.
Hugo Bottelier, VP at Visa Europe, said in a statement: "It is not surprising that loved ones and pet names top the most popular list as often people struggle to remember random characters or designated log-in codes and opt to choose their own. Of course, it is important that our passwords are personal and meaningful to us, but also that they are difficult to decipher and not easily guessed."
Visa's tips on choosing secure passwords include: avoid using words that appear in the dictionary, which can be cracked by hacker tools; try not to use any personal information, as it can be inferred or guessed; don't write the password down and leave it by your credit card or PC; and try to use random letters, numbers and punctuation.
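As an added illustration (not from the article or from Visa), a small Python check that applies those tips to a candidate password: it looks for dictionary words (including the p@ssw0rd-style substitutions cracking tools undo), for personal details such as a pet name or a birthday in any of its digit forms, for missing character classes, and for reuse across log-ins. The word list, the minimum length and the sample inputs are constructed here for the example.

```python
import re
import string

# Constructed stand-in for a cracking word list; a real check loads a full dictionary.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "football", "monkey", "hastings"}
# Common substitutions that cracking tools undo before a dictionary match.
LEET = str.maketrans("@01$3", "aoise")
MIN_LENGTH = 8  # assumed threshold; the article does not give one


def _personal_forms(detail):
    """Normalised forms of one personal detail (name, date) to look for in a password."""
    norm = re.sub(r"[^a-z0-9]", "", detail.lower())
    forms = {norm} if len(norm) >= 3 else set()
    digits = re.sub(r"\D", "", detail)
    # a date such as 14/06/1966 leaks as 1406, 1966 ...: take every 4-digit window
    forms.update(digits[i:i + 4] for i in range(len(digits) - 3))
    return forms


def check_password(password, personal_details=(), previous=()):
    """Return the list of tips the candidate breaks; an empty list means it passes."""
    problems = []
    lower = password.lower()
    candidates = {lower,
                  re.sub(r"[^a-z]", "", lower),                  # strip digits/punctuation
                  re.sub(r"[^a-z]", "", lower.translate(LEET))}  # undo p@ssw0rd-style tricks
    if candidates & DICTIONARY:
        problems.append("dictionary word")
    pw_norm = re.sub(r"[^a-z0-9]", "", lower)
    for detail in personal_details:
        if any(form in pw_norm for form in _personal_forms(detail)):
            problems.append(f"contains personal detail: {detail}")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three of lower-case/upper-case/digits/punctuation")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password in previous:
        problems.append("reused from another log-in")
    return problems


if __name__ == "__main__":
    details = ["Tibbles", "14/06/1966"]  # constructed pet name and birthday
    for pw in ["tibbles", "Tibbles1966!", "p@ssw0rd", "Qr7$kL2!pZ"]:
        print(pw, "->", check_password(pw, details) or "OK")
```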
In a separate announcement, the UK's Chip and PIN organisation has started a campaign to help people memorise their PINs. With chip and PIN, credit and debit card holders will need to remember their four-digit PIN - the same number they would use to withdraw money at a cash machine - to verify purchases at the point of sale.
A guide with tips and memory tricks such as linking numbers with memorable images is available from the chip and PIN website.
More than 41 per cent of UK cardholders had been issued with a chip and PIN card by the end of May 2004 and major retailers including Dixons, Wilkinsons, Asda and Tesco are currently making the upgrade in stores across the country.
Comments
There are 11 comments.
1. James Aldrick
Silver Surfers are probably using things like old CO-OP dividend ID.
2. Neil Thatcher
I feel that I lead a fairly average life as far as my need for passwords and PIN numbers goes. A quick tot-up of the number of passwords and PIN numbers that I use on a daily basis gave me a total of 12. There are probably another half dozen which I use occasionally.
If I follow the advice these must all be a sequence of random numbers and letters, I must not use any one password for more than one log-in and I am not allowed to write these passwords down.
In the unlikely event that I could remember over a dozen random letter and number sequences the chances of me remembering which sequence I should use for which log-in are nil.
Of course people use easy to remember passwords and use the same password for more than one function. A password is of no use if it can't be remembered.
Perhaps your story should not have focussed on people being so stupid that they use passwords that they can actually remember but rather on the underlying problem of the reliance on such a basic technology as passwords for security in a society that now demands secure access for such a variety of activities.
3. Steve Miller
The last comment is spot on - I use a random alphanumeric password with a series of additional characters for each application, but this can be hard to remember. There's no way I could use completely separate passwords for each system. What should be happening far more quickly is the widespread adoption of biometrics.
4. trudy meow
It's easy to use random letters and numbers for passwords. But to have different random passwords (which should be changed once in a while to ensure security) for different accounts, and not noting them down anywhere, I think my memory is just not good enough to handle that.
5. Joost Helberg
What's the percentage of users who refused to answer questions about their password? These are the responsible internet users. Anyone cooperating in this investigation is leaking information about their password, silly thing to do.
6. David Hare
If using your cat's name is a security risk, then Trudy should consider a different name, never mind a new password.
7. anonymous
What about car registration numbers?
It doesn't even have to be yours!
8. anonymous
What about USB two factor token authentication for security and password management? Store all your passwords encrypted on the USB eToken and only remember the token password?
9. Col
I use a sentence/limerick/verse of a song etc. and type in the 1st character of each word, thus the password is not a real word, but you do have a way of remembering it easily.
10. anonymous
What do you mean? What have Cats got to do with anything?
11. Martin Lukes
Maybe it's me, but unless most cats are called Tibbles, Puss or, God forbid, Kitty, then knowing someone's cat's name seems to imply the "hunter" is pretty close to the "target" password owner (or in this case, authorised keeper).
"Close" as in well-known to, family of, co-worker with - once again, not the ultra-sophisticated James Bond style gang of international fraudsters we are encouraged to believe are behind this kind of fraud (and in fact, everything else nowadays). If we faced this fact - lots of people you know may be crooks if they feel they can get away with it - then we might get a bit less paranoid about the hidden menace and start being a bit more realistic about the need for security. Like outing them when we catch them doing it and stopping fantasising about criminal networks.