Here is part 2 of our series about security on the internet. This time we will be discussing passwords including choosing a password and saving passwords.
Everywhere we go on the web these days we seem to need a password to ‘login’. Ideally you should have a brand new password for each and everything you log in to but is that really practical? Should you get your computer to remember all those passwords for you?
For most of us the reality is that we have so many passwords we can’t possibly remember them all and since it is a potential security risk asking your browser to remember those passwords what is the alternative?
We adopt 3 levels of password here at John Jelly offices. For those logins that don’t really matter, things like newsletter registration, we reuse the same password – we still choose a strong password, it is reasonably secure, but at the end of the day if our newsletter account is hacked it’s not the end of the world.
For those things that need to be completely secure we have a Password Vault/Safe which itself is password protected. You could use a spreadsheet but the downside to that method is that if you forget the password to the spreadsheet – you’re stuffed! There is no way to recover it. You could of course keep a little black book of all your passwords in your safe, very inconvenient if you are out! Considering we have in excess of 160 passwords to remember we do need a secure way to hold them which is quick and easy for us to access but not for anyone else.
If you utilise a Password Safe remember it is only ever as secure as the master password, so it needs to be a very good one. If you choose a Password Vault/Safe make sure it’s one that encrypts the data it stores.
For our online banking we have a separate password used only for that and it isn’t written down or stored anywhere except in our heads.
So how do you choose a ‘secure’ password?
You will probably be aware that using your name, birthday, kids’ names, dog’s name or anything else obvious is a bad idea, but why?
There are very clever pieces of software available that can ‘guess’ at passwords very quickly and try them out on the login screen for whichever website is being targeted. For example, perhaps the target is the admin area of a ‘Content Managed’ website like WordPress. These nasty little programs repeatedly try various user names and password combinations until they get access – this is called a ‘brute force attack’ and is more common than you may realise.
So as an aside you should never have your User Name as admin, administrator, user, manager, test, sysadmin, support or any variation of these things – you could be doing half the hacker’s job for them. Avoid using just those words you readily find in a dictionary too.
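The brute-force attack described above leaves a very visible trace in a web server’s access log: a burst of login POSTs from one address. As an added example (not code from this post or from WordPress), here is a small Python detector run over a constructed sample of Apache-style log lines. It assumes that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302, and it flags an address only when at least five failures fall inside one minute, so a user who mistypes a few times across the day is not mistaken for an attacker.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of web-server access-log lines (Apache "combined" style);
# the addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:15:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FORMAT),
            m["method"], m["path"], int(m["status"]))


def failed_login_times(log_text, login_path="/wp-login.php"):
    """Map each client IP to the timestamps of its failed login POSTs.

    Assumption: a failed login re-renders the form with HTTP 200, while a
    successful one redirects (302). Adjust for your own application.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == login_path and status == 200:
            times[ip].append(ts)
    return times


def count_failed_logins(log_text, login_path="/wp-login.php"):
    """Total failed login attempts per IP, regardless of timing."""
    return Counter({ip: len(ts) for ip, ts in failed_login_times(log_text, login_path).items()})


def flag_brute_force(log_text, threshold=5, window_seconds=60, login_path="/wp-login.php"):
    """IPs with at least `threshold` failures inside any `window_seconds` window.

    The sliding window is what separates a burst of automated guesses from a
    person who mistypes their password a few times over the course of a day.
    """
    flagged = []
    for ip, times in failed_login_times(log_text, login_path).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("failures per IP:", dict(count_failed_logins(SAMPLE_LOG)))
    print("likely brute force:", flag_brute_force(SAMPLE_LOG))
```

On the sample, 203.0.113.5 is flagged (six failures in five seconds), 192.0.2.9 is not (three failures an hour apart), and 198.51.100.7 is a user who got it right on the second try. A real deployment would feed the flagged addresses to a rate limiter or block list rather than just printing them.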
So how do you choose a secure password? The basic rules are to avoid dictionary words (see above), car registration numbers and birthdays. Ideally the longer your password the harder it is to discover so aim for at least 8 characters. Use a combination of lower and uppercase letters, numbers and punctuation.
One of my lovely customers suggested a great way to create a password – think of a sentence that contains a number and use the first letter of each word in that sentence together with the number and pop in a punctuation character. So let’s give a fun example that would be more secure. Take the sentence, ‘My dog Toby has four legs and one tail!’, so we could create the password ‘MdTh4la1t!’. Ta dah! We have a much more secure password than using ‘Toby1’!
Another suggestion could be to use random words from your favourite book, film or song again combined with numbers and punctuation.
The rule is that the more random the password the harder it will be to crack. That goes for length too – the longer the better. Just remember that some systems have upper and lower limits to the number of characters in your password.
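To make the advice above concrete, here is an added Python example (not code from this post) that implements the first-letter method from the dog sentence, checks a candidate against the rules given here (at least 8 characters, mixed case, a number, punctuation, not a dictionary word, not a default username) and estimates how much brute-force work a password of that shape represents. The dictionary and number-word lists are small constructed stand-ins; a real checker would use a full word list and a breached-password list.

```python
import math
import re
import string

# Spelled-out numbers the derivation turns into digits (constructed list; extend as needed).
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
}

# Tiny stand-in for a real dictionary or breached-password list (constructed sample).
COMMON_WORDS = {"password", "toby", "welcome", "letmein", "qwerty", "monkey", "dragon"}

# Default account names the post advises against, compared case-insensitively.
BANNED_USERNAMES = {"admin", "administrator", "user", "manager", "test", "sysadmin", "support"}

MIN_LENGTH = 8  # the post's minimum
TOKEN_RE = re.compile(r"^(\W*)(.*?)(\W*)$")  # leading punctuation, word, trailing punctuation


def sentence_to_password(sentence):
    """First-letter method from the post.

    Each word contributes its first letter with case preserved; a spelled-out
    number contributes its digit(s) instead; punctuation attached to a word is
    kept, which is how the result picks up a symbol.
    """
    out = []
    for token in sentence.split():
        lead, word, trail = TOKEN_RE.match(token).groups()
        out.append(lead)
        if word:
            out.append(NUMBER_WORDS.get(word.lower(), word[0]))
        out.append(trail)
    return "".join(out)


def check_password(password, username=""):
    """Return a list of policy problems; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    # Strip digits and symbols: "Toby1" and "toby!" are still just the word "toby".
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in COMMON_WORDS:
        problems.append("a dictionary word with decoration")
    if username and username.lower() in BANNED_USERNAMES:
        problems.append(f"username '{username}' is one that guessing tools try first")
    return problems


def keyspace_bits(password):
    """Upper bound on brute-force work: log2(alphabet ** length), counting only
    the character classes the password actually uses. Dictionary-based guessing
    does far better than this bound, so treat it as a ceiling, not a promise."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    weak = "Toby1"
    strong = sentence_to_password("My dog Toby has four legs and one tail!")
    for pw in (weak, strong):
        print(f"{pw!r}: {keyspace_bits(pw):.0f} bits, problems={check_password(pw, 'admin')}")
```

The sentence from the post comes out as ‘MdTh4la1t!’, which passes every rule, while ‘Toby1’ fails on length, punctuation and the dictionary check. The bit estimate shows why length matters more than any single rule: each extra character multiplies the search space by the size of the alphabet, whereas swapping one letter for a digit only adds ten.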
We hope you haven’t been too shell-shocked by this series of articles. The next post will cover spam, phishing and spoof emails. If you need help with any aspect of password security feel free to private message us – please don’t talk about passwords in the open comments.