Text size:

  • Small
  • Normal
  • Large
Despite countless warnings, surveys suggest that about 80 per cent of the passwords we use are virtually hopeless.
Despite countless warnings, surveys suggest that about 80 per cent of the passwords we use are virtually hopeless.

Better passwords the key to safer cybersecurity

Once the preserve of spies and their masters, cryptology – the science of keeping secrets – now affects us all.

Once the preserve of spies and their masters, cryptology – the science of keeping secrets – now affects us all.

Hardly a week goes by without news that one government has been spying on another, or that hackers have broken into a website and made off with client data.

Earlier this month the crowdfunding site Kickstarter became the latest high-profile victim of hacking. Customer information including usernames, email and postal addresses were stolen.

The company insists no credit card data was accessed, and that the security breach has been rectified. Even so, it has advised its five million-plus users to change their passwords “as a precaution”.

All of which prompts the question: why can’t these supposedly tech-savvy companies keep our secrets secret?

Bluntly, the fault largely lies not with them, but with us. Despite countless warnings, surveys suggest that about 80 per cent of the passwords we use are virtually hopeless.

Last month, online security company SplashData announced that “123456” now topped its annual Worst Password list – having beaten that long-standing champ “password” into second place.

It’s hardly a secret why such pathetic passwords are so common: most of us just can’t be bothered to devise and memorise individual, secure passwords for all the sites we access.

This highlights one of the enduring challenges of real-life cryptology: the compromise between security and convenience. And it’s one that a UAE-based cryptologist is trying to tackle. Dr Ziyad Al Salloum, of ZSS Research, Ras Al Khaimah, thinks the answer lies in pictures rather than words.

We all know we’re supposed to pick passwords made from long, complex character strings, such as 45Gh6%7hUklR9#3. With more permutations than there are particles in the universe, such a password is all but impossible to break.

But such passwords are also incredibly hard for humans to remember, and even cryptologists accept that for that reason they are never going to be widely used.

That’s led them to turn to a neat mathematical trick to make even “123456” a bit harder to break.

In school maths, we learn how to “undo” the operation of multiplication by using the reverse process of division. In the mid-1970s, cryptologists began investigating a means of keeping passwords secret using operations that are very hard to reverse.

They focused on so-called “hash functions” – ways of scrambling long strings of characters that can’t easily be reversed.

The idea was that companies would then store not the client passwords themselves, but only the scrambled versions.

Every time a user typed in a password, it would be scrambled according to the mathematical recipe and the outcome checked against the list of scrambled versions held by the company, which would have no idea what the original password actually is.

That solves the problem of both company insiders or outside hackers getting access to the original passwords – as the hashing process is very hard to undo.

Or at least, that was the theory. Like most clever ideas in cryptology, however, it quickly fell victim to the ingenuity of code-breakers. They found a neat trick for undermining the hashing process, called a dictionary attack.

This involves compiling a “dictionary” of the hashed version of likely passwords, and looking for these in the stolen records. As the same characters always produce the same hashed versions, the dictionary would then reveal the original password.

The cryptologists hit back by adding a long random number to every password before it gets hashed. Known as “salting”, this hides the connection between the password and the hashed version, preventing dictionary attacks.

This is the basic method used by many commercial companies – including Kickstarter – to keep client passwords safe.

Even with this extra security, clients using weak passwords are still much more vulnerable than others. That’s because hackers start with simple passwords, and then focus on removing the random number “salt” to see if they’re right.

So what can be done to get everyone to use better passwords? Making complex ones more memorable would be a start.

And that’s the approach being taken by Dr Al Salloum. He is developing a source of unguessable passwords based on the fact that we remember places far better than random character strings.

The idea is very simple: instead of picking passwords, we pick a place in the world that means something to us from an online atlas similar to Google Maps. Divided up into a grid of hundreds of billions of squares, this “password atlas” allows the location of our special place to be turned into a very long number-string. This can then be added to a long random number “salt”, and the combination converted via a hash function into a very secure password string. All we have to remember is the location – a building, say, or road junction – that we chose.

Describing his method in the current issue of the International Journal of Signal and Imaging Systems Engineering, Dr Al Salloum says it’s far more resistant to standard hacking techniques used to turn hash strings back into passwords.

Perhaps so, but it’s unclear whether it will stop people swapping their guessable passwords like “123456” for images of guessable locations like the Eiffel Tower or the Burj Khalifa.

And even if it does, you can be sure the hackers will find a way around it eventually. Cryptologists know they’re locked in a Darwinian war for supremacy that’s not going to stop any time soon.

In the meantime, there’s a trick anyone can use to create better passwords: use pass-phrases instead.

Think of a simple phrase – such as “Brad Pitt was born in Oklahoma in 1963” – and take the initials of each word, plus the number: “BPwbiOi1963”.

The result is not utterly unbreakable, but it’s easy to remember – and it’ll keep hackers out of your account for longer than it takes to type “123456”.

Robert Matthews is visiting reader in science at Aston University, Birmingham

Back to the top

More articles


Editor's Picks

 Marina Square apartments Reem Island: Q1 2% rise. Studio - Dh65-68,000. 1BR - Dh75-95,000. 2BR - Dh110-145,000. 3BR - Dh170-190,000. Q1 2013-Q1 2014 no change. Sammy Dallal / The National

In pictures: Where Abu Dhabi rents have risen and fallen, Q1 2014

Find out how rental prices in the prime locations in Abu Dhabi have altered during the first three months of the year and the current rates you will pay according to data provided by Asteco.

 A model of the plans for Saadiyat Island’s Cultural District, which was on display at the Global Cityscape exhibition at Dubai International Convention and Exhibition Centre last year. Ali Haider / EPA

Building the future on Abu Dhabi’s Saadiyat Island

Nick Leech meets Jassim Al Hammadi, the engineer charged with providing the services that will make the Saadiyat Cultural District tick.

 Business class seats inside the Emirates Airbus A380. Chip East / Reuters

In it for the long haul: flying 16 hours with Emirates to LA

Our executive travel reviewer tries out the business class offering on Emirates' longest A380 route - and finds time passing quickly.

 Ashish Nehra of Chennai Super Kings bowls to Kings XI Punjab at Zayed Cricket Stadium in Abu Dhabi. Ravindranath K / The National

Hard-hitting Chennai not deterred by opening loss in IPL

But some questions remain about the team's attack ahead of Monday's match against Delhi Daredevils in Abu Dhabi, writes Osman Samiuddin.

 From left: Alex Ritman, his favorite waiter and friend Andy Tillett at Baithal Ravi in 2009. Courtesy Alex Ritman

Lamenting Bur Dubai’s Baithal Ravi Restaurant

When I heard that a fire had ripped through the restaurant known as Ravis in the Bur Dubai district of Dubai, my outburst was met with echoed monosyllabic despair among numerous friends on social media.

 Screen shot from Vin Deisel's facebook page of he and Michelle Rodriguez in Abu Dhabi for the filming of Fast & Furious 7. April 2014

Fast & Furious in Abu Dhabi, a social media frenzy

Fast & Furious 7 wraps up an eventful and much-anticipated week of filming in the capital. Let's take a look at what went on via the key players' social media, while they were enjoying the delights of the desert.

Events

To add your event to The National listings, click here

Get the most from The National