The Essential Guide to Password Creation

Sep 7, 2020 | Cyber Security

Passwords are important.

I can see you rolling your eyes; passwords are deadly boring and very annoying. You need a password to change your mind these days, and each password is supposed to be different and unique. How is one supposed to remember them all?

Just think for a minute of your front door key. How many different doors does this key open? Would you be happy using a universal key to get into your house? Passwords are just like that unique key: they are an effective way of identifying and authenticating who you are. A password is the first, and sometimes the only, layer that stands between you accessing your money, data, social media accounts and email, and someone else accessing those assets and possibly compromising them, stealing from you, or locking you out.

The most common passwords are still ‘password’, ‘password1’ and ‘12345678’. Your dog could guess those! Even a password of 8 characters can be cracked in about 5 hours using a standard office computer, and many passwords that are made up of dates of birth, names of your pets and children, or your favourite band or football team can be easily worked out by reading your social media pages or googling you.

The National Cyber Security Centre’s first cyber survey revealed the most commonly used passwords that have been breached to reveal sensitive information. In the number one spot, the password ‘123456’ has been breached 23.2 million times; other examples include ‘liverpool’, breached 280,723 times, and ‘ashley’, breached 432,276 times.

One password – one account.

One of the biggest human-factor risks to businesses is staff re-using their passwords. If your work account password is the same as your Facebook password, a Facebook breach (or a breach of any other account where you use that username-password combination) could mean a big security problem for your organization. When an online company is breached, thousands of pieces of customer information can be stolen, including email addresses and passwords. The cyber criminals will immediately go through as many accounts as they can (e.g. utility companies, eBay, Instagram, Amazon, Hotmail, insurance companies), trying those username-password combinations in the hope of opening up an access point for more crime. This is the reason you need a separate password for each online account.

Your email address is the gateway for all your other accounts and the place where you reset your passwords. With this in mind, if a criminal gets access to your email account, they can take control of most other user accounts that you have. At the very least, have a complex and unique password for your email account that no one could guess.

Cyber criminals can use computers to guess people’s passwords and break into their computers in what is called a brute-force attack. The computer will try every combination of letters, literally working through the dictionary until it has found the words that work. It may even substitute logical alternatives such as ‘4’ for an ‘A’, ‘I’ for ‘1’, etc. For this reason, it is recommended that you use a password that is over 8 characters long or, better still, 12 characters or more, and that you limit the number of password attempts your account allows before it locks, to deter endless guessing.

So how do you think up a unique secure password for each of your user accounts and also remember them?

How to make a strong password.

The National Cyber Security Centre has a great deal of useful advice about passwords. They recommend that you use three random words which you can remember but which do not naturally go together. It is also a good idea to use numbers and special characters (*&%F£) in your password, as well as a combination of upper and lower case letters. The longer the better.
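The following Python example is added here and is not from the original article or the NCSC. It rejects the breached passwords named above even when they are disguised with the character swaps described earlier, builds a three-random-word password, and shows how length enlarges the space a guessing computer must search; the word list, swap table and function names are assumptions made for illustration.

```python
import math
import secrets

# Breached passwords named in the article; a real deny-list holds millions.
COMMON = {"password", "password1", "12345678", "123456", "liverpool", "ashley"}

# Look-alike swaps a guessing tool undoes: the article's 4/A and 1/I, plus a
# few more added here as an assumption (illustrative, not exhaustive).
SWAPS = str.maketrans({"4": "a", "@": "a", "1": "i", "!": "i",
                       "0": "o", "3": "e", "5": "s", "$": "s"})

# Constructed sample list. Real use needs a list of several thousand words.
WORDS = ["anchor", "biscuit", "cactus", "dolphin", "ember", "falcon",
         "glacier", "harbour", "igloo", "jigsaw", "kettle", "lantern",
         "marble", "nutmeg", "orchid", "pebble"]


def normalise(pw):
    """Lower-case and undo look-alike swaps so 'P4ssw0rd' becomes 'password'."""
    return pw.lower().translate(SWAPS)


# Deny-list in normalised form, so digit-only entries still compare equal.
DENY = {normalise(p) for p in COMMON}


def check_password(pw, min_length=12):
    """Return the reasons to reject pw; an empty list means it passed."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Also test the password with trailing digits removed ('liverpool2020').
    stem = pw.rstrip("0123456789")
    if normalise(pw) in DENY or normalise(stem) in DENY:
        problems.append("common password, even after swaps or added digits")
    return problems


def three_random_words(words=WORDS, sep="-"):
    """Pick three words with the OS random source, not the guessable 'random'."""
    return sep.join(secrets.choice(words) for _ in range(3))


def guess_space_bits(alphabet_size, length):
    """Bits of work to try every string of this length over this alphabet."""
    return length * math.log2(alphabet_size)
```

With lower-case letters only, going from 8 to 12 characters raises the search space from about 37.6 to about 56.4 bits, roughly 450,000 times more guesses.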

Looking after your passwords

The good news is that you do not need to remember all those long and complex passwords. You can use a genius piece of software called a Password Manager. You may have noticed that your browser already asks you if you’d like it to create and store passwords for you. This is a browser-integrated Password Manager and is safe for personal use; however, there are security issues linked to this kind of password manager, and for that reason it is recommended that you use an independent, stand-alone Password Manager such as LastPass or Dashlane. You can do some research on third-party Password Managers and use the one you feel is the safest. It is often as simple as downloading their software from their website for free. You will then only need to remember one really good, complex password for the Password Manager itself; after that, the Password Manager will remember your user names and create and remember extremely secure passwords for each of your accounts. It will be able to operate across multiple devices and on different browsers, and it can also be asked to remember additional information such as addresses, Wi-Fi codes, credit cards and passports, all organized and encrypted. Your life just got easier!

Another layer of security.

Another great way to add a layer of security to your password is to use two-factor authentication (2FA) or multi-factor authentication (MFA). This process is being used more and more and involves using your fingerprint, a retina scan, or a code sent to a separate device, e.g. your mobile phone, to further verify your identity. If you have the option for 2FA or MFA*, use it where possible.

Has your password already been made public?

If you are curious how many times your email and password have been exposed due to security breaches, check it out on the website haveibeenpwned.com. Don’t worry too much if you have been pwned; most emails have been breached. The important thing is to change your password if you believe it may have been compromised. If you suspect that you have a virus in your system, if the manufacturer notifies you of a security weakness in their product, or if someone on your contact list gets emails from you that you didn’t send, immediately go onto the relevant accounts and change the password.

*Next week’s IASME blog explores two-factor and multi-factor authentication further.