Setting passcodes on mobile devices is the most basic security requirement for any mobile device to be allowed into a work environment. But unfortunately, this frontline of defence is all too often penetrable.
First, let’s look at user error. Forgetting your passwords is the new version of forgetting your house keys or wallet. It’s hard to remember the countless passwords we have for our online accounts across personal accounts, work accounts, finances, etc.. So it’s no wonder some people sacrifice security for ease and write them down on paper, use the same password across all accounts or use a password like ‘password.’
One of the most concerning practices we’ve heard of, however, is storing your passwords in your mobile contacts. Many think that by storing passwords as contacts that it’s “hiding” them.
This tactic sets off big security red flags. Many people do not realise that a broad range of legitimate apps on your phone can access your contacts. These include everything from social networks to health apps with many using them to help find friends or invite new people to the service. While the intentions are good, you might wind up sharing all of your passwords with the developers of the apps on your phone. The end result leaves you unsure of how your passwords are being stored, who has access to them, and if the systems they’re living on are protected from attack.
This summer, we at Lookout performed a hack on the Tesla Model S, in order to demonstrate the need for security best practices with connected devices. Unsurprisingly, passwords were one of the weak points in our hack. We used a brute-force attack, a common approach to try guess repeatedly for the password and then check them against an available cryptographic hash of the password, in order to crack the Tesla’s weak passwords. Once we were able to get through passwords, we were able to access and control much more in the car.
Of course, no system is perfectly secure and any time you store data online, you run the risk of losing that data. However, the benefit of storing your passwords in a purpose-built managed service such as 1Password or LastPass hugely outweighs the risk of storing them in your contacts.
Below are some tips on keeping your data safe and ensuring your passwords are up to this challenge:
Specific to mobile phones:
For passwords:
Gert-Jan Schenk is vice president of EMEA at Lookout
Are you a security pro? Try our quiz!
Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…
Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…
Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…
Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…
Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal
Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…
View Comments
Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.
At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Incidentally, biometrics are dependent on passwords in the real life. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. And, in a world with passwords killed dead , we have no safe sleep. Passwords will stay with us for long.
The article's most important advice about passwords is to make them long: The single most important factor for password strength is length. Of course, there's more to it, a password of a hundred a's or 1's or whatever is not very good, but without getting into the mathematics of entropy, just make the password long, at least 20 characters, more is better, and as noted, somewhat unpredictable or uncommon, rather than a well known phrase.
As the comment by Hitoshi notes, recalling and associating them is a real problem. Use one really long strong password for a password manager that you manage, locally, NOT hosted by some online service (do you even know who the people are running that website? let alone how honest or competent they are? or if they will be acquired by some 'investor'?).