Is Your Password Up To The Challenge?

Setting passcodes on mobile devices is the most basic security requirement for any mobile device to be allowed into a work environment. But unfortunately, this frontline of defence is all too often penetrable.

First, let’s look at user error. Forgetting your passwords is the new version of forgetting your house keys or wallet. It’s hard to remember the countless passwords we have for our online accounts across personal accounts, work accounts, finances, etc.. So it’s no wonder some people sacrifice security for ease and write them down on paper, use the same password across all accounts or use a password like ‘password.’

One of the most concerning practices we’ve heard of, however, is storing your passwords in your mobile contacts. Many think that by storing passwords as contacts that it’s “hiding” them.

This tactic sets off big security red flags. Many people do not realise that a broad range of legitimate apps on your phone can access your contacts. These include everything from social networks to health apps with many using them to help find friends or invite new people to the service. While the intentions are good, you might wind up sharing all of your passwords with the developers of the apps on your phone. The end result leaves you unsure of how your passwords are being stored, who has access to them, and if the systems they’re living on are protected from attack.

It would be wrong to just point to ‘user error.’ The cards are often stacked high against the individual or the company, as passwords are often the gateway target for a tenacious attacker.

This summer, we at Lookout performed a hack on the Tesla Model S, in order to demonstrate the need for security best practices with connected devices. Unsurprisingly, passwords were one of the weak points in our hack. We used a brute-force attack, a common approach to try guess repeatedly for the password and then check them against an available cryptographic hash of the password, in order to crack the Tesla’s weak passwords. Once we were able to get through passwords, we were able to access and control much more in the car.

Of course, no system is perfectly secure and any time you store data online, you run the risk of losing that data. However, the benefit of storing your passwords in a purpose-built managed service such as 1Password or LastPass hugely outweighs the risk of storing them in your contacts.

Below are some tips on keeping your data safe and ensuring your passwords are up to this challenge:

Specific to mobile phones:

  • Simple but necessary – make sure your phone has a password-protected lock-screen. Using an alphanumeric password is the strongest approach on Android, but numeric PINs are better than nothing
  • Say yes to two-step authentication if it’s offered. Many mobile banking websites or apps will send a code to your mobile phone that is then entered when you access the account or app
  • Set your phone to automatically lock if it is idle for a few minutes
  • Encrypt the data on your phone so that it’s protected from snooping when powered off. iOS devices automatically encrypt and Android users can configure it in Settings

For passwords:

  • Use different email addresses for different accounts. Have a separate “junk” email address for spam or free sites which require a login
  • Don’t use dictionary terms unless you are stringing them together in some sort of unlikely phrase E.g. JennaSurfsHamBoatsForChristmas is much better than jenna123
  • The longer and more uncertain/uncommon the combination of letters, numbers and symbols, the more computational power needed to crack the password. Therefore, the most secure passwords are random but don’t have to be unmemorable
  • Thieves already account for simple letter / number substitutions, like using 3 instead of E, or $ instead of S. So P@$$w0rd is really no safer than writing it in the normal way

Gert-Jan Schenk is vice president of EMEA at Lookout

Are you a security pro? Try our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

View Comments

  • Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

    At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    Incidentally, biometrics are dependent on passwords in the real life. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. And, in a world with passwords killed dead , we have no safe sleep. Passwords will stay with us for long.

  • The article's most important advice about passwords is to make them long: The single most important factor for password strength is length. Of course, there's more to it, a password of a hundred a's or 1's or whatever is not very good, but without getting into the mathematics of entropy, just make the password long, at least 20 characters, more is better, and as noted, somewhat unpredictable or uncommon, rather than a well known phrase.

    As the comment by Hitoshi notes, recalling and associating them is a real problem. Use one really long strong password for a password manager that you manage, locally, NOT hosted by some online service (do you even know who the people are running that website? let alone how honest or competent they are? or if they will be acquired by some 'investor'?).

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

2 days ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

2 days ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

2 days ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

2 days ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

2 days ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

2 days ago