/* Menu creation problem '1959-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1959-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1959-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1959-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1959-475', Bok=0, Snm=0, Omen=) */ /* Menu creation problem '1959-475', Bok=0, Snm=0, Omen=) */
Contact us
Let us put you in the driving seat of your new Web Site

Putting technology in ITs place:
Business and People first!

Click on link to rightWhy Business before Technology
Call us now
Maintain your own site
Click on link to rightSelf Maintenance Sites
[Home]   [Site Map]   [Privacy]   [Toggle Print]   [Contact]   [Bottom of Page]

Passwords you should NOT USE on physically insecure devices - PIDs

This guidance is for anyone who stores passwords but in particular when they use a password on a device which could be accessed by a thief. Also see Passwords - best practices as that page covers the use of passwords on web sites.

Any device (hardware or software) which protects access to it's contents by use of a password has to have both (#1) the data to check your password against AND (#2) the algorithm by which it does that check. If a thief can even momentarily make a copy of #1 you could be seriously compromised because #2 is often publically known and in some cases easy to crack! Even worse is that is if they have copied rather than stolen your device then you will probably be unaware you have been compromised and the thief will have plenty of time to create a plan to extract the absolute maximum cash and other assets from every aspect of your life!

This means that you must never use passwords on these devices that are common in any way with other passwords - especially those which are protecting more important assets such as your bank account, credit card or financial investments.

  • The most important aspect of managing passwords is to treat them in categories according to their value or risk/consequences to you - the lowest level can be throwaway in almost all respects and that is that every level is distinct from all others and cannot act as a 'set of ladders' for a thief to ascend. If you use the same or similar passwords for banking as you do for small retail stores on the web then you have given the thief an escalator when you thought you were playing "Snakes and Ladders".
  • PIDs are very varied in all respects so it makes sense to highlight the characteristics of some popular specifics as well as categories of device:
    • PCs (inc. Laptops!) running Windows XP - a thief can normally discover passwords up to 14 characters in length within 5-20 minutes by booting your PC with a downloadable CD

      The above step is not usually necessary as most home PCs have no password for the accounts and the latter are all 'Admin' users which leaves the rest of XP widely exposed too.

    • When logged-on to Windows XP passwords can be displayed and downloaded to a pen drive in less than 10 seconds if the thief has automated the process - 30-45 seconds if they have to do so manually.
    • Mobile 'phones
    • Routers are the devices which link your PCs to the Broadband cable (BT or Virgin) and nowadays are almost all Wireless enabled. They actualy have THREE passwords stored inside them and it is important that they are all set and that they are each unique, difficult to hack and available to those people who are authorised - e.g. WiFi passwords which might be used by visiting relatives.
    • Wr
    • Wr
    • Wr
  • Wr
  • Wr
  • Wr
  • Wr
  • Wr
    • where there is more than one (and unrelated!) sentence - if you need to make a record a reminder then record them separately and ideally on separate media / location - paper in your fire-safe at home combined with an obfuscated text on your mobile would be OK for a low-medium risk password. Add a third location (+ maybe media) for high risk passwords.
    • which very, very few people would know - obviously NOT lyrics, quotations etc.. Think laterally - a sentence could be WHAT you WANTED to SAY to your BOSS at the Christmas party LAST YEAR! Don't even THINK of using what you want to say to them THIS YEAR because it will have gone through your mind dozens of time before then and 'accidents do happen'
    • ideally each sentence would not exist anywhere on the Internet! However, when checking this (using "Google with quotes") you must not research more than one sentence at the same PC and certainly not in the same week as your search query strings are logged and it is just conceivable that a hacker could target this data as a source for a new dictionary!
  • To add some complexity AND length to the above you also need a SIMPE set of rules - ONE FOR EACH LEVEL and VERY DISTINCT which insert odd characters into the password and IDEALLY make them broadly unique to the web site you are visiting.

    But as stated above, for the latest best practice on this topic visit: http://bb4t.co.uk/Page/bestppp

This page © Business before Technology 2008-9 - see the respective sites of the owners for their copyright as well as terms and conditions

Links and other information last validated on 22nd May 2009. Please use the Contact us page to suggest any additions or revisions.

Like the site?

Site Construction by usiness
before Technology
Click on link to rightClick here
[Top of Page]   [Home]   [Site Map]   [Toggle Print]   [Privacy]   [Contact]

© Business before Technology - All Rights Reserved 2003

Business before Technology Limited, Company number: 4969011.
151 Chester Road, Norbury Moor, Hazel Grove, Cheshire SK7 6HD
*¹¹ Note that calls to 0844 884 2244*¹¹ will cost 7p per a minute, your telephone provider (including mobile providers) may add an additional access charge.
23May15: Suppress Msg2U when cannot analyse/react to them 0 or 0 or SoLL /home/sa4ssu/public_html/cgi-bin/LLsHere.

News and Information

Your access to this site:

We will attempt to give you perfect access to this site but this may be impaired by the fact that as far as we can tell you are either:
  • Accessing the Internet from behind a FireWall (Personal or Company) which is disabling cookies OR
  • You have made a technical change to your browser in that you have disabled cookies - perhaps only for this site.

If this was unintentional and you can enable temporary (session) cookies there is a brief description at the bottom of the page. If you don't understand a word of this gobble-D-guk or you don't want to!: leave everything as-is and report any problems via the `LinkTSNo_Cookie_pagenoc1'>Technical feedback facility.

For the technical user

We attempt to set 2 temporary cookies at each interaction you have with this site. The names and typical values are:

NaviSessID=12345 and NaviLastID=erTh1J68SnkK0

The fact they are temporary means that when you close down your browser they will simply disappear. For the paranoic - they are not even written to the cookie folder.

The purpose of these two cookies is to allow you to navigate our site across what is a "connectionless" Internet with security and privacy appropriate to the content and usage of the site.

This notice will disappear from the end of the site Web pages when you have interacted with the site 3-4 times - more than once just in case you miss it at the end of the Home Page.

The only downside that we cannot avoid is caused by us putting the same information in the "Location" or "Address" area towards the top of your browser. You will notice that even though you visit pages more than once that your browser will not recognise them as "visited" because this address changes with each interaction.

Changing browser settings
  • NetScape: Edit->Preferences & select the Advanced Tab (not one of the sub-options). You only need to set cookies that are sent back to their own site but we would recommend that you do not select the 'prompt' option as this will cause an irritating pop-up at each interaction.

  • MicroSoft IE: click on Tools->Internet Options & select Security Tab.

    You could select Local Internet, then Advanced and then add our site address. This assumes that you have got cookies enabled for that zone.

    Another option would be change the "Custom level" for the zone that we are currently in - the Setting to be changed is called "Allow per-session cookies (not stored)" - select Enable then OK)

News and Information