6 August 2018

Passwords, normally in conjunction with a User identity (userid), have been in use for as long as we have had access to computers.

So what makes a good password?

While they are far from a perfect system of providing a unique identification for access to resources and have a number of weaknesses, they are almost universally used, commonly accepted and unlikely to be replaced with anything else in the foreseeable future.

The advice varies. Ideally they should be sufficiently strong, unique for each account that you require access to and they should also be memorable. Unfortunately, we are human and struggle to remember the long strings of random characters that create strong passwords. When we compound this with the need to remember large numbers of unique strings of characters (remember, a different password for each account) then, inevitably, we make compromises and these undermine the security that was offered by the system. According to advice given by CESG (the National Technical Authority), the average person in the UK has 22 online passwords.

The number of characters and the complexity required will depend on the rules put in place by the organisation and the sensitivity of the information being protected, and there are a number of do’s and don’ts that should be considered.

Do

  • Choose a password that is at least eight characters in length (the longer the password, the harder it is for criminals to break it),
  • Use a combination of upper and lower case letters, numbers and symbols ( @ # $ % ^ & * ( ) _ +. ). However, remember that changing letters to numbers (for example E to 3 and i or l to 1) is well-known to criminals.
  • Pick a phrase that you know and can remember, for example “Attitude is a little thing that makes a big difference.” and take the first character from each word to get 'Aialttmabd.'

Don't

Don’t use the following as passwords:

  • Your username, actual name or business name.
  • Family members’ or pets’ names.
  • Your own birthday or the birthdays of members of your family.
  • Your favourite football or other sports team or other words easy to work out with a little background knowledge, for example things related to your interests.
  • Numerical or keyboard sequences, such as 12345678.
  • A single common dictionary word, which can very easily be cracked by common hacking programs.
  • When choosing numerical passcodes or PINs, do not use ascending or descending numbers (for example 4321 or 12345), duplicated numbers (such as 0000 or 1111) or easily recognisable keypad patterns (such as 14789 or 2580).

Note: The ten most commonly used passwords are 123456, password, 12345678, qwerty, 12345, 123456789, football, 1234, 1234567, baseball.
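As an added example that is not part of the original article, the following Python checker applies the Do/Don't rules and the top-ten list above to candidate passwords and PINs, and derives a password from a phrase as in the "Attitude" example. The three-of-four character-class threshold, the extra substitutions (o to 0, a to @, s to $) and the reversed keypad patterns are assumptions.

```python
# Added example (not the article's code): a checker built from the page's Do/Don't rules; thresholds assumed.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345",
                    "123456789", "football", "1234", "1234567", "baseball"}
KEYPAD_PATTERNS = {"2580", "0852", "14789", "98741"}  # the page's examples plus their reversals
SYMBOLS = set("@#$%^&*()_+.")  # the symbol set the page lists
# Undo well-known letter-to-digit swaps (E->3, i/l->1 from the page; o->0, a->@, s->$ assumed)
UNLEET = str.maketrans({"3": "e", "1": "i", "0": "o", "@": "a", "$": "s"})

def first_letters(phrase: str) -> str:
    """First character of each word, keeping the closing punctuation as the symbol."""
    words = phrase.split()
    tail = words[-1][-1]
    return "".join(w[0] for w in words) + (tail if not tail.isalnum() else "")

def is_sequence(s: str) -> bool:
    """True for numerical or keyboard runs such as 12345678, 4321 or qwerty."""
    s = s.lower()
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])} if s.isdigit() else set()
    return len(s) > 2 and (steps in ({1}, {-1})
                           or any(s in row or s in row[::-1] for row in KEYBOARD_ROWS))

def check_password(pw: str, userid: str = "") -> list[str]:
    """Return the page's rules that pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw))
    if sum(classes) < 3:  # assumption: at least three of the four classes
        problems.append("needs a mix of upper, lower, digits and symbols")
    plain = pw.lower().translate(UNLEET)  # P@ssw0rd -> password
    if pw.lower() in COMMON_PASSWORDS or plain in COMMON_PASSWORDS:
        problems.append("common password (even after undoing letter-to-digit swaps)")
    if userid and userid.lower() in plain:
        problems.append("contains the userid")
    if is_sequence(pw):
        problems.append("numerical or keyboard sequence")
    return problems

def check_pin(pin: str) -> list[str]:
    """Apply the page's PIN rules: no runs, no repeated digit, no keypad pattern."""
    problems = []
    if is_sequence(pin):
        problems.append("ascending or descending sequence")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    if pin in KEYPAD_PATTERNS:
        problems.append("recognisable keypad pattern")
    return problems
```

Note that the phrase-derived 'Aialttmabd.' passes while 'P@ssw0rd' is rejected because the substitutions are reversed before the dictionary check.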

The Government advice on passwords can be found at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

Protecting your passwords

There are a number of things that you need to do to ensure that your passwords are protected – remember, they are the keys to the valuable information that you want to protect. These include:

  • Don't enter your password when others can see what you are typing (shoulder surfing).
  • Never give your passwords to anyone else. If you think that someone else has discovered your password, change it immediately.
  • In the past, the advice was that you should routinely change your passwords; however, this is no longer recommended unless the accounts to which they apply have been hacked, in which case they should be changed immediately.
  • Do use a different password for every website.
  • Don’t recycle passwords (use them again after a break).
  • If you must write passwords down in order to remember them, make sure that they are locked away securely (in a safe). Don’t store them on your smartphone or as an unencrypted file on your phone or computer.
  • Consider using an online password vault or safe, but only use a reputable organisation.
  • Never send your password by email.

Given the difficulty in creating and remembering good passwords, one alternative is to use a password manager, which also has built-in password generator tools, such as:

Password managers store all of your passwords for you and will automatically fill out your log-in forms, so that the only thing you have to memorise is the master password that you use to access the password manager. It's worth noting, however, that just like any other software, password managers are vulnerable to security breaches. In 2011, LastPass experienced a security breach; however, users who had a strong master password were not affected.

Consider using two-step authentication

Any time a service like Facebook or Gmail offers 'two-step verification', use it. When enabled, signing in will also require you to enter a code that is sent as a text message to your phone. This means that a hacker who isn't in possession of your phone won't be able to sign in, even if they know your password.

You only have to do this once for 'recognized' computers and devices.

There is no perfect answer to the problem of passwords, but the application of the measures listed above will help you to improve the security that you get from them. Even then, all passwords can eventually be broken, given enough time and resources.