Tag Archives: phishing

What are Twitter thinking? #Twitter #stupid #phishing

I am SERIOUSLY unimpressed by Twitter.

I guess a lot of us have been sending out Direct Messages about having more satisfying sex for longer, and those of us with half a brain have been changing our passwords.

But this email from Twitter is unforgivable:

Twits at Twitter

Moronic email from Twitter

The text reads:

Hey there.

Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset. Please create a new password by opening this link in your browser:
http://twitter.com/account/password_reset?email=etc,etc

This will reset your password.

This is stupid because it encourages people to trust unsolicited emails which ask them to click on a link.  Phishing emails in fact.  Yes, let’s train people to trust links in unsolicited emails which aren’t addressed to them personally. That would be cool.

Not.

This is in fact so blindingly moronic that I cannot bring myself to explain how blindingly moronic it is.  I don’t want to ruin my entire weekend with the rage I’d generate in myself.

Of course if I really want to get my point out there, I should tweet it.

Make your passwords memorable but secure

This is apparently National ID Fraud Prevention Week, so my name is Bill Bartmann and welcome to my blog.

This is timely.  The recent publication of email passwords online has set many people busily changing passwords. But how often do we create passwords like October09 or BenWarsop1 even though we know we shouldn’t? And we compound the problem by using the same password everywhere, leaving all our accounts wide open whenever a website emails us a forgotten password in plain text with the subject line ‘password’.

I’ve been mulling over how to create passwords which you, but only you, can reverse engineer. The suggestions here aren’t best practice (I am not sure what is, these days) and an additional option is to use a password manager. But you might find some of these approaches easy to use and more secure than what you are doing now.

We all know that passwords should be in a mix of upper and lower case with numbers and special characters, but too many people just tag a number on the end. A slightly more sophisticated alternative is to type in Leet. Leet (pronounced ‘elite’) looks like txtspk but 1s 1n f@ct ju5t sw@pp1ng letter5 with num6er5 in @ w@y th@t m0re or le55 keep5 th1ng5 legi6le. UK personal number plates tend to be in Leet.

But the challenge is more about mnemonics – devising an approach which you can remember but which is hard for others to predict. I have been playing with systems based on the name of the site or service. An example of such a system would be to assign the numbers 1-12 to the months of the year, and then count the number of letters in the site’s name. WordPress has 9 letters in it so the password would be September. There are several ways to write that in Leet, such as S3ptember. Better not to put the capital at the beginning: s3ptemBer. But what to do if the name has more than 12 letters in it? Simply do the numerologist’s trick and add the digits together so 14 becomes 5, or May.

If you don’t like months (and I don’t because I’ve just blogged about it) then other months are available. Counting rhymes are a good source of number systems. The 12 days of Christmas gives us nine ladies dancing, so WordPress would be ladies, or l@dIes if you write it in leet and capitalise the 3rd letter from the end. There are any number of counting rhymes like ‘One for Sorrow’ or ‘Yan Tan Tetherer’. There are other options: use the 1966 England squad if you know it by heart. It’s all a matter of what you can remember without looking up. But try to make the group not very obviously a group, which is why it is better to avoid things like the signs of the zodiac. It is harder to spot the pattern in earnest and serve than it is to spot it in earth and saturn, so better to use one of the mnemonics for the planets and not the planets themselves.

Ten or twelve passwords isn’t that many; working with the letters in the site name gives you 26 potential passwords, for example by using the international call-sign alphabet. If you choose the first letter, WordPress would be Whisky or wh1Sky. But that’s a little obvious; if I know your WordPress password is wh1Sky it would be easy enough to guess your Yahoo one was y@nKee. It would be better to consistently choose a letter that’s not the first letter, say the third one, rendering WordPress as roM3o.

It is poor practice to have just one word in your password, so it’s better to combine the two approaches: r0M3os2ptemBer. Of course, some site somewhere will be n0vemBern0vemBer but hey.

As you can guess, I am not a fan of using the international call sign alphabet because it is so recognisable. If you have any other alphabets in your head, from reading books to your children perhaps, then better to go with them:

  • A was an apple pie
  • B bit it
  • C cut it
  • D dealt it
  • E eat (ate) it
  • F fought for it
  • G got it
  • H had it
  • I inspected it
  • J jumped for it
  • K kept it
  • L longed for it
  • M mourned for it
  • N nodded at it
  • O opened it
  • P peeped in it
  • Q quartered it
  • R ran for it
  • S stole it
  • T took it
  • U upset it
  • V viewed it
  • W wanted it
  • X, Y, Z, and ampersand
  • All wished for a piece in hand

Combining this with the 12 days of Christmas would give me ranladies for WordPress, or r@nl@dIes in leet with an internal capital.

Again, other alphabets are available. For example, the cockney alphabet which goes ‘A fer ‘orses, B fer lamb, C for th’ighlanders’. It doesn’t need to be an alphabet, any long list will do if you count A for the first place, B for the second and so on. Are you a chemist? Use the periodic table. Do you know the Modern Major General off by heart? Or the Shipping Forecast? If you struggle with mnemonics for letters then Derren Brown describes several mnemonics for letters and numbers.

The thing is to devise an approach and stick to it, so that the letter you match is always the third letter of the site’s name and you always use the international call-signs. Or whatever. Then you can reverse engineer your password any time you need to.
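To make the letter-count and third-letter scheme above concrete, here is one deterministic version of it as an added example (not code from the original post). The leet and capitalisation rules are my own choice, since the post itself spells its leet words in several ways; the `Ponderlands` site name is a constructed example of the `n0vemBern0vemBer` collision the post mentions.

```python
# Added example, not code from the original post: one deterministic version of
# the post's site-name password scheme. The leet/capitalisation rules below are
# my choice (the post notes there are several ways to write a word in Leet).
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# The "international call-sign" alphabet the post uses (whisky, yankee, romeo).
CALLSIGNS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf",
             "hotel", "india", "juliet", "kilo", "lima", "mike", "november",
             "oscar", "papa", "quebec", "romeo", "sierra", "tango", "uniform",
             "victor", "whisky", "xray", "yankee", "zulu"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0"}

def site_letters(site):
    """Letters of the site name only, lower-cased (dots, digits, spaces ignored)."""
    return [c.lower() for c in site if c.isalpha()]

def reduce_to_12(n):
    """Numerologist's trick from the post: 14 -> 1 + 4 = 5; repeat until n <= 12."""
    while n > 12:
        n = sum(int(d) for d in str(n))
    return n

def count_word(site, wordlist=MONTHS):
    """Count the letters in the site name and index into a 12-item list (months)."""
    return wordlist[reduce_to_12(len(site_letters(site))) - 1]

def letter_word(site, wordlist=CALLSIGNS, position=3):
    """Take the Nth letter (3rd, as the post prefers) into any A..Z ordered list."""
    letters = site_letters(site)
    return wordlist[ord(letters[position - 1]) - ord("a")]

def leetify(word):
    """Leet the first swappable vowel, capitalise the 3rd letter from the end
    (reproduces the post's s3ptemBer, wh1Sky, y@nKee, l@dIes and n0vemBer)."""
    chars = list(word.lower())
    for i, c in enumerate(chars):
        if c in LEET:
            chars[i] = LEET[c]
            break
    chars[-3] = chars[-3].upper()
    return "".join(chars)

def derive(site):
    """The post's combined two-word password for a site: letter word + count word."""
    return leetify(letter_word(site)) + leetify(count_word(site))

def distinct_passwords(sites):
    """How many different passwords the scheme yields for a set of sites: with 26
    letter words and 12 count words there are at most 312, which is why the post
    warns that knowing one password makes the others easy to guess."""
    return len({derive(s) for s in sites})
```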

The problem with this is that you should change your passwords frequently, but I am rather stumped for an approach to that. You could of course just retire the 12 days of Christmas at the end of the year and replace it with Green Grow the Rushes-O or anything else that is stuck in your mind and won’t go away.
