
Passwords: What not to do...

What is good password security?

Today, 3rd May 2018, is World Password Day, something that I didn’t even know existed until it popped up on my Twitter feed. We hear all the time that we should be using secure passwords, but what does this really mean? I think it is reasonably obvious why we should be using so-called “secure” passwords; how we actually make our passwords secure is the more interesting problem. Below are a few easy steps that we can all take:

1. Use a complex password

I live by the motto that a password can never be too complex, only too easy. Below is my recipe for creating a password that is hard for cyber criminals to crack:

  • Don't use single words, use phrases.

  • Make sure the phrase consists of at least 12 characters.

  • Use upper and lower case letters, numbers and symbols.

  • Don't use personal information, your favourite sports team or your pet's name.

2. Don’t share your password

Passwords are supposed to be secrets, and secrets shouldn’t be shared with anyone. As soon as you share a password with someone, you have lost control of it - who knows who they have shared it with, where they have written it down or who else may intercept it.

3. Don’t reuse passwords

If I had a registration form on this website which asked for your email address and password to register for the latest news and updates from across the InfoSec industry, you might well sign up. What you wouldn’t know is how I am storing that email address and password, who has access to where I am storing them and whether they may be used for a malicious purpose by someone at some other time. By using the same password across multiple sites, you run the real risk of all of your online accounts being breached. This is especially important when it comes to your sensitive accounts such as your personal banking. Remember that a password is your secret and your responsibility, so don’t assume that the website you are sharing it with will take on that same responsibility - it may not.

4. Cycle your passwords regularly

A document by CESG, now the NCSC, advised that this may not be good practice. They state that mandatory expiry isn’t a good approach to security, as it doesn’t take into account the ‘usability cost’ of doing this; for example, IT Support having to reset users’ passwords because they have managed to forget them. Not only this, if you haven’t picked a completely different password you will probably have just increased the number on the end by one, which in all honesty doesn’t increase the security of that password. I agree with this to an extent, however I still think that it is good practice to rotate passwords frequently, especially on the most sensitive accounts. If you can’t remember the passwords, see step 6. Also, if you believe that the account may have been compromised then definitely change the password!

5. OTP, 2FA and 2-Step Verification

Most likely I will write another blog post on these, as there is a big difference between the three. If there is an option to use them, do it - they will increase the security of the account, although some add more value than others. More to come on that…

6. Password Managers

Personally, I use a password manager called 1Password, which I would highly recommend, although there are others out there too, including some that are free of charge such as KeePass. I use 1Password specifically because it integrates really well with my web browsers on both Mac and Windows, as well as Safari on iOS.