We are all familiar with passwords: they’re an essential layer of security that we use daily. If you've followed our content previously, you'll know that we frequently emphasise the importance of strong passwords.
This is mainly because weak passwords are usually the largest cause of cyber breaches. Over 38% of breaches were related to passwords according to the latest Verizon Data Breach Investigations Report.
You may have heard advice to use a ‘strong, long and unique’ password on your accounts. What does this actually mean in practice? Below are some considerations.
Strong and Long
The strength and uniqueness of a password are what truly determine its effectiveness.
Strength testing tools, such as this one provided by Bitwarden, are a great way to check that a password is both strong and long. As shown below, you should aim for a password that Bitwarden classifies as “strong”.
To achieve this strength, it typically requires a password to be:
12 characters and above in length
A mix of numbers and letters, or the “three random words” approach (explained below)
Unique
A unique password means that it is exclusive and not shared with any other account you have.
How do you make a unique password? The easiest route is to have a password generated randomly by tools such as a password manager (more on that below).
However, you may also prefer to create your own passwords manually. The National Cyber Security Centre (NCSC) is the cyber security arm of the UK government, and it recommends the “three random words” technique. It is as simple as it sounds: combine at least three random words into one password (such as “applefishpen” – and don’t use that password now!).
Another approach to setting manual passwords is to use a password generator such as this one provided by Bitwarden. Although this creates strong, long and unique passwords, it certainly will not create memorable passwords like the “three random words” approach.
Three random words is a more balanced approach as it creates both strong and memorable passwords.
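To show why three random words drawn at random from a large list are both memorable and strong, here is an added example (not code from the original post) that picks words with a cryptographically secure random source, estimates the resulting entropy in bits, and enforces the 12-character minimum from the guidance above. The eight-word list is a constructed stand-in; a real generator would use a list of thousands of words.

```python
import math
import secrets

# Constructed mini word list for the demo only. A real generator draws from a
# large list (thousands of words) so that every word contributes many bits.
WORDLIST = ["apple", "fish", "pen", "river", "candle", "orbit", "maple", "quartz"]

MIN_LENGTH = 12  # the "12 characters and above" guideline


def three_random_words(words, count=3, separator=""):
    """Pick `count` words uniformly at random using the CSPRNG in `secrets`."""
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(wordlist_size, count):
    """Entropy of `count` independent uniform picks from `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def meets_length_rule(password, minimum=MIN_LENGTH):
    """True when the password satisfies the minimum length rule."""
    return len(password) >= minimum


def generate_until_long_enough(words, count=3, minimum=MIN_LENGTH, attempts=100):
    """Regenerate until the passphrase meets the length rule; None if it never does."""
    for _ in range(attempts):
        candidate = three_random_words(words, count)
        if meets_length_rule(candidate, minimum):
            return candidate
    return None


if __name__ == "__main__":
    pw = generate_until_long_enough(WORDLIST)
    print(pw, f"({entropy_bits(len(WORDLIST), 3):.1f} bits from this tiny list)")
    print(f"{entropy_bits(7776, 3):.1f} bits from a 7776-word list such as a diceware list")
```

Three words from a 7776-word list give roughly 39 bits of entropy; three words from the eight-word demo list give only 9, which is why the size of the word list matters as much as the number of words.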
You also want to avoid using easily guessable passwords (we’re looking at you p@ssword). Using information such as birthdays, your company's name, sports teams etc. should be avoided as this information can usually be gathered from social media profiles, making life easier for a cyber criminal.
A password should also never be reused on another account. For example, using the same password for your email and Spotify means that anyone who obtains it potentially has access to both accounts.
By keeping passwords unique, you ensure that if one password is compromised, the security of other accounts remains intact thanks to the different passwords used.
Do I need a strong password on every account?
Ideally, yes, and password managers such as iCloud Keychain or 1Password make this easy to implement. However, it is not always feasible. At a minimum, you should have a strong password on any account that you consider highly important or that holds information you cannot afford to see exposed, modified or deleted (such as financial details).
You should always have a strong password on your email accounts. Our emails typically contain large amounts of private information. Furthermore, they are usually connected to pretty much all of our other accounts. If someone gets access to your email, they can use this to make password reset requests for other accounts so the security really matters here.
Strong passwords should also be used on platforms such as password managers. These typically require a "master password" to enter your vault. This should be extremely strong, as it's the key to all your other passwords. If you have a weak password here, then all your other passwords stored can be accessed easily.
How to know if a password has already been leaked?
If you wish to check whether a password you plan to use has already been leaked, you can make use of tools such as this one provided by Have I Been Pwned, a website that allows you to check whether a password has previously appeared in a data breach.
According to Have I Been Pwned, entering the term "Football123" reveals that this particular password has appeared in more than 4,000 instances of data breaches.
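The Pwned Passwords lookup can be done without ever sending the password itself: the client hashes it with SHA-1 and sends only the first five hex characters, and the service answers with every matching hash suffix and its count. The following is an added example (not code from the post or from Have I Been Pwned) of that client-side logic; the sample corpus and its counts are constructed, and only `live_fetch_range` touches the real service.

```python
import hashlib
import urllib.request


def sha1_prefix_suffix(password):
    """Uppercase hex SHA-1 split into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines a /range/{prefix} call returns."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Times `password` appears in the corpus (0 if absent). `fetch_range`
    takes a 5-char prefix and returns the response text for that range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix):
    """Real lookup (needs network); only the 5-char prefix is transmitted."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetcher(known_counts):
    """Constructed stand-in for live_fetch_range built from a {password: count}
    dict, so the check runs offline with the same response format."""
    table = {}
    for pw, n in known_counts.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{n}")

    def fetch(prefix):
        return "\r\n".join(table.get(prefix.upper(), []))

    return fetch


if __name__ == "__main__":  # constructed sample corpus, not the real service
    fetch = offline_fetcher({"Football123": 4000, "hunter2": 17})
    print("Football123 seen", breach_count("Football123", fetch), "times")
```

Swap `fetch` for `live_fetch_range` to query the real service; a non-zero count means the password should not be used.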
How to make a password even stronger?
Here is where you can begin exploring additional security measures such as multi-factor authentication (MFA). This provides an extra layer of protection by requiring you to enter a second code (typically a six-digit one-time code) alongside your password. This code can be generated by an authenticator app such as Google Authenticator.
The advantage of MFA is that even if your password is compromised, the MFA code would still be needed for anyone to access your account. While it requires a bit more effort on your part, it significantly enhances security.
How to practically manage and store passwords?
We recommend using password managers as they are a practical approach to creating and storing strong passwords. They also provide additional features such as notifying you if a stored password has been compromised and auto-filling a password for you when you visit a specific website.
It may sound risky to keep everything in one vault; however, a strong master password goes a long way towards protecting your password manager's vault.
We would suggest keeping critical accounts away from password managers and maybe using approaches such as “three random words” for manual passwords. This is so that accounts such as your email would not be accessible on the off chance that your password manager is compromised.
If you are interested in setting up a password manager within your organisation, we provide implementation and training for employees in our Secure Passwords Forever service. We also have some guidance on password managers in our blog post.
For further reading, you can also check out some of our other blog posts regarding passwords or for anything else you can contact us here.
By following these guidelines, you can significantly reduce the risk of unauthorised access to your accounts. Start implementing strong, unique passwords today and take control of your online security.