Jihadists received a cybersecurity lesson in a new magazine issue released this month by al-Qaeda in Syria, with encouragement to “no longer think of a password as a necessary evil or an annoying action” but “as your personal Ribat [fortification] position, as your shield to repel countless invisible attacks.”
That means, the article chided, not selecting “123456” or the word “password” to protect myriad online accounts on which so much jihadist activity is conducted nowadays.
The guidance was included in Hayʼat Tahrir al-Sham’s English-language online magazine al-Haqiqa, which published its first issue in February 2017. The third issue of the magazine, published this past February, delved into cyber issues with articles on “media jihad” basics and the use of Bitcoin to fundraise.
“You know that feeling? Opening a social media app on your phone, swiping down and looking in vain for your favorite channel? Only realizing seconds later, that it must have been suspended….again…? Irritating, right?” began the media jihad piece. “If this is annoying for you as a reader, imagine how tiresome it must be for the brothers operating these channels, who are working hard every day to bring you the latest developments.”
Whereas that issue briefly ruminated on the sharia compliance of cybercurrencies, the newest al-Haqiqa released this month included a Bitcoin graphic urging readers to “share your wealth to finance jihad.”
The password protection article declares that, by using an acronym derived from the first letters of a user’s favorite hadith or quote, “Even the best spy agency would have to dedicate all of its computing power and resources for many years still finding this a very tough nut to crack.”
“Your password length should be at least twelve characters long. Your password should be a combination of lower case letters, upper case letters, numbers and hyphens. Make no mistake: any password is crackable, but obviously longer ones are harder to figure out,” the anonymous author instructs.
Acknowledging that “most of us are creatures of habit and stick to their trusted password for years if they get the chance,” with jihadists being no exception, readers are told to change their passwords every six months, pick different passwords for each “highly sensitive” account, and resist the temptation “to write your passwords down somewhere.”
“A memorable combination of letters is all that protects you from the Kafir [disbeliever] enemy such as their police and intelligence services. Remember there are spies everywhere: they will try to crack your password via phishing expeditions and via hacking,” states the article, calling a strong password “your first line of defense.”
Aspects of this defense discussed in the article include the use of password managers and two-step verification. “Avoid the ones who are web-based online or offer you ‘convenient’ cloud functions. Instead use a freely available offline program like KeePass. A password manager will randomly generate unguessable passwords, remember them for you, and automatically use those saved passwords to log in to your secure sites,” continues the guide. “The best offline password managers work on all your devices, be they desktops, laptops, smartphones, or tablets.”
Al-Haqiqa recommends a Time-based One-Time Password algorithm (TOTP), but tells followers to be choosy: “Google has a TOTP app, but it is better if you pick an alternative open source application, so you would not even have to be connected to the internet.”
“Never use any information about yourself that can be found in the public record. This includes birthdays, anniversaries, license plate numbers, or home addresses. Never make your password the same as your username. Never use recognizable keystroke patterns like ‘1qaz2wsx’ on a qwerty keyboard,” continues the tutorial. “…Never replace letters with numbers in a common dictionary word. Most botnets are keen to so-called ‘l33tspeak’ and will crack ‘Pr0ph3t’ just as fast as the word ‘Prophet’. Never use the ‘remember password’ option in your browser.”
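The rules quoted above (twelve or more characters, mixed character classes, no reuse of the username or public facts, no keyboard walks, no leetspeak versions of dictionary words) are the kind of checks a policy enforcer runs at password-set time. The following is an added example, not code from al-Haqiqa or from any password manager, written in Python from a defender's stance. The leetspeak substitution table, the QWERTY sequences and the five-word dictionary are constructed for illustration; a real deployment would load a large breached-password or word list in place of `DICTIONARY`.

```python
"""Password-policy checker for the rules quoted in the article. Added example."""

# Constructed table of common "l33tspeak" substitutions mapped back to letters,
# so "Pr0ph3t" normalises to "prophet" before the dictionary lookup.
LEET_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# QWERTY rows plus the column-by-column walk that produces patterns like "1qaz2wsx".
KEYBOARD_SEQUENCES = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p",
]

# Constructed toy word list; replace with a real breached-password list in practice.
DICTIONARY = {"prophet", "password", "welcome", "letmein", "jihad"}


def normalize_leet(pw: str) -> str:
    """Lower-case and undo digit/symbol-for-letter swaps."""
    return pw.lower().translate(LEET_TO_LETTER)


def has_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if any run of `min_len` adjacent keys (forwards or backwards) appears."""
    s = pw.lower()
    for seq in KEYBOARD_SEQUENCES:
        for i in range(len(seq) - min_len + 1):
            window = seq[i:i + min_len]
            if window in s or window[::-1] in s:
                return True
    return False


def check_password(pw: str, username: str, public_facts=()) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "lower-case letter": any(c.islower() for c in pw),
        "upper-case letter": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "hyphen": "-" in pw,
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    if pw.lower() == username.lower():
        problems.append("same as username")
    for fact in public_facts:           # birthdays, plates, addresses the user supplied
        if fact.lower() in pw.lower():
            problems.append(f"contains public fact '{fact}'")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard walk")
    if normalize_leet(pw) in DICTIONARY:
        problems.append("l33tspeak variant of a dictionary word")
    return problems


def acronym_from_quote(quote: str) -> str:
    """First letter of each word: the memory aid the article suggests as a seed."""
    return "".join(w[0] for w in quote.split() if w[0].isalpha())


if __name__ == "__main__":
    seed = acronym_from_quote("The quick brown fox jumps over the lazy dog")
    for candidate in ["123456", "Pr0ph3t", "1qaz2wsx", f"{seed[:4]}-{seed[4:]}-Sw19"]:
        print(f"{candidate!r}: {check_password(candidate, 'abu') or 'ok'}")
```

Note that the acronym alone is a seed, not a finished password: the check still demands twelve characters and all four classes, so the caller has to extend it with case changes, digits and hyphens before it passes, which is the combination the article is describing.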