Passwords you should NOT USE on physically insecure devices - PIDs

This guidance is for anyone who stores passwords, but in particular for anyone who uses a password on a device which could be accessed by a thief. Also see Passwords - best practices, as that page covers the use of passwords on web sites.

Any device (hardware or software) which protects access to its contents with a password has to hold both (#1) the data against which your password is checked AND (#2) the algorithm by which it does that check. If a thief can even momentarily make a copy of #1 you could be seriously compromised, because #2 is usually publicly known and in some cases easy to crack: with a copy of #1 the thief can try candidate passwords offline on their own machine, at their own pace, and nothing on your device will slow them down or lock them out. Even worse, if they have copied rather than stolen your device you will probably be unaware that you have been compromised, and the thief will have plenty of time to plan how to extract the maximum cash and other assets from every aspect of your life!

This means that you must never use passwords on these devices that have anything in common with your other passwords - especially those which protect more important assets such as your bank account, credit card or financial investments.
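To see why a copy of #1 is enough, and why a "similar" password is as bad as the same one, the following is an added example (not from this page) that simulates what the thief does with the copied data. It uses a constructed store of password verifiers (plain unsalted SHA-1 here, standing in for whatever a real device stores), a tiny constructed wordlist and the cheap mutation rules that any cracking tool applies, and it feeds every recovered password back in as a new seed. The account names, passwords, wordlist and rules are all assumptions made for the example.

```python
"""Offline attack on a copied password store, round by round.

Added example, not the page's own code. The verifier store, wordlist and
mutation rules are constructed for illustration; unsalted SHA-1 stands in
for whatever "#1" a real device keeps.
"""
import hashlib


def verifier(password: str) -> str:
    """#1: the data a device keeps to check a password against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed copy of a thief's haul: account name -> stored verifier.
STOLEN = {
    "laptop":      verifier("tiger2008"),
    "web-shop":    verifier("Tiger2009!"),
    "bank":        verifier("Tiger2009!!"),      # the web-shop password "plus one"
    "investments": verifier("wItBtMbLxmasP4!"),  # derived from an unrelated sentence
}

WORDLIST = ["password", "letmein", "tiger", "cheshire"]  # constructed stand-in
YEARS = [str(y) for y in range(2000, 2011)]
SUFFIXES = ["", "1", "!", "#", "?"]


def mutate(seed: str):
    """#2 is public: the cheap rules a cracker applies to every seed."""
    for base in dict.fromkeys([seed, seed.capitalize(), seed.upper()]):
        for year in [""] + YEARS:
            for suffix in SUFFIXES:
                yield base + year + suffix


def crack_round(targets: dict, seeds) -> dict:
    """One pass: hash every mutation of every seed and match it against the store."""
    lookup = {h: name for name, h in targets.items()}
    found = {}
    for seed in seeds:
        for candidate in mutate(seed):
            name = lookup.get(verifier(candidate))
            if name and name not in found:
                found[name] = candidate
    return found


def climb_ladder(targets: dict, wordlist) -> list:
    """Repeat until no progress, using each recovered password as a new seed.

    Returns one dict per round so the escalation is visible.
    """
    remaining = dict(targets)
    seeds = list(wordlist)
    rounds = []
    while remaining:
        found = crack_round(remaining, seeds)
        if not found:
            break
        rounds.append(found)
        for name in found:
            del remaining[name]
        seeds = list(found.values())  # the ladder: cracked passwords become seeds
    return rounds


if __name__ == "__main__":
    for i, found in enumerate(climb_ladder(STOLEN, WORDLIST), 1):
        print(f"round {i}: {found}")
```

Round one recovers the laptop and web-shop passwords straight from the wordlist. Round two recovers the bank password only because it is the web-shop password with one character added, which is the escalator described in the next section. The fourth password, built from an unrelated sentence, is never recovered: it shares no seed with anything the thief already knows.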

  • The most important aspect of managing passwords is to treat them in categories (levels) according to their value to you, or the risk and consequences of losing them. The lowest level can be treated as throwaway in almost all respects; what matters is that every level is distinct from all the others, so that a password from one level cannot act as a 'set of ladders' for a thief to climb to the next. If you use the same or similar passwords for banking as you do for small retail stores on the web then you have given the thief an escalator when you thought you were playing "Snakes and Ladders".
  • PIDs vary greatly in every respect, so it makes sense to highlight the characteristics of some popular devices as well as of categories of device:
    • PCs (inc. Laptops!) running Windows XP - a thief can normally discover passwords of up to 14 characters within 5-20 minutes by booting your PC from a downloadable CD. The 14-character limit is that of the old LAN Manager (LM) hash, which XP stores by default alongside the NT hash: LM upper-cases the password and splits it into two independent 7-character halves, each of which can be looked up in precomputed tables, so mixed case and extra length below 14 characters buy you nothing. A password of 15 characters or more is not stored as an LM hash at all and escapes this particular attack.

      The above step is not usually necessary, as most home PCs have no password on their accounts, and those accounts are all administrators, which leaves the rest of XP widely exposed too.

    • When logged on to Windows XP, stored passwords can be displayed and copied to a pen drive in less than 10 seconds if the thief has automated the process, or 30-45 seconds if they have to do it manually.
    • Mobile 'phones
    • Routers are the devices which link your PCs to the broadband line (BT or Virgin) and nowadays are almost all wireless enabled. They actually have THREE passwords stored inside them and it is important that all three are set, that each is unique and difficult to guess, and that each is given only to the people who are authorised to use it - e.g. the WiFi password, which might be handed to visiting relatives and therefore must not be the same as the password that administers the router itself.
  • Where there is more than one (and unrelated!) sentence and you need to record a reminder, record them separately and ideally on separate media in separate locations - paper in your fire-safe at home combined with an obfuscated text on your mobile would be OK for a low-medium risk password. Add a third location (and maybe a third medium) for high risk passwords.
  • Use a sentence which very, very few people would know - obviously NOT lyrics, quotations etc. Think laterally - a sentence could be WHAT you WANTED to SAY to your BOSS at the Christmas party LAST YEAR! Don't even THINK of using what you want to say to them THIS YEAR, because it will have gone through your mind dozens of times before then and 'accidents do happen'.
  • Ideally each sentence would not exist anywhere on the Internet! However, when checking this (by searching Google for the sentence in quotes) you must not research more than one sentence at the same PC, and certainly not in the same week, as your search query strings are logged and it is just conceivable that a hacker could target this data as a source for a new dictionary.
  • To add some complexity AND length to the above you also need a SIMPLE set of rules - ONE FOR EACH LEVEL and VERY DISTINCT from one another - which insert odd characters into the password and IDEALLY make it broadly unique to the web site you are visiting.

    But as stated above, for the latest best practice on this topic visit: http://bb4t.co.uk/Page/bestppp
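The following is an added example (not this page's own scheme) of the sentence-plus-rule approach described above, with a check that the passwords for different levels give a thief no "rung" in common. The page does not say how a sentence becomes a password, so turning it into its word initials is an assumption, as are the three sentences, the three level names, the three site names and the three rules; all are constructed for the example.

```python
"""Sentence-based passwords with one distinct rule per risk level, plus a
check that passwords from different levels share no usable fragment.

Added example, not the page's own method. The initials mapping, sentences,
levels, sites and rules are all assumptions made for illustration.
"""
from typing import Callable, Dict, List, Tuple


def initials(sentence: str) -> str:
    """Base secret: the first character of each word (assumed mapping)."""
    return "".join(word[0] for word in sentence.split())


def site_token(site: str, take: int = 3) -> str:
    """Letters of the site name used to make each password site-specific."""
    letters = "".join(ch for ch in site.lower() if ch.isalpha())
    return letters[:take]


# One simple rule per level; each must be applicable in your head and look
# nothing like the others (assumed rules for the example).
RULES: Dict[str, Callable[[str, str], str]] = {
    "throwaway": lambda base, tok: base + tok,
    "medium":    lambda base, tok: tok[::-1] + "." + base[::-1],
    "high":      lambda base, tok: "#".join([base[:2], tok.upper(), base[2:]]),
}

# Constructed sentences, one unrelated sentence per level.
SENTENCES = {
    "throwaway": "Free coffee on Tuesdays in the canteen",
    "medium":    "Our third cat refused to eat sardines until May",
    "high":      "The parrot sang louder than the vicar at Easter 2007!",
}
SITES = {"throwaway": "forum.example", "medium": "shop.example", "high": "bank.example"}


def derive(level: str, sentence: str, site: str) -> str:
    """Apply the level's rule to the sentence initials and the site token."""
    return RULES[level](initials(sentence), site_token(site))


def example_set() -> Dict[str, str]:
    """One derived password per level, for the constructed sentences and sites."""
    return {level: derive(level, SENTENCES[level], SITES[level]) for level in RULES}


def longest_common_substring(a: str, b: str) -> str:
    """Classic dynamic-programming longest common substring (case-sensitive)."""
    best_end, best_len = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def ladder_rungs(passwords: Dict[str, str], min_len: int = 4) -> List[Tuple[str, str, str]]:
    """Pairs of levels whose passwords share a fragment of min_len or more
    characters: a fragment a thief who learns one can reuse to guess the other."""
    names = list(passwords)
    rungs = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            frag = longest_common_substring(passwords[x], passwords[y])
            if len(frag) >= min_len:
                rungs.append((x, y, frag))
    return rungs


if __name__ == "__main__":
    derived = example_set()
    for level, pw in derived.items():
        print(f"{level:10s} {pw}")
    print("rungs between levels:", ladder_rungs(derived))
    print("rungs in a bad set:", ladder_rungs({"shop": "Tiger2009!", "bank": "Tiger2009!!"}))
```

Run against the three constructed levels the check reports no shared fragment; run against a "shop" and "bank" pair that differ by one character it reports the whole ten-character overlap, which is exactly the ladder a thief climbs. The fragment length of four is a threshold chosen for the example; the point is that passwords from different levels should not survive such a check at any length a cracking tool would try as a prefix.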


This page © Business before Technology 2008-9 - see the respective sites of the owners for their copyright as well as terms and conditions

Links and other information last validated on 22nd May 2009. Please use the Contact us page to suggest any additions or revisions.

