
Al-Qaeda Cybersecurity Lesson to Jihadists: No More '123456' Passwords

Jihadists have been cautioned not to use “123456” or the word “password” as their online password in new cybersecurity guidance issued by al-Qaeda in Syria.

The instructions, published in the new issue of Hayʼat Tahrir al-Sham’s English-language online magazine al-Haqiqa, come as the bulk of terror incitement, recruitment, planning, public communications and propaganda has moved into open internet spaces or onto the encrypted dark web.

“A memorable combination of letters is all that protects you from the Kafir [disbeliever] enemy such as their police and intelligence services. Remember there are spies everywhere: they will try to crack your password via phishing expeditions and via hacking,” states the article, calling a strong password “your first line of defense.”

Jihadists are advised to follow two core rules: make their passwords at least 12 characters long, and use a combination of upper- and lower-case letters, numbers and hyphens.

“The easiest way to create a safe password would be to pick two random words, add a hyphen, and tack a number on the end. A space can count as a special character. That way you have a password that uses all of the rules and is still easy to remember. An even better way to make a safe password which is also easy to remember: simply pick two of your favorite things, add a dash between them and tack on your favorite number at the end,” the instructions continue, offering as an example a jihadist who uses his favorite snack — dates — and the numbers of his favorite hadith.

Alternatively, al-Qaeda suggests taking the first letters of a favorite quote and turning the acronym into a password. “Even the best spy agency would have to dedicate all of its computing power and resources for many years still finding this a very tough nut to crack,” they vow.

Jihadists are reminded to be “very disciplined” in changing their passwords every six months (“most of us are creatures of habit and stick to our trusted password for years if we get the chance”), to use different passwords for each “highly sensitive” account, and to resist the temptation “to write your passwords down somewhere.” Al-Qaeda suggests storing credentials in an encrypted, non-cloud password manager such as “a freely available offline program like KeePass.”

Furthermore, al-Qaeda advises using two-step verification, the group’s preferred method being a time-based one-time password (TOTP) algorithm. “Google has a TOTP app, but it is better if you pick an alternative open source application, so you would not even have to be connected to the internet,” the instructions add.

“Never use any information about yourself that can be found in the public record. This includes birthdays, anniversaries, license plate numbers, or home addresses. Never make your password the same as your username. Never use recognizable keystroke patterns like ‘1qaz2wsx’ on a qwerty keyboard,” continues the tutorial. “…Never replace letters with numbers in a common dictionary word. Most botnets are keen to so-called ‘l33tspeak’ and will crack ‘Pr0ph3t’ just as fast as the word ‘Prophet’. Never use the ‘remember password’ option in your browser.”
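To make the two core rules, the two-words-plus-number recipe and the l33tspeak warning concrete, here is an added example that is not code from the al-Haqiqa article or from the magazine. It encodes the policy as the article paraphrases it, undoes digit-for-letter substitutions the way a cracker's leet rule does, and estimates the search space of the “favorite thing-favorite thing-number” scheme for an attacker who guesses the pattern. The mini wordlist, the leet map and the 10,000-entry dictionary size are assumptions for illustration.

```python
import math
import re

# Constructed stand-in for a cracking dictionary. Assumption: a real attack uses
# wordlists of millions of entries plus mangling rules, so this is only illustrative.
WORDLIST = {"prophet", "dates", "mecca", "password", "welcome", "sword"}

# Common digit/symbol-for-letter swaps that password crackers undo with a "leet" rule.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_rules(pw: str) -> bool:
    """The two core rules as the article paraphrases them:
    at least 12 characters, with upper case, lower case, a digit and a hyphen."""
    return (len(pw) >= 12
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and "-" in pw)


def normalize_leet(token: str) -> str:
    """Undo l33tspeak substitutions and fold case, so 'Pr0ph3t' becomes 'prophet'."""
    return token.translate(LEET_MAP).lower()


def built_from_dictionary(pw: str, wordlist=WORDLIST) -> bool:
    """Mimic a combinator attack: split on the hyphen, strip a trailing number,
    undo leet swaps, and report whether every piece is a plain dictionary word."""
    for part in pw.split("-"):
        base = re.sub(r"\d+$", "", part)   # drop a "favorite number" tacked on the end
        if normalize_leet(base) not in wordlist:
            return False
    return True


def scheme_entropy_bits(dictionary_size: int, words: int = 2, number_choices: int = 10) -> float:
    """Search space, in bits, of '<word>-<word><number>' for an attacker who knows the
    pattern. Assumption: words drawn uniformly from dictionary_size entries."""
    return words * math.log2(dictionary_size) + math.log2(number_choices)


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Search space if the attacker must try every string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def assess(pw: str, dictionary_size: int = 10_000) -> dict:
    """Summarize how a candidate looks to the policy and to a dictionary-aware attacker."""
    return {
        "meets_rules": meets_rules(pw),
        "dictionary_pattern": built_from_dictionary(pw),
        "pattern_bits": round(scheme_entropy_bits(dictionary_size), 1),
        "brute_force_bits": round(brute_force_bits(len(pw), 63), 1),  # 26+26+10+hyphen
    }


if __name__ == "__main__":
    for candidate in ("Pr0ph3t", "Dates-Mecca7", "xq9v-Lk2pWs4"):
        print(candidate, assess(candidate))
```

The point a practitioner takes from running this: `Pr0ph3t` normalizes straight back to `prophet`, exactly as the article warns, and a password such as `Dates-Mecca7` satisfies every stated rule yet collapses to two dictionary words and a digit for anyone who guesses the recipe, a search space of roughly 30 bits with a 10,000-word dictionary rather than the 70-plus bits its 12-character length suggests. Length rules only help when the characters are not predictable from a known pattern.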

The al-Qaeda article encourages jihadists to “no longer think of a password as a necessary evil or an annoying action,” but “think of it as your personal Ribat [fortification] position, as your shield to repel countless invisible attacks.”