Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Tuesday, 11 September 2018 18:47

Simple security for small business – part 1


Let's consider passwords – the first line of defence in any computer system.

First the TL;DR summary. For important access, keep your passwords complex; for trivial access, not so much. Also, many of the 'rules' around passwords don't always make sense.

A few weeks ago, I wrote about IT journalism's fixation with the latest and greatest hacks, intrusions and other bad behaviour, generally to the detriment of the simpler aspects of security. In that article, I suggested that there would be a series of follow-up pieces offering useful advice to smaller users. This is the first.

As much as they are maligned, and as much as the "death of the password" has long been predicted, passwords are still with us and probably will be for some time to come.

In most situations passwords are not stored in so-called "plain text". In other words, the characters you typed when entering a password are not what is stored. Instead, a one-way "hashing algorithm" is applied to the text to produce the stored version. This hashing is not reversible: anyone who knows the 'hash' cannot compute the plain-text password from it. At some later point, when you use the password again, the same hashing is applied and the result is compared with the stored hash; a match means you typed the right password. Note that "not reversible" is not the same as "unguessable": anyone holding the hash can still hash candidate passwords of their own and compare, and that is exactly what the cracking programs discussed below do.

Let me start by saying that a lot of what you hear about passwords is quite correct. But conversely a lot of well-meaning advice is wrong.

Let's offer some thoughts on what is correct.

Yes, passwords should be complex.

There are a couple of reasons for this. Firstly, there are plenty of programs out there that are excellent at cracking passwords, with John the Ripper being an obvious example. John the Ripper is very quick to attempt many candidate passwords against a password hash. It (and pretty much all the others) will try every dictionary word and every line of the most popular songs, it will insert and append numbers, and it also understands "leet-speak" (the habit of substituting similar-looking digits for letters: '3' for 'E', '0' for 'O' and so on). Further, these tools make use of databases of passwords leaked in previous breaches, which are an excellent guide to what people actually choose.
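To make that mangling concrete, here is an added example in Python (not from the article, and not John the Ripper's own code) that applies a tiny rule set of case changes, partial leet substitutions and common suffixes to a constructed six-word wordlist, and tests every candidate against a set of unsalted SHA-256 hashes. The wordlist, the rule set and the "leaked" hashes are all constructed for the example; a real cracker uses far larger lists and rule sets, but the mechanism is the same.

```python
import hashlib
import itertools

# Constructed sample wordlist standing in for a real dictionary or leaked-password list.
WORDLIST = ["password", "apple", "teacher", "dragon", "sunshine", "letmein"]

# Leet-speak substitutions the way a cracking rule set applies them: a digit in place of a letter.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Common things people bolt onto the end of a word.
SUFFIXES = ["", "1", "123", "!", "2018", "1!"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for a fast, unsalted password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def leet_variants(word: str):
    """Yield every partial leet substitution of word (2**k variants for k substitutable letters)."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def mangle(word: str):
    """Yield the candidates a rule-based cracker would derive from one base word."""
    seen = set()
    for cased in (word.lower(), word.capitalize(), word.upper()):
        for variant in leet_variants(cased):
            for suffix in SUFFIXES:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def crack(target_hashes):
    """Hash every mangled candidate and look for it among the targets.

    Returns (recovered, attempts): recovered maps hash -> plaintext for each hit,
    attempts is how many candidates were hashed before stopping.
    """
    remaining = set(target_hashes)
    recovered = {}
    attempts = 0
    for word in WORDLIST:
        for candidate in mangle(word):
            attempts += 1
            digest = sha256_hex(candidate)
            if digest in remaining:
                recovered[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return recovered, attempts
    return recovered, attempts


if __name__ == "__main__":
    # Constructed "leaked" hashes: four weak choices and one long, unusual passphrase.
    plaintexts = ["password", "Password1", "P4ssw0rd!", "Dr4gon123",
                  "And!findItk1NDafuNnyiFinDitKindaSad"]
    targets = [sha256_hex(p) for p in plaintexts]
    found, attempts = crack(targets)
    for digest, plaintext in zip(targets, plaintexts):
        print(f"{plaintext!r:40} {'CRACKED' if digest in found else 'not found'}")
    print(f"{attempts} candidates tried")
```

With six base words and a handful of rules the cracker hashes roughly a thousand candidates and recovers all four of the "clever" variants; the song-line passphrase is never reached because no rule derives it from a wordlist entry.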

Secondly, beyond these "cracking" programs, we also have "rainbow tables": precomputed databases that map hashes back to plain-text passwords. If the hash exists in the table, so does the password. Fortunately (for us average punters) any useful rainbow table is huge, occupying many terabytes, making them relatively unwieldy for all but the most determined ne'er-do-well. Rainbow tables are created in advance by generating candidate passwords and hashing them, then storing the results in a compressed form that can be searched later. Two caveats apply. A table only works against the exact hashing algorithm it was built for, and it is defeated entirely if the system mixes a random per-user "salt" into each hash before storing it, because the attacker would need a separate table for every possible salt value. Any competently built system salts its hashes, which is why the cracking programs, rather than rainbow tables, are the everyday threat.
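An added example (Python, not from the article) of the lookup-table idea and of why a salt defeats it. It builds a full hash-to-plaintext dictionary over a constructed candidate list rather than the chain-compressed structure a real rainbow table uses, but the question it answers ("which password has this hash?") is the same. The `salthex$digesthex` record format is this example's own convention, as is the 16-byte salt length.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the millions of entries a real table would hold.
CANDIDATES = ["password", "Password1", "MyPa55sword", "letmein", "qwerty123", "Dr4gon!"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> plaintext for every candidate, once, ahead of any attack."""
    return {sha256_hex(c.encode("utf-8")): c for c in candidates}


def store_unsalted(password: str) -> str:
    """What a naive system stores: the bare digest of the password."""
    return sha256_hex(password.encode("utf-8"))


def store_salted(password: str, salt=None) -> str:
    """Random 16-byte per-user salt, stored beside the digest as 'salthex$digesthex'.

    The salt is not secret; its job is to make the same password hash differently
    for every user, so no precomputed table matches the stored digest.
    """
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + sha256_hex(salt + password.encode("utf-8"))


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids leaking a prefix match."""
    salt_hex, digest = stored.split("$", 1)
    candidate = sha256_hex(bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return hmac.compare_digest(candidate, digest)


def lookup_unsalted(table, stored: str):
    """Instant recovery: the stored digest is exactly what the table was built from."""
    return table.get(stored)


def lookup_salted(table, stored: str):
    """The digest now depends on a salt the table never saw, so nothing matches."""
    return table.get(stored.split("$", 1)[1])


def tables_needed_for_salt(salt_bytes: int) -> int:
    """One precomputed table per possible salt value."""
    return 2 ** (8 * salt_bytes)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted record ->", lookup_unsalted(table, store_unsalted("Password1")))
    print("salted record   ->", lookup_salted(table, store_salted("Password1")))
    print("tables needed to cover a 16-byte salt:", tables_needed_for_salt(16))
```

Salting is the minimum; systems that store passwords well also use a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) in place of a single SHA-256 so that each guess costs the attacker real time.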

So, you should make your password too complex to either appear in a rainbow table, or to be discovered by a cracking program.

But how?

Broadly, the rules we typically see that specify a minimum length and a variety of character types are sensible: both enlarge the space of candidates an attacker must work through, whether by precomputed table or by cracking program. So, any password of at least 10 characters that includes a mix of upper and lower case, a few digits and some other characters is currently about the minimum you should have when you care about the access being managed.

But please, don't confine yourself to capitalising the first letter of a word or substituting a couple of 'leet' characters. Be a little more creative!

• password (pointless)
• Password1 (very slightly less pointless)
• MyPa55sword (marginally better, but still trivial to crack)
• aNAp91ef0RmytE#ch3R (pretty good; if you couldn't read it, it is "AnAppleForMyTeacher" with all manner of variation. However, good luck remembering how to type it!)

As an alternative, you might consider taking a line from a favourite song and "modifying" it. Perhaps something like "And!findItk1NDafuNnyiFinDitKindaSad": significantly easier to type than the 'teacher' example, a little longer, and definitely tougher for the nasty dudes.
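The examples above can be put on a rough numeric footing. The following added Python (not from the article) computes two figures for each candidate: the brute-force upper bound implied by its length and the character classes it uses, and a "pattern" estimate of how many candidates a rule-based cracker needs when the underlying phrase is one a wordlist already contains and only a few dozen rule variants separate it from that entry. The guess rate of ten billion hashes per second, the ten-million-entry wordlist and the 64 variants per entry are assumptions chosen for illustration, as is the judgement of which phrases sit in such a list.

```python
import math
import string

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)

# Illustrative assumptions, not measurements.
GUESSES_PER_SECOND = 10_000_000_000   # fast unsalted hash on commodity GPUs
WORDLIST_SIZE = 10_000_000            # a large leaked-password corpus
VARIANTS_PER_ENTRY = 64               # case / leet / suffix rules per wordlist entry
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet an attacker who knows which character classes appear must cover."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace for exhaustive search at the known length over the observed classes."""
    return len(password) * math.log2(alphabet_size(password))


def pattern_bits() -> float:
    """log2 of the candidates needed when the base phrase is in the wordlist and the
    password is one of VARIANTS_PER_ENTRY rule applications to it."""
    return math.log2(WORDLIST_SIZE * VARIANTS_PER_ENTRY)


def effective_bits(password: str, in_wordlist: bool) -> float:
    """The attacker takes the cheaper route: rules when the phrase is known, brute force otherwise."""
    bits = brute_force_bits(password)
    return min(bits, pattern_bits()) if in_wordlist else bits


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # (password, assumed to derive from a wordlist phrase?) for the article's examples.
    samples = [("password", True), ("Password1", True), ("MyPa55sword", True),
               ("aNAp91ef0RmytE#ch3R", False), ("And!findItk1NDafuNnyiFinDitKindaSad", False)]
    print(f"{'password':40} {'brute bits':>10} {'effective':>10} {'years':>12}")
    for pw, known in samples:
        eff = effective_bits(pw, known)
        print(f"{pw:40} {brute_force_bits(pw):10.1f} {eff:10.1f} {years_to_exhaust(eff):12.3g}")
```

The table makes the article's point in numbers: the leet-modified word looks like 65 bits of brute force but falls to about 29 bits once the attacker uses rules, a fraction of a second at the assumed rate, while the long song line stays far beyond exhaustive search even though it uses the same character classes.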

In parallel with passwords, we also have biometrics (fingerprint, face, voice, iris etc.), but most such systems are required to release a text password to the system that actually validates the access, so not a lot of improvement, really.

The last piece of advice I will give here is that you should use none of my examples. They are guidance only. Rest assured that the "bad dudes" will add them to every quick-access intrusion tool available. They are also entirely unrelated to any password I have ever used!

So, with all that in mind, what advice have people received that is entirely pointless?

My first irritation is the insistence that passwords be changed regularly. Why? If the password is good enough to conform to all the rules, and there is no evidence that it has been compromised, why change it? Why create the possibility (probability!) that the user will forget it? That rule makes no sense at all.

Next, we have the insistence that you use a different password for every location that requires one. This rule belongs in the final circle of hell!

There are two likely outcomes from this. The first is that people will create some kind of pattern that links a password stub with the name of the website; if one of those passwords is hacked, the method is revealed and access to every other site is simple (for the intruder). The other is that people will create great passwords every time, and then forget them. I'd love to see password-reset statistics for a range of major websites.

In parallel to this are the websites that insist on the most amazingly convoluted password rules merely to access a document that ought to be freely available. I've regularly seen this with the "big four" consultancy firms. They are adding to the problem, not helping!

So, you might ask, "after all this negativity, what is a good password? Are there good rules for creating and using them?"

First, some "motherhood" statements:

  • Passwords are a useful form of authentication, but not the best.
  • The strong password you remember is better than the very strong password that you forget.
  • Longer (and more complex) passwords are better than shorter and simpler ones. Twelve characters is a useful minimum, although that will increase as cracking hardware improves.
  • The places that demand a password for no good reason are deserving of a weak one.

My first recommendation is to select a simple, easy to remember password that can be used in places where neither you nor the website care about any level of security. Ensure this password is only used in places where no personal information is stored (beyond your email address and name).

For somewhat more secure uses, create a password root structure that can be modified and extended for each location it is used. As an example, your password root might be "B@ck!n8lack" (that's related to "Back in Black" for AC/DC aficionados), into which you might insert a number representing the alphabet position of the third letter of the domain name (e.g. 23 for a 'w') along with the letter three places further along the alphabet from the last letter of the domain name. Thus the final password might be B@ck23h!n8lack. Of course, now that it is published, this scheme should never be seen again! Use your own.
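The derivation just described, as an added example in Python (not the author's code). It assumes the fragment is inserted after the fourth character of the root, that "the domain name" means the first label after any leading "www" (so itwire.com contributes the 'w' and the 'e', which reproduces the B@ck23h!n8lack string above), and that the alphabet wraps from 'z' back to 'a'. The second function shows the weakness the column notes a few paragraphs earlier: anyone holding one derived password, and knowing which site it came from, can strip the fragment, recover the root and derive the password for every other site that uses the scheme.

```python
import string

ALPHABET = string.ascii_lowercase


def site_label(host: str) -> str:
    """Assumed reading of 'domain name': the first label after any leading 'www'
    (itwire.com -> itwire, www.example.co.uk -> example)."""
    labels = host.lower().split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[0]


def site_fragment(host: str) -> str:
    """Alphabet position of the label's third letter, followed by the letter three
    places after its last letter (wrapping z -> c). Digits and hyphens are skipped."""
    letters = [c for c in site_label(host) if c in ALPHABET]
    if len(letters) < 3:
        raise ValueError(f"label {site_label(host)!r} has fewer than three letters")
    number = str(ALPHABET.index(letters[2]) + 1)
    shifted = ALPHABET[(ALPHABET.index(letters[-1]) + 3) % 26]
    return number + shifted


def derive(root: str, host: str, insert_at: int = 4) -> str:
    """Insert the site fragment into the root after insert_at characters.
    With insert_at=4, root 'B@ck!n8lack' and itwire.com gives 'B@ck23h!n8lack'."""
    return root[:insert_at] + site_fragment(host) + root[insert_at:]


def recover_root(leaked_password: str, host: str):
    """What an intruder does with one leaked password: compute the fragment for the
    site it came from and remove it, leaving the root that works everywhere else.
    Returns None if the fragment does not appear (the password was not built this way)."""
    fragment = site_fragment(host)
    position = leaked_password.find(fragment)
    if position == -1:
        return None
    return leaked_password[:position] + leaked_password[position + len(fragment):]


if __name__ == "__main__":
    root = "B@ck!n8lack"
    leaked = derive(root, "itwire.com")
    print("derived for itwire.com :", leaked)
    recovered = recover_root(leaked, "www.itwire.com")
    print("root recovered by intruder:", recovered)
    for other in ("google.com", "mybank.com.au"):
        print(f"intruder's guess for {other:14}:", derive(recovered, other))
```

Note that the intruder does not need to know the rule in advance: with two leaked passwords from different sites the common root and the inserted fragments are visible by inspection, and from there the rule is a short puzzle.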

For highly secure access, your online banking for instance, you will need to create similarly "difficult" and lengthy passwords, but each must have unique construction rules – no extension rules as described in the previous paragraph.

In my next article, we will look at password managers and alternate authentication technologies.





David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

