Everything we do seems to require a password. They are the gateway to the online world. And yet, given that they are also the access points for bank accounts, personal details, and private correspondence, we probably don’t treat passwords with the seriousness they deserve.
Most people’s choice of password is determined by how easily they can remember it, rather than by the level of security it provides. But, in terms of priorities, that’s not really what passwords are about. When they’re used like this, or viewed just as an obstructive step to access a website, they’re hardly serving as the security measure they are primarily designed to be.
The problem with easy-to-remember passwords is that if they’re easy for a person to remember, they probably have some fairly obvious association with that person: the names of their children, dates of birth, or the address where they live or work. Therefore, if someone wanted to crack their password, it would only take a little research and a few educated guesses.
Too often, passwords are predictable and relatively easy to work out.
When we’re asked to put a number in the password, most of us probably use the same number. When we’re asked to put a special character in the password, most of us probably use the same special character.
On the whole, we’re just not very creative or imaginative.
The fact that many organisations have slightly different permissible options for selecting a password (certain things we have to include; certain things which are inadmissible) means that we will be obliged to vary our passwords slightly. That’s great for improving security, as it stops us from using the same password every time, but it also means we just won’t be able to remember them all. So what do we do? More often than not, we write them in a “password book” that we keep by the computer.
Again, it’s that desire for ease rather than any thoughts of security.
The current crime trend of thieves breaking into a house to steal a set of car keys so that they can take a car without damaging it will one day be surpassed by thieves breaking into a house to steal “password books”. That could be far more useful, far more profitable.
But what else can we do? If we don’t write it down, then we’ll forget it.
Sometimes, when visiting a new site, we are asked for a password and enter our choice. How many times have you then said to yourself, “I’ll remember that; I don’t need to write it down”? How many times, on later occasions, have you then had to have recourse to the “Forgotten Password” button?
On a more positive note, even if our password is guessable, the chances of us being targeted by a hacker are slim: there are so many people in the world that, in all likelihood, there will be both more attractive and more lucrative opportunities. Secondly, there probably aren’t that many cyber-criminals out there. It’s a criminal activity that has certain barriers to entry – the need for a computer and the need for some basic IT know-how.
That will deter many start-up hackers – shoplifting is a much easier crime to commit.
When we start thinking about the quality of our password, we begin to question its security. How secure is it? Could somebody work it out? Suddenly, we are filled with doubt about it, and we will feel the need to change it.
In terms of password security, we should ensure we use different passwords for different sites. It’s a case of damage limitation. If one of our passwords is compromised, then its impact is limited. It’s a problem, but it’s not necessarily a major problem. It doesn’t bring down our entire online presence.
Ideally, we should also change our passwords regularly. Hmmm… that’s something that probably doesn’t happen unless we work in an organisation that insists on periodic changes to passwords.
As with most crimes, we tend to take it seriously only when we are victims. Always after the horse has bolted! Too often, we get by on an “it won’t happen to me” attitude. Instead, we should be aware of the risk and ensure we have effective password security in place – a secure password rather than one that is just easy to remember.

