typical username and password login panel
Published 31 Aug 2018

Should you treat your passwords like your underwear?

There is an old IT joke about treating your passwords like your underwear – change them often, don’t leave them lying around and don’t share them.  While that is good advice, is it still valid in 2018?

Given the rise in cyber threats and the sheer volume of emails sent everyday designed to trick you out of your email address and password, you need to know what is good advice and what is bad advice in this critical area.

So how relevant are those three simple guidelines?

black question mark icon in circle

Change them often

Having different unique passwords, with each one used solely for each particular web site, provides many times more protection than a constantly changing, but easier to guess password.  If an attacker fails with a password of Petname15, guessing Petname16 isn’t much of a leap.

black question mark icon in circle

Don't leave them lying around

Threats to your account are more likely to be attempted from outside your work environment. But still, never write your password down. Ever. All it takes is for a disgruntled employee to see your password and act on it out of hours, or to tell it to someone else outside the workplace for them to act on it.

black question mark icon in circle

Don't share them

This is key in the battle to stay safe online.  Using one or two passwords for all your online services leaves you terribly exposed. If one of your providers gets hacked (let’s say Facebook), and you’ve re-used that password all over the web, the attackers will then know your Twitter password, your LinkedIn password, your Instagram password etc.

Better pratice for 2018

green ticked check box icon

Use two / multi factor authentication

Each log in attempt must be accompanied by a response from you on a different device, usually your mobile phone. You need to approve the log in. If you get notification of a log in attempt that wasn’t you, don’t authenticate it. The attacker cannot then access your account even with the correct password.

green ticked check box icon

Have unique passwords for each service you access

Having a unique password for each and every on-line service makes things many times more secure.  If one provider gets hacked, you only need to change one password, and they can’t use that cracked password elsewhere. That causes another issue though, how do you remember all your different passwords?

green ticked check box icon

Use a password manager

Password managers are a great way to keep track of all your passwords. They’ll even automatically enter them for you as required. Consider leading password managers like Dashlane and Lastpass.

green ticked check box icon

Do Not Use Family / Pet names in your passwords

If an attacker has obtained information about you and your family though a technique called social engineering (from such things as your social media posts, for example) they are more likely to try those words and names in a password attack.

green ticked check box icon

Have robust passwords

By this we mean a password that is difficult guess by brute force.  A brute force attack is when a computer uses a dictionary and some clever programming to generate passwords.  If you obfuscate your password by making letter substitutions such as changing an S to a $ it won’t make any difference to the cracking program because they know all the common substitutions (3 for E and 4 for A, and so on).  It adds nothing in terms of protection.

What makes for a robust password?

Which of the following passwords do you think would be more secure?  

•    Password
•    X195jH&fX2
•    red.fish.balloon

Compare the difficulty in remembering the password with the time required to hack it, using a service such as https://howsecureismypassword.net/

Click the following plus symbols to reveal how secure each of the passwords is...

Secure Your Devices

Make sure to have a password or other security measure on all of the devices you use to access services and your data. This includes mobile phones, tablets, laptops, desktop PCs, and more advanced book readers. If any of your devices are open to anyone to use you are effectively doing the same as leaving your car unlocked. Making all your devices difficult to access is a fundamental requirement (especially if you have a password manager application installed).  Remember to set up remote access wipe facilities within your account settings too.

Contact Us

Contact us today if you want some expert guidance on introducing an effective password policy within your business.

Please share this post using any of the following share buttons.

Read similar posts to this article

Gustaw Trebski Achieves World Class...

Passwords, Password Managers and Mu...

Researchers exploit vulnerability i...