Password Protection – I Better safe than Sorry

Varun Kapoor, IPS

Additional Director General of Police, Narcotics and PRTS, Indore


Our identity in the real world is our name read with our father’s name/husband’s name. That is our real identity. However our identity in the virtual world is not the same; it is something different. What is our identity in the virtual world? It is our Username read with our Password. So the username in the virtual world is like our name and the password is like our father’s name! In the real world we are more concerned and touchy about our father’s name. Thus we react very sharply to any slur or insult to our father’s name and even reach a “do or die” situation to protect it! Similarly we should protect and insulate our passwords in the virtual space. As our username may be, and often is, in the public domain, it is the password which should be a secret known only to the individual user. Thus it is the password which needs to be protected like our father’s name! And this is precisely the thing which most users forget to do, or take so casually, that it is almost like advertising our password on a board hung outside our gate!


The most common password of internet users, for three years running is – 123456. This was discovered in a survey carried out in 2013, 2014 & 2015 among internet users. This situation needs to change and become more reflective of the security requirements for net users today. Certain useful rules are enumerated below. These should be carefully studied and adopted at the earliest for secure web usage and identity security.


1. Make your password complex – Passwords should not be as simple as 123456, as enumerated above. That is because these are very simple to guess for all sorts of inhospitable characters who inhabit the virtual world. Brute-force attack software, which tries every possible combination of characters, can be run against individual accounts, and if the password is simple or has only a few characters it can be easily cracked. Thus it is recommended to have passwords of more than eight characters.


Similarly, a dictionary word should not be used when making a password. Dictionary-attack software, which tries every word in a wordlist, can be easily deployed and such a password can be easily cracked.


Another no-no is using personal information in the password that is created. That means information like name, father’s name, pet’s name, child’s name, date of birth, PAN number, vehicle number etc. should never be used. Such passwords can be easily cracked by cyber thugs using a technique called “Social Engineering Attack”, in which they first learn these details about the victim and then try them as passwords.


Thus a complex password of more than 8 characters, containing no personal information and no dictionary words, should be used as an ideal password, and the password should be changed every 3-6 months.
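The three checks in rule 1 (length against brute force, wordlist against dictionary attack, personal details against social engineering) can be turned into a small password-policy checker. The code below is an added example written for this column, not the author’s own tool; the wordlist, the personal-information list and the assumed guessing rate of ten billion guesses per second are constructed stand-ins for a real dictionary, real user details and real cracking hardware.

```python
import math
import re

# Constructed stand-in for a real cracking wordlist (a dictionary attack would
# use hundreds of thousands of entries).
DICTIONARY = {"password", "welcome", "monkey", "dragon", "sunshine", "football"}

MIN_LENGTH = 9            # "more than eight characters", as the column advises
MIN_BITS = 50.0           # keyspace below this is treated as brute-forceable
ASSUMED_GUESSES_PER_SEC = 1e10   # assumption: offline cracking rig, not a fact from the column


def keyspace_bits(password: str) -> float:
    """Size of the search space a brute-force attack must cover, in bits.

    The alphabet is the set of character classes actually present, raised to
    the password length. This is an upper bound: it assumes the attacker knows
    nothing about the password's structure.
    """
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33          # printable ASCII punctuation and space
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def brute_force_seconds(password: str, guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guessing rate."""
    return 2 ** keyspace_bits(password) / guesses_per_sec


def check_password(password: str, personal_info: list[str]) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} chars, need at least {MIN_LENGTH}")

    lowered = password.lower()
    # Dictionary attack: a bare word, or a word with digits/punctuation bolted on,
    # is still one guess away from a wordlist.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in DICTIONARY or letters_only in DICTIONARY:
        problems.append("is a dictionary word (vulnerable to dictionary attack)")

    # Social engineering: any personal detail (name, date of birth, vehicle
    # number...) appearing inside the password, ignoring case and punctuation.
    flat_password = re.sub(r"[^a-z0-9]", "", lowered)
    for item in personal_info:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 3 and token in flat_password:
            problems.append(f"contains personal information: {item!r}")

    bits = keyspace_bits(password)
    if bits < MIN_BITS:
        problems.append(f"brute-force keyspace only about {bits:.0f} bits")
    return problems


if __name__ == "__main__":
    # Constructed personal details of a hypothetical user.
    info = ["Ramesh", "Suresh", "Tommy", "12/05/1985", "MH12AB1234"]
    for candidate in ["123456", "password123", "Ramesh@1985x", "Tq7#vL9mPz!2"]:
        verdict = check_password(candidate, info) or ["OK"]
        print(f"{candidate:14} {keyspace_bits(candidate):5.1f} bits "
              f"{brute_force_seconds(candidate):12.3g} s   {'; '.join(verdict)}")
```

Running the block shows why each part of the rule matters: `123456` falls to brute force in a fraction of a second, `password123` is long enough yet is a single wordlist guess, and `Ramesh@1985x` has a large keyspace but hands the attacker a name they can learn from a social-media profile.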


2. Have unique passwords for each of our important accounts – Just as four locks in our house have four different keys. Why do we do that? Why don’t we have four locks and one key that opens each and every one of them? Because if that one key is lost then all the locks are compromised. A username and password is also a lock and key pair. We should have as many unique passwords as the number of accounts we have, so that if one password is cracked we don’t lose all our accounts.


3. Do not allow the browser to store passwords for you – Many times there are options like “keep me signed in”, “remember me”, “stay signed in”, “automatically sign in” etc. Never check the box to enable such a facility. It may prove fatal and very damaging if we do so. We do it for our convenience and to save time, but it exposes us to huge risks that are definitely avoidable.


An example of the damage that can be caused is a case that occurred a little while back in Pune. In this incident the victim left his mobile device on his work table and went to the cafeteria for a cup of coffee. A colleague of his approached the table in his absence and picked up the device. He pressed the email icon and, as the victim had enabled the “keep me signed in” option, he got access to the account. In a trice he sent an abusive and threatening mail to the boss of the company. The victim was hauled over the coals and even lost his job, because the account and the device from which the threatening and abusive mail was sent were both his. He had no way to prove his innocence and had to make an ignominious exit from the organization. A great reward for the luxury of saving a few seconds in typing out the password each time he accessed his account! So never adopt such shortcuts if secure passwords are to be effectively used in the virtual space.


These are three of the six precautions and rules that have to be followed while making and using secure and strong passwords. The remaining three will be listed in the next column.