Once the preserve of spies and their masters, cryptology – the science of keeping secrets – now affects us all.
Hardly a week goes by without news that one government has been spying on another, or that hackers have broken into a website and made off with client data.
Earlier this month the crowdfunding site Kickstarter became the latest high-profile victim of hacking. Customer information including usernames, email and postal addresses was stolen.
The company insists no credit card data was accessed, and that the security breach has been rectified. Even so, it has advised its five million-plus users to change their passwords “as a precaution”.
All of which prompts the question: why can’t these supposedly tech-savvy companies keep our secrets secret?
Bluntly, the fault largely lies not with them, but with us. Despite countless warnings, surveys suggest that about 80 per cent of the passwords we use are virtually hopeless.
Last month, online security company SplashData announced that “123456” now topped its annual Worst Password list – having beaten that long-standing champ “password” into second place.
It’s hardly a secret why such pathetic passwords are so common: most of us just can’t be bothered to devise and memorise individual, secure passwords for all the sites we access.
This highlights one of the enduring challenges of real-life cryptology: the compromise between security and convenience. And it’s one that a UAE-based cryptologist is trying to tackle. Dr Ziyad Al Salloum, of ZSS Research, Ras Al Khaimah, thinks the answer lies in pictures rather than words.
We all know we’re supposed to pick passwords made from long, complex character strings, such as 45Gh6%7hUklR9#3. With more permutations than there are particles in the universe, such a password is all but impossible to break.
But such passwords are also incredibly hard for humans to remember, and even cryptologists accept that for that reason they are never going to be widely used.
That’s led them to turn to a neat mathematical trick to make even “123456” a bit harder to break.
In school maths, we learn how to “undo” the operation of multiplication by using the reverse process of division. In the mid-1970s, cryptologists began investigating a means of keeping passwords secret using operations that are very hard to reverse.
They focused on so-called “hash functions” – ways of scrambling long strings of characters that can’t easily be reversed.
The idea was that companies would then store not the client passwords themselves, but only the scrambled versions.
Every time a user typed in a password, it would be scrambled according to the mathematical recipe and the outcome checked against the list of scrambled versions held by the company, which would have no idea what the original password actually is.
That solves the problem of both company insiders and outside hackers getting access to the original passwords – as the hashing process is very hard to undo.
Or at least, that was the theory. Like most clever ideas in cryptology, however, it quickly fell victim to the ingenuity of code-breakers. They found a neat trick for undermining the hashing process, called a dictionary attack.
This involves compiling a “dictionary” of the hashed version of likely passwords, and looking for these in the stolen records. As the same characters always produce the same hashed versions, the dictionary would then reveal the original password.
The cryptologists hit back by adding a long random number to every password before it gets hashed. Known as “salting”, this hides the connection between the password and the hashed version, preventing dictionary attacks.
This is the basic method used by many commercial companies – including Kickstarter – to keep client passwords safe.
Even with this extra security, clients using weak passwords are still much more vulnerable than others. That’s because hackers start with simple passwords, and then focus on removing the random number “salt” to see if they’re right.
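The storage scheme described above, as an added Python example that is not from the original article or from any company it names: it stores the same constructed accounts first as plain hashes and then as salted, deliberately slow hashes, and runs a defender's audit for identical records. The account names, the choice of SHA-256 and PBKDF2 and the round count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts: two users picked the same weak password.
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "BPwbiOi1963"}
PBKDF2_ROUNDS = 200_000  # assumed work factor, not a value from the article


def unsalted_record(password: str) -> str:
    """Plain hash, no salt: identical passwords give identical records."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None):
    """Per-user random salt plus a slow hash; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, record) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(salted_record(password, salt)[1], expected)


def shared_records(table: dict) -> list:
    """Audit: group users whose stored record is byte-for-byte identical."""
    groups: dict = {}
    for user, record in table.items():
        groups.setdefault(record, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def build_tables():
    """Store the sample accounts both ways so the two can be compared."""
    unsalted = {u: unsalted_record(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, shared records:", shared_records(unsalted))
    print("salted, shared records:  ", shared_records(salted))
    print("alice login ok:", verify("123456", salted["alice"]))
```

The salt is stored beside the hash and is not a secret; its job is to make every record unique, so one precomputed table cannot be matched against the whole list. A weak password behind a salted record can still be guessed one account at a time, which is why the slow hash and better passwords both matter.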
So what can be done to get everyone to use better passwords? Making complex ones more memorable would be a start.
And that’s the approach being taken by Dr Al Salloum. He is developing a source of unguessable passwords based on the fact that we remember places far better than random character strings.
The idea is very simple: instead of picking passwords, we pick a place in the world that means something to us from an online atlas similar to Google Maps. Divided up into a grid of hundreds of billions of squares, this “password atlas” allows the location of our special place to be turned into a very long number-string. This can then be added to a long random number “salt”, and the combination converted via a hash function into a very secure password string. All we have to remember is the location – a building, say, or road junction – that we chose.
Describing his method in the current issue of the International Journal of Signal and Imaging Systems Engineering, Dr Al Salloum says it’s far more resistant to standard hacking techniques used to turn hash strings back into passwords.
Perhaps so, but it’s unclear whether it will stop people swapping their guessable passwords like “123456” for images of guessable locations like the Eiffel Tower or the Burj Khalifa.
And even if it does, you can be sure the hackers will find a way around it eventually. Cryptologists know they’re locked in a Darwinian war for supremacy that’s not going to stop any time soon.
In the meantime, there’s a trick anyone can use to create better passwords: use pass-phrases instead.
Think of a simple phrase – such as “Brad Pitt was born in Oklahoma in 1963” – and take the initials of each word, plus the number: “BPwbiOi1963”.
The result is not utterly unbreakable, but it’s easy to remember – and it’ll keep hackers out of your account for longer than it takes to type “123456”.
Robert Matthews is visiting reader in science at Aston University, Birmingham