In a whitepaper, entitled “What’s in a name?”, researchers claim that security systems in place to protect online accounts are inherently flawed, claiming that many passwords can often be guessed with just the simplest knowledge about the account holder.

The report specifically highlights “security questions” used to verify users who have forgotten passwords or login credentials, a system used by some of the world’s biggest online names including eBay, Google and Yahoo.

“Despite their ubiquity, personal knowledge questions have received relatively little attention from the security community until recently,” the paper said.

“User studies have demonstrated the ability of friends, family and acquaintances to guess answers correctly, while other research has found that some questions used have a tiny set of possible answers.

“Many common questions have also been shown to have answers readily available in public databases or online social networks.”

The researchers looked at the type of security questions asked using data from a range of online service providers, including banks and financial institutions, as well as webmail services such as Hotmail, Gmail and Yahoo Mail.

One in three asked for a person’s name, and one in five asked for a place name. The researchers said that, when faced with these questions and given three guesses, an attacker can compromise roughly one in 80 accounts. This was increased when names were used as security keys, given the popularity of certain names in particular parts of the world, such as Smith in the Western world or Kim in Korea.

“Given names are a matter of fashion and vary in several interesting dimensions. In the countries studied, female names seem to provide slightly higher resistance to guessing than male names,” said the paper.

“The diversity of forenames has been increasing slowly but steadily over the past six decades in the US. Curiously, pet names are slightly harder to guess than human names.”

Because of what I do, sometimes people ask me about my opinion on a few issues. Often I am asked what I think about the security practices of organizations such as banks. This is effectively asking me, “Can I trust the online access etc mechanisms at the XYZ bank(s)?”

Needless to add I can hardly answer such a question. I make generic statements about security of online transactions being higher than assumed and that of off-line transactions lower than assumed. Embellished with some anecdotes this is often enough to get me off this question.

Recently I had a more serious conversation with a friend of mine. He is an old Unix-hand and is generally a `power user’. He had attempted to use the online account of a bank and true to his style, he used a tool (pwgen, if my recall serves me right). He prides himself on not writing down passwords etc and chose to generate a fairly strong non-pronounceable password. He spent nearly 20 minutes to memorize it and proceeded to set-up his online account. To his chagrin, the bank’s password validator rejected his password! Reason: no numerals. Despite the length and a mix of case and a generous helping of special characters the lack of a numeral triggered the rejection. He was quite bemused and even mildly upset. Having spent a lot of time on a potentially low usage issue, he decided to give up–I suspect it was as much due his inability to use the wonderful password he had generated and memorised.

As per his statement this was a few months ago. A few days back, he had occasion to visit the brick and mortar branch of the bank. While he was talking to an executive at the counter, another executive at the next counter complained that she was unable to log on to the system and the executive attending to my friend said to her, “Oh! The new password is XYZPQ123″. The XYZPQ, where the initials of the bank. This was said in a fairly conversational and slightly loud tone to be heard above the usual bustle of a busy bank floor.

My friend was so annoyed and amused he laughed out loud, so loud that the executive attending on him solicitously asked him if he needed help. My friend considered explaining as to how his bank needed help and wisely refrained at the last minute and pleaded an attack of a humorous recollection.

After the narration he gave me a “What are we supposed to do?” look. I told him I wish I knew.

PS: After I decided to write this blog entry, I called up my friend and told him that I was writing it up and he drew my attention to this article.  (SIGH) Maybe I should change my opinion on writing HOW-TOs on passwords on our site!

The micro-blogging site, which has been hacked numerous times in the past year, is trying to encourage users to choose complex, difficult to guess passwords as opposed to more obvious words which could be easily cracked by either a human or computer script.

The banned list of 370 passwords includes common words such as “password”, “letmein”, “qwerty”, “123456″ and “twitter”. Football teams, car manufacturers, names and places also feature in the list.

Any new user attempting to protect their account with one of the “blacklisted” passwords will be presented with an error message and asked to choose a stronger, more secure password.

The move comes just months after a hack on Microsoft Hotmail accounts revealed that a huge number of the users affected by the breach had been using woefully inadequate passwords.

Here is the full list of banned passwords, as released by TechCrunch:

The most common single password in the sample of 10,000 Live ID login credentials (the system used to login to services such as Hotmail) posted on a development website was “123456″, with others such as “password” and “123456789″ also common.

Of the 10,000 breached account details that were posted on PasteBin.com, “123456″ was found to be the password in 64 examples, according to Neil O’Neil from digital payments firm The Logic Group. Whilst the represents just 0.64% of the overall sample, the findings represent a worrying lack of password best practice. There were 18 uses of the second most popular password, “123456789″, in the list.

Further analysis also highlighted common themes in password structure, with names and birthdays used frequently. Other examples include “ibelongtogod” and “666666″.

As many as 42% of the passwords used only lowercase letters, 19% were purely numeric and only 6% mixed up alpha-numeric and other characters, according to a separate analysis of the data by web application security firm Acunetix.

O’Neil suggested that the breach highlighted severe flaws in online password security and recommended users to think more carefully about how they protect their accounts.

“It used to be that the best security advice was to never write down your password,” he said. “Today’s advice however is to choose complex passwords, write them down and then put them in your wallet.

“You know when your wallet is lost or stolen and therefore that you need to change your passwords. Three initials from your name and postcode will do the trick and will take a hacker weeks to crack. Using an old postcode adds another layer of protection.”

The list of details has since been removed from PasteBin although some experts claim that the data is still accessible to those, such as hackers, who will be determined to access it.

Douglas Havard, who is serving a six year prison sentence at Ranby Prison in Nottinghamshire for his part in a £6.5m ($10.38m) hacking and phishing scam, was asked to take over a project to create an internal TV station using the jail’s computer network.

The 27-year-old was, according to the Sunday Mirror, left unattended by guards despite being afforded access to the prison’s network. He went on to reset a series of passwords that locked out anybody else that attempted to use the system.

Prison bosses were forced to call in computer security consultants in order to fix the problem, with Harvard being put into segregation as punishment for the incident.

The blunder emerged a week after the Sunday Mirror revealed how an inmate at the same jail managed to get a key cut that opened every door.

A Prison Service spokesman told the Sunday Mirror that the breach was being investigated, claiming: “Prisoners are not allowed unsupervised access to computers. The prisoner was not able to access records of any other prisoners.”

The information has allowed researchers to discover key details on the workings of the notorious Torpig botnet, a network of zombie computers used to collect sensitive user information such as credit card details and login information.

Within the data, researchers found more than 297,000 unique login credentials (defined as a username and password pair) from 52,540 unique machines infected with the Torpig virus. More than 8,200 of these were for Google profiles whilst login credentials for Facebook, Myspace, Yahoo and Italian ISP Alice also featured prominently.

To capture the information, the Torpig virus attaches itself to programmes such as Mozilla Thunderbird, Skype, Microsoft Outlook, ICQ, Internet Explorer and Firefox. After monitoring keystrokes, the malware automatically uploads new data to servers controlled by the authors eery 20 minutes. Researchers also found that due to the discreet way in which it operates, Torpig is able to capture information before it is encrypted by secure socket layer (SSL).

The report also highlighted a notable lax attitude towards password security from the users of infected machines, with 28% of users using the same login credentials for several sites or services. The authors of the report suggested that users were not taking enough steps to prevent themselves from malware, such as secure passwords or updated antivirus software.

“The victims of botnets are users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites,” stated the report. “This is evidence that the malware problem is fundamentally a cultural problem.

“Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behaviour when using a computer. Therefore, in addition to novel tools and techniques to combat botnets and other forms of malware, it is necessary to better educate the Internet citizens so that the number of potential victims is reduced.

In reality, few actually put much thought into “best practice” when it comes to security passwords, be it for a Facebook profile, email account, forum username or PC logon password. Many of us, in the interests of convenience, even take a “one size fits all approach” and use one password for every account possible whilst others take advantage of password remembrance software.

Of course, there are flaws in such systems. Whilst somebody hacking into your Myspace page could get up to little more than mild mischief, the fact that one of your primary forms of defence against malicious activity could have serious implications, particularly if you have a somewhat lax attitude to password security.

So what is “bad password practice”? Essentially, any password that could be guessed without an awful lot of imagination would fit that bill.

Back in 2006, PC World Magazine released the ten most common computer password’s in the UK. Let’s see if any look familiar.

10. “thomas” – Simply putting your name is a common idea that people have. In this case, Thomas came out on top.

9. “arsenal” – Football teams – another common one and, if you know who’s account that you are wanting to breach, one that’s easy to guess.

8. “monkey” – A six letter word (meaning that it meets most minimum character lengths) and an easy to remember word.

7. “charlie” – Another name and another that’s particularly memorable.

6. “qwerty” – For those who just like to run their fingers along the top of the keyboard.

5. “123456″ – Well, it’s one way to make the character limit.

4. “letmein” – Perhaps a modern take on “open sesame” – the famous phrase from Ali Baba and the Forty Thieves.

3. “liverpool” – Another football-related password.

2. “password” – The second most used password on UK computers is the word “password”.

1. “123″ – despite most password systems requiring a six character limit, as many as four in every 1000 passwords in the UK was just “123″

So, let’s say that your name is Charlie and that you support Liverpool – how do you choose the right password? Here’s our top five guide to help you protect your accounts.

1. Don’t make it obvious.
Let’s say that you are a member of a Liverpool Football Club fans forum and somebody wants to hack your user profile. There’s nothing malicious in it, they just want to cause some mischief. So, how many forum users do you think will have made their profile password “liverpool”?
Depending on what your profile is for, remember you are probably giving a hacker some clue as to who you are, whether it’s your favourite football team or band, the car that you drive or what your hobbies are. Don’t make that situation worse with an obvious password.

2. Size does matter.
The longer your password is, the harder it is to guess. That’s essentially why most passwords must, as a minimum, be at least 6-8 characters long. If there are more characters to use, take advantage of them.

3. Add some character.
Or rather, characters. Whilst you might find that some passwords will limit how many ‘special characters’ you can use, adding a few into a password can make a big difference. Instead of using “password”, try using “pass-word” or “pass_word”.

4. Capital Ideas.
With most password systems being case sensitive (ie, “password” is different to “PASSWORD”) using a sprinkling of capital letters in your password will seriously improve your password security.

5. Number crunching.
Replacing letters with numbers is another great way of making your passwords even tougher. Even if they are fairly obvious replacements (for instance, replacing “L” or “I” with “1″), they can make it very difficult for a would-be hacker. Instead of using “password”, try using “pa55word” or “passw0rd” (or a combination of the two!).