Is Your Password Up To The Challenge?

Setting passcodes on mobile devices is the most basic security requirement for any mobile device to be allowed into a work environment. But unfortunately, this frontline of defence is all too often penetrable.

First, let’s look at user error. Forgetting your passwords is the new version of forgetting your house keys or wallet. It’s hard to remember the countless passwords we have for our online accounts across personal accounts, work accounts, finances, etc.. So it’s no wonder some people sacrifice security for ease and write them down on paper, use the same password across all accounts or use a password like ‘password.’

One of the most concerning practices we’ve heard of, however, is storing your passwords in your mobile contacts. Many think that by storing passwords as contacts that it’s “hiding” them.

This tactic sets off big security red flags. Many people do not realise that a broad range of legitimate apps on your phone can access your contacts. These include everything from social networks to health apps with many using them to help find friends or invite new people to the service. While the intentions are good, you might wind up sharing all of your passwords with the developers of the apps on your phone. The end result leaves you unsure of how your passwords are being stored, who has access to them, and if the systems they’re living on are protected from attack.

It would be wrong to just point to ‘user error.’ The cards are often stacked high against the individual or the company, as passwords are often the gateway target for a tenacious attacker.

This summer, we at Lookout performed a hack on the Tesla Model S, in order to demonstrate the need for security best practices with connected devices. Unsurprisingly, passwords were one of the weak points in our hack. We used a brute-force attack, a common approach to try guess repeatedly for the password and then check them against an available cryptographic hash of the password, in order to crack the Tesla’s weak passwords. Once we were able to get through passwords, we were able to access and control much more in the car.

Of course, no system is perfectly secure and any time you store data online, you run the risk of losing that data. However, the benefit of storing your passwords in a purpose-built managed service such as 1Password or LastPass hugely outweighs the risk of storing them in your contacts.

Below are some tips on keeping your data safe and ensuring your passwords are up to this challenge:

Specific to mobile phones:

• Simple but necessary – make sure your phone has a password-protected lock-screen. Using an alphanumeric password is the strongest approach on Android, but numeric PINs are better than nothing
• Say yes to two-step authentication if it’s offered. Many mobile banking websites or apps will send a code to your mobile phone that is then entered when you access the account or app
• Set your phone to automatically lock if it is idle for a few minutes
• Encrypt the data on your phone so that it’s protected from snooping when powered off. iOS devices automatically encrypt and Android users can configure it in Settings

For passwords:

• Use different email addresses for different accounts. Have a separate “junk” email address for spam or free sites which require a login
• Don’t use dictionary terms unless you are stringing them together in some sort of unlikely phrase E.g. JennaSurfsHamBoatsForChristmas is much better than jenna123
• The longer and more uncertain/uncommon the combination of letters, numbers and symbols, the more computational power needed to crack the password. Therefore, the most secure passwords are random but don’t have to be unmemorable
• Thieves already account for simple letter / number substitutions, like using 3 instead of E, or $ instead of S. So P@$$w0rd is really no safer than writing it in the normal way

Gert-Jan Schenk is vice president of EMEA at Lookout

Are you a security pro? Try our quiz!