For years we’ve been told that the best approach to staying secure is to have a good password.  Conventional wisdom says that this should be at least nine characters long and use a combination of upper and lower case characters, numbers, and special characters. 

But I ask you, is this secure?

P@55word1!

All joking aside, this is obviously not, so what is good password protocol?

In this blog, we’ll be delving a little deeper into password best practice to help you and your accounts stay that little bit safer and more secure online.

Criminals and hackers have all the tools they need

Let’s start though with the cyber criminals and hackers who want to access your data.  And unsurprisingly, they have the tools and tricks of the trade to help them do just that.

These include lists of commonly used passwords, software that allows them to make common substitutions to words (like the P@55word example above) and tools that can try every possible combination of characters, as well as information from previous password breaches that may include usernames and password information that are still in use.

Common weaknesses in passwords

There are plenty of themes and weaknesses in passwords that are unfortunately still all too common.  These include:

Complexity – when asked to add complexity when creating or updating a password, many people will still change the first character to upper case and add 1! to the end.  Then every time they get asked to change their password, they just increase the number, often to the next consecutive digit.

Unfortunately,  the tools attackers have make most types of commonly used complexity ineffective.

Seasonal passwords – we would wager that there are currently several hundred people using Autumn23! as their password.  It ‘meets’ the complexity requirements but is still easy to remember.  With everything from email to work accounts, online banking or shopping, we have an ever-growing number of passwords to remember, so it’s no surprise that constant requests to change passwords can lead to predictable words being used.

Password length – while it is rare that criminals will attempt every possible combination of characters in an effort to crack your password, it is possible.  In this instance, the longer you can make a password, the more secure it will be.

Dictionary words and sequences – beware, using common dictionary words can lead to weak passwords, as attackers may take lists of every word in a language and run it through a tool to check if your password matches any of them.  Similarly sequences such as 123456, or qwerty, are predictable and easily guessed.

Tips to protect your account

So now you know some of the most common pitfalls, what can you do to help protect your account?

Passphrases – using long passphrases allows you to create unpredictable sequences of words that are not just memorable, but also long, and you can add extra levels of complexity too if needs be.

P@ssw0rd! may not be secure, but Obscure-Sp3lunking*Gorilla definitely is (it is complex, long, unpredictable, and unlikely to be in any list of commonly used passwords).

Multi Factor Authentication (MFA) – Multi Factor Authentication, also known as MFA, adds anther level of security that can help keep your accounts secure, even if your password is compromised.  Common forms of MFA involve using a one-time code, which might be accessed via an authenticator app or be sent as a text message, but other formats can involve facial or fingerprint recognition for example.

Password managers – we all have a multitude of passwords to create, update and remember – and password managers (sometimes called password lockers) can simplify the process of generating and storing complex passwords securely.

As long as the account for the password manager is sufficiently protected, this can be a great way to take away the strain of remembering strong passwords.

And finally, there is plenty of free helpful and useful password advice and guidance (plus much, much more) on the National Cyber Security Centre website, so take a look.