The official government password advice from the National Cyber Security Centre has been updated recently and we think it’s a lot more workable than past information.
We all have to contend with multiple passwords, and we know that, ideally, each one should be a trade-off between something you can remember and something that is hard for a cyber criminal to guess.
If a password is too complicated, then even those with the best memories could be tempted to write it down or store it insecurely somewhere on their computer.
For example, we just used the Norton password generator to create this password: VaZaxuq56a+e
While this is secure, it is unlikely to be remembered easily unless you write it down or use a password manager. If you write a password down, this immediately compromises your security.
Conversely if your passwords follow these patterns:
- Password
- 123456
- qwerty
- Your kid’s name
- Always the same one
- Birthdays or birth years
…your systems are not secure, as these are easy to crack. And if you use the same password everywhere, all your services could be at risk as soon as a hacker cracks that one password.
How passwords can be stolen
Here are some of the main ways passwords can be stolen:
- Social engineering e.g. phishing; coercion.
- Manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names.
- Intercepting a password as it is transmitted over a network.
- ‘Shoulder surfing’: observing someone typing in their password at their desk.
- Installing a keylogger to intercept passwords when they are entered into a device.
- Searching an enterprise’s IT infrastructure for electronically stored password information.
- Brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found.
- Finding passwords which have been stored insecurely, such as handwritten on paper and hidden close to a device.
- Compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.
If your passwords can be guessed easily then your systems can be hacked leaving you vulnerable to ransomware and other malicious attacks.
New password advice guidance
No system is 100% secure, but you can make it much harder for the criminals. Recently updated government password advice takes a different approach to creating hard-to-guess passwords.
One of the most sensible recommendations is not forcing people to change passwords regularly, because people forget them or choose guessable variations of the last password, such as changing a number or symbol.
One good tip on making memorable but secure passwords is to use a combination of three random or vaguely related words. For example:
“Alsatian” + “Fish” + “Persian” = AlsatianFishPersian
Tack on a number (not birthday or year) and a symbol and you have something even more secure.
Three well-chosen random words can be quite memorable but not easy to guess. This provides a good compromise between protection and memorability.
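To show why three random words work, and how their guessing space compares with a generator-style password like the VaZaxuq56a+e above, here is an added Python example (our illustration, not code from the NCSC or any password product). It picks words with the operating system's cryptographic random source and computes the size of the guessing space in bits. The word list is a constructed toy list of 16 words; the 7,776-word figure is the size of a diceware-style list and the 72-symbol alphabet (upper, lower, digits and ten symbols) is an assumption about the generator's character set.

```python
import math
import secrets

# Constructed 16-word toy list for illustration only; a real deployment would
# draw from a dictionary of several thousand words so the three-word space is large.
WORDS = [
    "alsatian", "fish", "persian", "coffee", "bicycle", "window", "mountain",
    "purple", "thunder", "velvet", "orange", "candle", "planet", "silver",
    "harbour", "jungle",
]


def three_random_words(words=WORDS, count=3, separator=""):
    """Pick `count` words using the OS CSPRNG (secrets), never random.choice,
    and capitalise each one so the word boundaries stay readable."""
    return separator.join(secrets.choice(words).capitalize() for _ in range(count))


def passphrase_entropy_bits(dictionary_size, count=3):
    """Bits of guessing space for `count` words chosen uniformly from a
    dictionary of `dictionary_size` words: count * log2(size)."""
    return count * math.log2(dictionary_size)


def random_string_entropy_bits(alphabet_size, length):
    """Bits of guessing space for a `length`-character string drawn uniformly
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("example passphrase:", three_random_words())
    # toy list: 3 * log2(16) = 12 bits, far too small to rely on in practice
    print("16-word toy list, 3 words:", passphrase_entropy_bits(len(WORDS)), "bits")
    # assumed 7,776-word list (diceware-sized): about 38.8 bits
    print("7776-word list, 3 words:", round(passphrase_entropy_bits(7776), 1), "bits")
    # assumed 72-symbol alphabet, 12 characters: about 74 bits
    print("12 random chars, 72-symbol alphabet:", round(random_string_entropy_bits(72, 12), 1), "bits")
```

The numbers make the compromise the text describes concrete: the 12-character generator string has roughly twice the guessing space of three words from a large list, but the three words are the ones a person can actually remember, and the dictionary size is what matters most, so the word list must be large and the words genuinely random rather than chosen by the user.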
Password manager software is also now relatively secure, but make sure you use a reputable product: see our blog post on password managers.
Here are some final important pieces of password advice:
- Put technical defences in place so that simpler passwords can be used.
- Steer users away from predictable passwords and ban the most common.
- Encourage users to never re-use passwords between work and home.
- Train staff to help them avoid creating passwords that are easy to guess.
- Be aware of the limitations of password strength meters.
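The list above turns into a small server-side check quite directly. Here is an added Python example (our illustration, not NCSC or vendor code) that bans the most common passwords, catches the predictable variations people make of them (trailing digits, symbols and letter-for-symbol swaps) and rejects passwords containing the user's own details, alongside a typical checkbox-style strength meter so the two can be compared. The denylist is a constructed six-entry sample; a real deployment uses a list of the most common breached passwords with tens of thousands of entries.

```python
import re

# Constructed sample denylist; production systems use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Common letter-for-symbol swaps that make "P@ssw0rd" look different while
# leaving it trivially guessable.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password):
    """Reduce predictable variations (Password1!, P@ssw0rd) to their base word."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)      # strip trailing digits and symbols first
    p = p.translate(LEET_MAP)           # undo letter-for-symbol swaps
    p = re.sub(r"^[^a-z]+", "", p)      # then strip leading non-letters
    return p


def naive_strength_score(password):
    """A typical strength meter: one point per character class plus a length
    bonus, 0 to 5. It rewards P@ssw0rd1! with full marks."""
    score = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"):
        if re.search(pattern, password):
            score += 1
    if len(password) >= 8:
        score += 1
    return score


def check_password(password, user_info=()):
    """Return (accepted, reason). `user_info` holds the user's own details
    (name, pet name, etc.) that must not appear in the password."""
    if len(password) < 8:
        return False, "too short"
    if password.lower() in COMMON_PASSWORDS:
        return False, "common password"
    base = normalise(password)
    if base in COMMON_PASSWORDS:
        return False, f"variation of common password '{base}'"
    for info in user_info:
        if info and info.lower() in password.lower():
            return False, "contains personal information"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Welcome2024", "qwerty12",
                      "AlsatianFishPersian", "ThunderCandle7"):
        accepted, reason = check_password(candidate, user_info=("Candle",))
        print(f"{candidate:22} meter={naive_strength_score(candidate)} "
              f"accepted={accepted} ({reason})")
```

Run it and the limitation of strength meters is visible at once: P@ssw0rd1! scores 5 out of 5 on the meter yet is rejected as a variation of "password", while AlsatianFishPersian scores only 3 and is accepted. The meter measures character classes; the denylist measures how likely an attacker is to try the password, which is what actually matters.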
See these links for further advice on this important issue:
Three random words for passwords
How to protect against password guessing attacks
NCSC infographic on password security
How to set up a strong password
Visit our blog page for more information on web security, web design and web hosting: Web Growth blog