Al-Qaeda Cybersecurity Tutorial to Jihadists: Fix Your Lame Passwords

Jihadists received a cybersecurity lesson in a new magazine issue released this month by al-Qaeda in Syria, with encouragement to “no longer think of a password as a necessary evil or an annoying action” but “as your personal Ribat [fortification] position, as your shield to repel countless invisible attacks.”

That means, the article chided, not selecting “123456” or the word “password” to protect myriad online accounts on which so much jihadist activity is conducted nowadays.

The guidance was included in Hayʼat Tahrir al-Sham’s English-language online magazine al-Haqiqa, which published its first issue in February 2017. The third issue of the magazine, published this past February, delved into cyber issues with articles on “media jihad” basics and the use of Bitcoin to fundraise.

“You know that feeling? Opening a social media app on your phone, swiping down and looking in vain for your favorite channel? Only realizing seconds later, that it must have been suspended….again…? Irritating, right?” began the media jihad piece. “If this is annoying for you as a reader, imagine how tiresome it must be for the brothers operating these channels, who are working hard every day to bring you the latest developments.”

Whereas that issue briefly ruminated on the sharia compliance of cybercurrencies, the newest al-Haqiqa released this month included a Bitcoin graphic urging readers to “share your wealth to finance jihad.”

The password protection article declares that, by using an acronym derived from the first letters of a user’s favorite hadith or quote, “Even the best spy agency would have to dedicate all of its computing power and resources for many years still finding this a very tough nut to crack.”

“Your password length should be at least twelve characters long. Your password should be a combination of lower case letters, upper case letters, numbers and hyphens. Make no mistake: any password is crackable, but obviously longer ones are harder to figure out,” the anonymous author instructs.

Acknowledging that “most of us are creatures of habit and stick to their trusted password for years if they get the chance,” with jihadists being no exception, readers are told to change their passwords every six months, pick different passwords for each “highly sensitive” account, and resist the temptation “to write your passwords down somewhere.”

“A memorable combination of letters is all that protects you from the Kafir [disbeliever] enemy such as their police and intelligence services. Remember there are spies everywhere: they will try to crack your password via phishing expeditions and via hacking,” states the article, calling a strong password “your first line of defense.”

Aspects of this defense discussed in the article include the use of password managers and two-step verification. “Avoid the ones who are web-based online or offer you ‘convenient’ cloud functions. Instead use a freely available offline program like KeePass. A password manager will randomly generate unguessable passwords, remember them for you, and automatically use those saved passwords to log in to your secure sites,” continues the guide. “The best offline password managers work on all your devices, be they desktops, laptops, smartphones, or tablets.”

Al-Haqiqa recommends a Time-based One-Time Password algorithm (TOTP), but tells followers to be choosy: “Google has a TOTP app, but it is better if you pick an alternative open source application, so you would not even have to be connected to the internet.”

“Never use any information about yourself that can be found in the public record. This includes birthdays, anniversaries, license plate numbers, or home addresses. Never make your password the same as your username. Never use recognizable keystroke patterns like ‘1qaz2wsx’ on a qwerty keyboard,” continues the tutorial. “…Never replace letters with numbers in a common dictionary word. Most botnets are keen to so-called ‘l33tspeak’ and will crack ‘Pr0ph3t’ just as fast as the word ‘Prophet’. Never use the ‘remember password’ option in your browser.”

Bridget Johnson is the Managing Editor for Homeland Security Today. A veteran journalist whose news articles and analyses have run in dozens of news outlets across the globe, Bridget first came to Washington to be online editor and a foreign policy writer at The Hill. Previously she was an editorial board member at the Rocky Mountain News and syndicated nation/world news columnist at the Los Angeles Daily News. Bridget is a senior fellow specializing in terrorism analysis at the Haym Salomon Center. She is a Senior Risk Analyst for Gate 15, a private investigator and a security consultant. She is an NPR on-air contributor and has contributed to USA Today, The Wall Street Journal, New York Observer, National Review Online, Politico, New York Daily News, The Jerusalem Post, The Hill, Washington Times, RealClearWorld and more, and has myriad television and radio credits including Al-Jazeera and SiriusXM.
