I know your password
Odds are that I can guess your PIN in ten attempts.
It will be one of the following:
- “1234” – I can’t be bothered to think about my password
- “0000” – I can’t even be bothered to count
- “2580” – I can go down the key pad
- “1111” – I can count to one!
- “5555” – I’m very clever and can count to 5
- “5683” – I do txt spk. (work it out)
- “0852” – I do stuff vertically up
- “2222” – I can’t be bothered to move my fingers when I press keys
- “1212” – Testing testing 12 12
- “1998” – Yeah, I’m about 13 years old
Out of a sample of over 200,000 PINs collected by an iPhone application, nearly 9,000 used 1234 as their PIN for that application.
There are issues about the secret gathering of personal information, but that’s a different post. Also bear in mind that this was for an iPhone app, not a banking app or an ATM PIN, so users might have chosen simple numbers because they didn’t feel the need to secure the app. But there is probably a grain of truth in the general trend for the top ten PINs, as the author of the app made his password screen look like the iPhone’s own password screen.
Common numbers
When you take into account that certain ranges of numbers occurred regularly in the top 50, you quickly form the impression that many people don’t think much about their PINs. The most common range is 1990-1999, followed by 1980-1989, 2010-2011, 1970-1979 and then 2000-2009. Given the median age of iPhone users, this suggests that people often use their birth year as their PIN. Older users either use their own birth year or their children’s, which explains the 2000-2011 range.
So if you find a lost mobile phone, then given that 15% of all PINs are covered by just 10 different numbers, you’ve got a 1 in 7 chance of breaking into the phone. No wonder it was so easy for certain private investigators hired by journalists to break into the voicemail accounts of certain celebrities.
Now, if you do use one of the above PINs, don’t worry too much. So long as you don’t use the same PIN for every account, website and card, you’re not going to get your accounts cleared out.
Bear in mind that if you use the same password on Facebook, to log into your hobby forum and to access your work account, it won’t take much background information to work out your password. The advice here is to use a different password for each part of your life: your financial part, your personal family part, your hobbies and other interests, your work, etc. For certain aspects of your online life, use a unique password only used on that site. For instance, your Gmail password should be unique, because the information in your emails would be a gold mine to anyone who got in.
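As an added example (not the post’s own code), here is a defender-side screen, in Python, for the patterns the post describes: the top-ten list above, repeated or sequential digits, straight lines on the keypad, and the over-represented birth-year band. It also computes, over a constructed sample, the share of PINs an attacker covers with ten guesses, which is the point behind the 1 in 7 figure; the year band and the sample are assumptions.

```python
import re
from collections import Counter

# The post's top-ten list, copied from the article above.
TOP_TEN = {"1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"}

# Phone keypad coordinates, used to spot straight-line PINs such as 2580 / 0852.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
                       "0": (3, 1)}

def _is_keypad_line(pin):
    """True when every move between consecutive keys is the same non-zero (row, col) step."""
    coords = [KEYPAD[c] for c in pin]
    moves = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(coords, coords[1:])}
    return len(moves) == 1 and moves != {(0, 0)}

def weak_pin_reasons(pin, year_lo=1970, year_hi=2011):
    """Return why a 4-digit PIN is guessable; an empty list means it passes the screen.
    year_lo..year_hi is the birth-year band the post found over-represented
    (assumption: 2011 is the post's own year; a live policy would widen the band)."""
    if not re.fullmatch(r"\d{4}", pin):
        return ["not exactly four digits"]
    reasons = []
    if pin in TOP_TEN:
        reasons.append("in the post's top-ten list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    elif pin[:2] == pin[2:]:
        reasons.append("repeated pair")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if len(steps) == 1 and steps != {0}:
        reasons.append("constant-step run such as 1234 or 2468")
    if _is_keypad_line(pin):
        reasons.append("straight line on the keypad")
    if year_lo <= int(pin) <= year_hi:
        reasons.append("looks like a birth year")
    return reasons

def top_k_coverage(sample, attempts=10):
    """Fraction of observed PINs hit by trying only the `attempts` most common ones."""
    counts = Counter(sample)
    hits = sum(n for _, n in counts.most_common(attempts))
    return hits / len(sample)

# Constructed sample (not the article's data): 200 PINs skewed toward a few favourites.
SAMPLE = ["1234"] * 30 + ["0000"] * 10 + ["1998"] * 5 + [f"{n:04d}" for n in range(3000, 3155)]
```

`weak_pin_reasons("7391")` returns an empty list, while `top_k_coverage(SAMPLE)` comes out at 0.26: ten guesses cover about a quarter of this constructed sample.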
Create a complex password
To make a password that is really hard to guess, use the following guide.
Start with a sentence or two (about 10 words in total). Make it something meaningful to you. As a starter for ten, I’ll use the example “Long and complex passwords are safest. I keep mine safe.”
Turn the sentences into a row of letters using the first letter of each word. The phrase becomes “lacpasikms”. At this stage the password is usable on many unimportant websites.
Add a bit of complexity by changing the case of some of the letters. Either make the letters A-J lower case and the rest upper case, or make the odd letters of the alphabet (a, c, e, etc.) lower case and the rest upper case. It’s up to you. You can use this level of password on accounts like your work one.
Some sites insist on numbers and punctuation. Add the digits of a meaningful number and some punctuation symbols to either end of the password or in the middle. Your password is now “lACpAs56IKMs”. This should be secure enough for your banking apps.
Final advice
One final word of advice: keep your passwords on a piece of paper. Yep, that sounds counterproductive, but so long as the passwords are encoded in your own secret way, you can keep track of the umpteen dozen passwords modern life requires you to have.
Don’t give your password out to anyone; no bank will ever ask for it. If you forget your password and the website can send you your existing password rather than issuing a new one, don’t trust it: it means the site stores your password “in the clear” rather than as a one-way code derived from it.
Finally, learn to recognise phishing attempts and avoid them.
- July 6, 2011 at 12:40
Regarding celebrities’ phonemail, and also – especially – Milly Dowler’s, I’d put reasonable money on there not being a phonemail PIN at all. Most providers don’t make it a requirement, most users don’t understand the need, and certainly 13-year-olds have no interest whatever in security and regard such things as the merest nuisance.
- July 5, 2011 at 20:29
I use Password Safe on a USB key (backed up, to a secure location of course).
http://passwordsafe.sourceforge.net/
Fully encrypted, it can also generate you a strong password and copy it to your clipboard. Consequently I don’t have a clue what most of my passwords are.
- July 5, 2011 at 19:30
One memorable hard-to-crack password is your old historic address, with correct punctuation. “3 Woodbine Street, Oakham, Rutland.” is a good combination of letters (upper & lower case), numbers, and characters. But most important, it doesn’t need to be written down.
- July 5, 2011 at 19:06
Re – Picking a sentence for your password.
A useful tip for being able to remember the sentence is to think back over the last couple of days to something that was memorable. For example:
Someone passed wind on the train and it was a real stinker.
The daffodils came out early this year and the garden looked wonderful.
I tried to give the cat a belly rub and she scratched my arm to pieces.
- July 5, 2011 at 12:20
They’ll never guess the words I use
I think in Klingon when I choose
They may use geeks to try & hack
But uber-geeks will beat them back
The bathlev swings to strike them down
Then gorge on garcht & wear the crown
- July 5, 2011 at 11:16
IMO there’s no approach that will be foolproof.
One idea: don’t give real birthdays and identity details to the likes of Facebook.
Personally I like cash.
- July 5, 2011 at 11:03
The best advice I’ve come across regarding computer passwords lately is that, as a rule of thumb, if you can remember the password then it’s not secure enough, especially if you’re using it in more than one place. The article I saw that in recommended using password management/generation software to make lots of really random, long and un-memorisable passwords with mixed cases and non-alphanumerics, and creating one single longish, not quite random password that you can remember to access all the others. Unfortunately it also had a go at a lot of banking and commercial websites which don’t let users set long passwords, mix cases or use non-alphanumeric characters – facepalm.
This comment will not self destruct in ten seconds.
- July 5, 2011 at 11:09
The other thing with banking sites is their continued reliance on mother’s maiden name and other similar info as “secret” questions. Given the rise in popularity of genealogy, such details are very easily worked out.
- July 5, 2011 at 16:48
Yeah, which is why I tend to lie about such things and say things like my mother’s maiden name was Conclusion and my first pet was called Agamemnon. The trouble is that you have to remember which bit of bullshit you’ve used for what site. I need a bullshit security question plug-in for my password manager.
- July 5, 2011 at 18:12
‘The trouble is that you have to remember which bit of bullshit you’ve used for what site’
Not just me then!!!
- July 5, 2011 at 10:15
I don’t understand why UK cards do not have 6-figure PINs like Swiss cards. I do not know exactly how many times harder this makes it to crack, but it is substantial.
- July 5, 2011 at 18:36
The most common way for a bank card to be hacked is not by cracking the PIN, but by grabbing the PIN. 4 digits vs 6 digits makes little difference.
a) covert cameras at the ATM keypad & an ATM skimmer installed where the card is inserted
b) fake ATM machines
c) compromised chip & PIN machines:
– a dodgy retailer using a hacked chip & PIN machine
– a couple of years ago a batch of chip & PIN machines were compromised at the manufacturing plant
d) social engineering. A high proportion of people will voluntarily give their PIN to a complete stranger. For example – a marketing survey on the street, or a phone call: “Hi, this is your bank, we are doing a security check on your account, can you confirm what your PIN is please”
e) gun point/knife point
You are only allowed a limited number of PIN guesses before an ATM machine eats your card, or the card is blocked from chip & PIN machines. An attacker, after getting your card details, needs to guess your PIN in a limited number of tries and will try the obvious: phone PIN, DOB, 1234 etc. For a bank PIN, only use it for your bank card, and don’t make it obvious (list of PINs in this blog post, DOB etc).
Whereas a common method for guessing website passwords etc. is brute force (cracking), where billions of different passwords are guessed. Using brute force for a six-digit PIN takes about 5 minutes, and perhaps 2 minutes for a 4-digit PIN. I haven’t heard of a bank PIN being brute force attacked, which is why 4-digit PINs are good enough.
Hope that helps!
- July 5, 2011 at 09:51
This is good advice on passwords, but out of interest how do you reconcile such security with a bank PIN that uses only 4 numbers – no upper/lower or punctuation and only a choice of 10 symbols for each of the 4 numbers. Banks use this as the ID checkat the counter and with i tand the card one can walk into any branch and empty the account.
- July 5, 2011 at 18:07
“…checkat the counter and with i tand …”
Is that another example of txt spk?
- July 5, 2011 at 09:44
“Finally recognise phishing attempts and learn to avoid them.”
I find it quite amusing because my e-mail program is set to only read text and reject html formatting, so I see things like (your bank) which exposes the scam. The other thing that I find interesting is the number of compromised sites that are used by the scammers. One site I contacted found several thousand sets of details tucked away in an obscure directory (folder) on their server.
- July 5, 2011 at 09:49
In regards to the above, it just shows how things can be hidden with html.
The (your bank) when expanded reads ({//scam.com/hidden}your bank)
- July 5, 2011 at 09:20
You have worked out txt spk passwords?
Oh 3825 !
- July 5, 2011 at 09:14
“One final word of advice. Keep your passwords on a piece of paper. Yep, that sounds counter productive, but so long as the passwords are encoded in your own secret way then you can keep track of the umpteen dozens of passwords modern life requires you to have.”
Or purchase an encryption software application for your smartphone and keep all the passwords on it. Providing it is backed up to a PC, you can always hope to recover the information when you lose the phone, even if the replacement costs will be high. Unless of course both disappear in a burglary.
In other words you end up spending more and more time, effort and money protecting your access to computers that were supposed to save you time, effort and, er, money?
I sometimes feel as though the computer age is more a curse than a blessing; am I alone in that?