Keys to better cyber security

Having your password stolen or having it publicly released can cause more than just inconvenience. Wang Kaihao reports.

When Xie Yin's friend received a New Year greeting from his instant messenger tool Tencent QQ on the last day of 2011, he did not expect to be swindled.

Someone had logged into Xie's QQ account and "borrowed" 2,500 yuan ($395) from his friend.

Xie, a physics researcher from Changsha, capital of Hunan province, works in a lab at Singapore-based Nanyang Technological University, and his friend also works in Singapore.

"We are in contact with each other quite often so he did not call me before sending the money," Xie says, adding he did not learn about the swindle until his friend called him and asked if the money had been successfully transferred.

Xie had been invited by a stranger to join an online forum of his college alumni association and take part in an online poll the day before. He had to log onto his QQ account to vote.

Theft is a constant menace in cyberspace, though it doesn't always involve money.

Xin Tianle, 20, is an undergraduate at China Foreign Affairs University. His campus educational network account was broken into in 2010.

The original password was the last six digits of his student ID number. Since Xin thought no one would be interested in his personal information, he didn't change the password until it was too late and had been altered by someone else.

Xin was not bothered about his academic records being exposed but was worried his cell phone number was revealed.

"Numerous phone calls from real estate companies have become a daily occurrence since then, and I have to change my phone number," Xin says.

Sun Cheng, a 30-year-old software developer from Qihoo, a Beijing-based company specializing in anti-virus programs, says: "A hacker will investigate your birth date, important anniversaries, your telephone numbers and so on. Then, it will be a piece of cake to unlock your keys.

"It's better to avoid using personal information when it comes to passwords."

However, a disappointing truth is that many people use even simple passwords. According to a report released by Qihoo and Rising, a Chinese anti-virus program company, in November 2011, "5201314" topped the list of "the most commonly used weak passwords in China".

This series of numbers sounds like "I love you all my life" in spoken Chinese.

Sun says a password will usually be given a hash function, a complicated algorithm, before it is stored at a website. For example, "1234" will be turned into a 39-digit number when rehashed by the cryptographic hash function MD5.

Although this means the original password is protected to some extent, a hacker will prepare a database including all the possible results for simple passwords.

When Sun recently gave a lecture on password security for Guokr.com, a popular science website, a doctor of optometry stood up and shared his tips.

"I use hash functions to calculate a character string first and use part of the results as my password," he said. "And I switch my passwords every three months by choosing a new string, and then I will get a totally different password."

As this method sounds a little too demanding, technologically speaking, for the general public, Sun has other suggestions. He recommends creating some individualized passwords to decrease the possibility of being decoded. He gave one of his former passwords - "Joh.P911653gk" - as an example at the lecture.

It may mean nothing to a stranger, but it is quite easy for Sun to remember it. Johann Pachelbel, who was born on Sept 1, 1653, is one of his favorite composers, and gk is short for "guokr".

Various kinds of password management software like LastPass, Roboform and 1password, are also widely used to facilitate memorizing passwords.

Though this kind of software was generally believed to be safe, US-based LastPass passed on a notice to users in May 2011 that a "limited amount of data was accessed".

"As long as you log onto the Internet, it is not absolutely safe," Sun says.

However complicated a password is designed to be, the effort will be in vain when a malicious virus known as a Trojan Horse captures information stored in codes.

"When your computer warns you the website is not safe, do not ignore it," Sun suggests.

Individual carelessness is not always the issue, however, as the case of 40 million users' passwords at Tianya Club, a major Internet forum, were leaked in December 2011. Another 6 million were exposed almost simultaneously on Csdn.net, one of the country's biggest networks for software developers.

"These passwords weren't even stored with a hash function," Sun says. "The job is only half done when users are cautious if the protection offered by websites needs upgrading."