From buying groceries to paying your electricity bill, these days you can log on to the Internet and do it all online. However, the most important concern in all of these cases is security. While you buy groceries or pay your electricity bill online, what steps have you taken to ensure that your credit card, your bank account, your email account and your laptop are all secure?
Among the many important points you need to remember and take care of, the one I am going to tackle here is password security. Let me start by explaining two basic security concepts: identification and authentication.
User identification and authentication are the basic security mechanisms a person relies on to protect company or personal data from unauthorized access. A user identifies himself through a user/login ID; authentication then proves that the person presenting the ID really is its owner, through one or more of the following factors:
- Something you know, e.g. a password
- Something you have, e.g. a token or smart card
- Something you are, e.g. a biometric
A good password policy typically requires password features such as:
- A minimum length of 6 characters (8 or more is the usual floor today; every extra character multiplies the attacker's work)
- A mix of uppercase and lowercase letters, usually with digits or symbols as well
- Password expiry after 30 to 90 days (more recent guidance, such as NIST SP 800-63B, drops routine expiry because it pushes users toward predictable variations of the old password)
Further, characteristics of secure passwords include:
- The password should not be a dictionary word, with or without the usual letter-for-symbol swaps, because cracking tools try those first
- The password should be easy for the user to remember but difficult for an intruder to guess
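The policy above as executable checks, an added example that is not part of the original article: it tests the rules the article lists (minimum length, mixed case, not a dictionary word, including common symbol-for-letter swaps) and estimates how long a brute-force attack on the resulting search space would take. The wordlist is a constructed stand-in for a real cracking list, and the default guess rate of 10^10 per second is an assumed figure for an offline attack on a fast, unsalted hash with one modern GPU.

```python
import math
import re

# Constructed stand-in for the wordlists cracking tools try first.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football", "qwerty"}
MIN_LENGTH = 6  # the article's minimum; 8 or more is the usual floor today

# Reverse the usual letter-for-symbol swaps so "P@ssw0rd" is still seen as "password".
_UNLEET = str.maketrans("@$013", "asole")


def policy_violations(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    core = re.sub(r"[^a-z]", "", password.lower().translate(_UNLEET))
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


def search_space_bits(password: str) -> float:
    """log2 of the brute-force space for the character classes actually used."""
    alphabet = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)):
        if re.search(pattern, password):
            alphabet += size
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole space. The default rate is an assumed figure
    for an offline attack on a fast, unsalted hash with a single modern GPU."""
    return 2 ** search_space_bits(password) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("abc", "P@ssw0rd", "srbVma1"):   # constructed sample passwords
        print(candidate, policy_violations(candidate) or "passes policy",
              "%.0f s to exhaust" % seconds_to_exhaust(candidate))
```

Note what the numbers say: srbVma1, the article's own example, satisfies every rule yet its whole 62^7 space is exhausted in a few minutes at the assumed rate. Length matters more than any of the complexity rules.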
Security practices for password protection strongly discourage users from writing down their passwords. However, with so many criteria to satisfy to reach the required complexity, it becomes difficult for a user to remember a password at all. To add to the problem, a person has many passwords to remember.
A person may need a password to log on to an office desktop or laptop, to office mail, applications and ERP systems, to online banking accounts, online trading accounts and a personal email account. In addition, a PIN (Personal Identification Number) is needed to use a bank account at an ATM (Automated Teller Machine), and several bank accounts mean as many PINs.
Remembering so many passwords and PINs is a real challenge. Companies run security-awareness training and set policies against writing passwords down. In most cases users still write them down, just not openly.
To pay a bill online, you first log on to the bank's website and enter your user ID and password. Your bill is presented to you and you instruct the bank to pay it from your account. To shop online, you log on to the shopping website with the user ID and password you created for that site; when you pay by credit card you are redirected to the payment gateway of the card-issuing bank, where, after entering the card details, you must supply yet another password, the one the card networks' 3-D Secure schemes (Verified by Visa, MasterCard SecureCode) introduced for extra security.
Add the other secrets you are expected to keep confidential and recall exactly, such as your ATM PIN and your telephone banking TPIN, and you are bound to want to write them all down in a secret diary.
So how does one tackle the security issue and still not forget the password? The answer lies in never writing the secret down in the clear: either obscure it with a manual scheme or, better, keep it in a properly encrypted store. The manual schemes are simple substitution ciphers rather than encryption in any strong sense, but they do stop a casual onlooker. One such scheme is adding a fixed digit to every digit of your ATM PIN: if the PIN is 2527 and you add 2 to every digit, the written-down PIN is 4749 (wrap around past 9, so an 8 becomes 0). You can subtract instead, or multiply, provided the multiplier is odd and not 5 so that every digit can still be recovered. Keeping one common scheme for all your PINs is convenient, but it also means that anyone who works out the scheme from one PIN has all of them. You can also write the PIN in a foreign language you know, such as Japanese, French or German, which helps only against someone who does not read that language.
To obscure an alphanumeric password, insert extra characters at the beginning or end: if the password is srbVma1 and you prefix an a and append a c, the written-down form is asrbVma1c. Alternatively, insert a digit or change the order of the characters. Bear in mind that any such scheme has only a handful of possibilities, so it buys little against someone who finds the notebook and suspects that a scheme is in use.
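The two manual schemes above, as an added example that is not part of the original article, together with what they look like from the attacker's side. The digit shift is a Caesar cipher on the digits 0-9, so there are only ten possible keys; the padding scheme has a similarly small set of ways to strip a character or two from each end. The PIN 2527, shift 2, and the password srbVma1 with padding a/c are the article's own figures; the 8919 PIN used to show the wrap-around is constructed.

```python
def shift_pin(pin: str, shift: int) -> str:
    """The article's trick: add a fixed digit to every PIN digit, wrapping modulo 10
    so that 8 + 2 becomes 0 rather than a two-digit '10'."""
    if not pin.isdigit():
        raise ValueError("PIN must contain digits only")
    return "".join(str((int(d) + shift) % 10) for d in pin)


def unshift_pin(written: str, shift: int) -> str:
    """Recover the real PIN from the diary entry, given the shift you chose."""
    return shift_pin(written, -shift)


def pad_password(password: str, prefix: str, suffix: str) -> str:
    """The article's alphanumeric trick: surround the real password with extra characters."""
    return prefix + password + suffix


def strip_password(written: str, prefix: str, suffix: str) -> str:
    """Undo pad_password, refusing input that does not carry the chosen padding."""
    if not (written.startswith(prefix) and written.endswith(suffix)):
        raise ValueError("diary entry does not match the chosen padding")
    return written[len(prefix):len(written) - len(suffix)]


def pin_candidates(written: str) -> list:
    """Attacker's view: only ten shifts exist, so every candidate PIN can be listed
    and the real one is guaranteed to be among them."""
    return [unshift_pin(written, s) for s in range(10)]


def padding_candidates(written: str, max_pad: int = 1) -> list:
    """Attacker's view of the padding scheme: strip every combination of up to
    max_pad leading and trailing characters; the real password is in this list."""
    found = []
    for lead in range(max_pad + 1):
        for trail in range(max_pad + 1):
            core = written[lead:len(written) - trail]
            if core and core not in found:
                found.append(core)
    return found


if __name__ == "__main__":
    print(shift_pin("2527", 2), unshift_pin("4749", 2))          # 4749 2527
    print(shift_pin("8919", 2))                                  # 0131 (constructed, shows wrap-around)
    print(pin_candidates("4749"))                                # ten PINs, 2527 among them
    print(pad_password("srbVma1", "a", "c"), padding_candidates("asrbVma1c"))
```

The practical consequence: an ATM normally locks the card after three wrong PINs, so someone holding the diary gets to try three of the ten candidates per card, a 30% chance per card; a web login with no lockout lets them try all ten in seconds. And because the article suggests one common scheme for all PINs, a single confirmed hit reveals the shift used for every other entry.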
A more robust approach is a password manager such as KeePass or Passpack, which stores all your passwords and PINs in a single database encrypted under a key derived from one master password; you then need to remember only that master password, which should be long and used nowhere else. Web browsers can also remember the ID and password for your email accounts, but that option should never be used on a public or shared computer.
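What such a manager does under the hood, as an added example written for this page rather than KeePass's or Passpack's own code or file format: the master password is stretched with PBKDF2-HMAC-SHA256 and a random salt into separate encryption and MAC keys, each entry is sealed with a fresh random nonce using encrypt-then-MAC, and a wrong master password or an edited vault file fails the tag check before anything is decrypted. To keep the example standard-library only, the keystream is HMAC-SHA256 in counter mode, a PRF construction that stands in for the AES or ChaCha20 a real vault uses; the `Vault` class, the iteration count and the sample entries are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# PBKDF2 iteration count: the cost an attacker pays per master-password guess.
KDF_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into two independent 32-byte keys (encrypt, MAC)."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream standing in for AES-CTR/ChaCha20,
    chosen so this example needs only the standard library."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC one entry under a fresh random nonce."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_sealed(enc_key: bytes, mac_key: bytes, entry: dict) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt."""
    nonce, ct, tag = (bytes.fromhex(entry[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault entry tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """Minimal password store: one master password, every entry sealed separately."""

    def __init__(self, master_password: str, salt: bytes = b""):
        self.salt = salt or secrets.token_bytes(16)
        self.enc_key, self.mac_key = derive_keys(master_password, self.salt)
        self.entries = {}

    def add(self, name: str, secret: str) -> None:
        self.entries[name] = seal(self.enc_key, self.mac_key, secret.encode("utf-8"))

    def get(self, name: str) -> str:
        return open_sealed(self.enc_key, self.mac_key, self.entries[name]).decode("utf-8")

    def export(self) -> str:
        """Serialised vault: only the salt, nonces, ciphertexts and tags, no plaintext."""
        return json.dumps({"salt": self.salt.hex(), "entries": self.entries})

    @classmethod
    def load(cls, blob: str, master_password: str) -> "Vault":
        data = json.loads(blob)
        vault = cls(master_password, bytes.fromhex(data["salt"]))
        vault.entries = data["entries"]
        return vault


if __name__ == "__main__":
    v = Vault("correct horse battery staple")   # constructed demo master password
    v.add("ATM PIN", "2527")                      # constructed sample entries
    v.add("online banking", "srbVma1")
    saved = v.export()
    print(Vault.load(saved, "correct horse battery staple").get("ATM PIN"))
```

Two design points carry over to any real manager. The salt and the high iteration count mean an attacker who steals the vault file must pay 600,000 HMAC computations per master-password guess, which is why the master password, not the scheme, is the weak link if it is short. And because the MAC is checked before decryption, a wrong master password produces a clean failure rather than garbage that might be mistaken for a real entry.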
The need for better security arises because however smart the user, intruders will be smarter. Intruders use password-cracking tools and can brute-force weak passwords. Even if companies and banks secure their systems effectively against such attacks, it is all in vain if the password is compromised because the user wrote it down carelessly.