Perfect Password Practice
12th October 2015
Using strong passwords is one of the most effective ways to increase your online security and protect your data. It’s also very straightforward, so you’d expect it to be something that almost everyone does. Unfortunately, this is not the case … it is less convenient than using weak and easily remembered passwords, and people are just too busy.
However, if you imagine the potential repercussions of an information security breach it very quickly becomes evident that it is worth the effort to use strong passwords. Also, it doesn’t have to be inconvenient – once you have a system in place to manage your passwords it can actually save you a lot of time.
What is a Strong Password?
A strong password should be:
- unique – never use the same password for multiple websites or accounts. If one website is compromised then attackers will quickly and easily have access to all your online accounts using the same password.
- mixed – a strong password should contain a mix of letters, numbers and special characters.
- long – the longer the password the harder it is to crack using brute force and computing power. The exact length that is considered safe changes with time as computing power improves but at present a password of at least 12 characters long can be considered an absolute minimum.
- random – passwords shouldn’t contain dictionary words, names, birthdays or other personal information. They also shouldn’t be made up of patterns on the keyboard such as “qwerty” or “12345”. Dictionary attacks render even very long passwords weak if they contain easily identifiable dictionary words and phrases.
- secret – it’s obviously a bad idea to write a password on a post-it note and pin it to your computer (yes we have seen it!). Avoid sharing login details too – these days most websites allow for separate login details to be used by different users of the same account.
- changed – regularly changing passwords is very good practice. Change important passwords every 3 months, making sure not to re-use your old passwords. If you suspect that one or more of your accounts has been compromised change the password immediately; this simple step will often be enough to deny access to an attacker.
Whilst many individuals struggle with choosing and remembering complex passwords, there are several tried and tested means of achieving an acceptable level of protection. Consider the nursery rhyme “Old MacDonald had a farm ….” and you should be able to work out how that could help you to generate (and remember) the strong password “OMDhafe!e!o”‘ – there are many other rhymes, phrases and sayings for you to choose from.
It is near impossible to memorise a selection of random, 12-character passwords and recall them every time you need to log in to a web app. The old-school method of writing all your passwords in a little black book is inconvenient: its also easily compromised if you lose your little black book.
The modern solution to this modern problem is a dedicated password manager (e.g. LastPass). These usually work by letting you use one very strong password to access the manager where all your passwords are stored. There is now a good range of password managers available with a variety of convenient features such as random password generators and automatically log in to websites.
However, before you sign up for a password manager, take a moment to understand that if your password manager becomes compromised then all your web apps and accounts will be vulnerable. For this reason, it is very important to think carefully when choosing a password manager. A good password manager should be:
- zero-knowledge – also known as “TNO” (trust no one) means that no-one has access to your passwords or data… not even the software developers or cloud storage managers can see your passwords. The downside of this is that if you forget your master password there is no-one to help you retrieve it – but that is the price to be paid for the highest possible levels of security.
- open source – means that the code that the software is written in can be viewed by anyone. This means that the software is less likely to have weaknesses built into it and that it can be scrutinised to check that it does what is claimed. It’s important not to assume that because the software is open source that is it bug free – there are many cases of open source software containing vulnerabilities. However, software where the code is freely available is a strong positive for security.
- user friendly – a good password manager should be convenient and easy to use. If it isn’t you probably won’t want to use it.
- reputable – look for a widely used password manager with a good reputation that is up-to-date and with a team currently working on it.
- two-factor authentication enabled – meaning that you’ll need more than just a master password to access your passwords. It markedly improves the security of the password manager.
The NCSC View
The UK’s National Cyber Security Centre proposes an alternative view on passwords, with guidance which includes the use of multi-factor authentication and better awareness of how passwords can be compromised (e.g. by the increase in phishing attacks). Full details can be found here.
When you’re undertaking risk assessments, for example using our InfoSaaS risk management solution, ensure that you assess the strength of protection that passwords provide to your valuable information assets and the systems and solutions that support them. It also helps to have a clear and robust password management policy, and we can help with that too!