Comment: How secure are your passwords?

The number of online accounts we have today makes it very difficult to remember a unique password for each
The number of online accounts we have today makes it very difficult to remember a unique password for each
David Emm, Kaspersky Lab
David Emm, Kaspersky Lab

Notwithstanding the technical nature of today’s malware, cybercriminals often start by trying to exploit human weaknesses as a way of spreading their programmes. This should come as no surprise. Humans are typically the weakest link in any security system.

Securing a house is one example: you can have the finest burglar alarm in the world, but if you don’t set it, then it offers no protection at all. The same is true for online security.

Cybercriminals continue to make extensive use of social engineering (i.e., they try and trick people into doing something they shouldn’t do). Phishing scams, for example, are designed to lure people to a fake website to disclose their personal information, such as usernames, passwords, PINs and any other information that cybercriminals can use.

The classic phishing scam takes the form of a speculative email or IM spammed to millions of addresses in the hope that enough people will fall for the scam and click on the link. Just like pickpockets, cybercriminals follow the crowds: they target the many social networking sites that increasing numbers of us flock to these days.

One of the problems with social engineering-based attacks is that they form a moving target; that is, successive scams never look quite the same. This makes it difficult for individuals to know what’s safe and what’s unsafe. However, people aren’t only susceptible due to a lack of awareness. Sometimes the lure of free audio or video content – or naked pictures of the latest celebrity – can entice people into clicking on a link that should simply be ignored.

Sometimes people cut corners to make their lives easier and simply don’t understand the security implications. This is true of passwords. More and more business is being done online, so it’s not uncommon to have 10, 20 or more online accounts. And this makes it very difficult to remember (or even choose) a unique password for each account.

The temptation is to use the same password for each account, or to use something like a child’s, spouse’s, or location’s name that has personal significance and is therefore easy to remember. Another common approach is to recycle passwords, perhaps using ‘myname1’, ‘myname2’, ‘myname3’ and so on for successive accounts.

Using any of these approaches increases the likelihood of a cybercriminal cracking the password. It also means that if one account is compromised, a cybercriminal may get easy access to other accounts. Unfortunately, this risk isn’t obvious to non-technical staff or members of the general public. And even when they’re made aware of the potential danger, they don’t see a feasible alternative, since they can’t possibly remember all of those passwords.

So how can you create a secure password that’s easy to remember but distinct from all the others you use?

One solution is to use the name of the online resource as the core of your password, then mix it up by applying the same four-step rule (or five, or six, depending on what you’re comfortable with). This may involve swapping certain characters, adding numbers, mixing uppercase and lowercase characters or adding non-alpha-numeric characters. This will create a unique password that’s hard to guess, but all you have to remember is the same four-step rule.

Let’s show how this might work by taking three fictional online resources:

We would then use ‘myshop’, ‘mybank’ and ‘mysocnet’ as the core of each password.

Let’s use the following as our simple four-step method:

  1. Capitalise the fourth character.
  2. Move the second to last character to the front.
  3. Add a number 1 after the second character.
  4. Add a semi-colon to the end.

This would result in the following passwords for each of the aforementioned fictional accounts:


They’re all unique. None of them is in the dictionary. They all mix upper- and lowercase characters, numeric characters and non-alpha-numeric characters. But all you have to do is remember is the same four-step rule each time.

An alternative solution is to start with a memorable phrase, let's say:

The quick brown fox jumps over the lazy dog

Then use the initial characters of each word to create the core of your password, in this case 'tqbfjotld'. Subsequently apply a similar four-step rule to mix things up:

  1. Capitalise the second character.
  2. Add a number 2 after the third character.
  3. Add a comma to the beginning.
  4. Put the last character of the online resource at the beginning.

For the three fictional online accounts previously provided, this would result in the following passwords:


Once again, the same four-step rule generates a unique password for each online account.

Unfortunately, cybercrime is here to stay. It’s both a product of the internet age and part of the overall crime landscape. So we can’t hope simply to ‘win the war’. Rather, we need to find ways to mitigate the risks associated with going online.

It is clear that legislation, law enforcement and technology all have a part to play in this. However, since many of today’s cyber attacks target human fallibility, it’s essential to find ways to patch these human vulnerabilities just as we strive to secure computing devices. The use of sensible passwords is a key part of this patching process.

David Emm works as a senior security researcher with the Global Research and Analysis Team at Kaspersky Lab. Emm has written numerous articles and white papers, provides media comment on the latest malware issues, and delivers presentations and training on malware-related matters. He has worked in the security industry for more than 20 years, including the last six at Kaspersky Lab. Before joining Kaspersky Lab, Emm worked at McAfee and Dr Solomon's Software.

What’s hot on Infosecurity Magazine?