Cyber security: making the most of passwords

Our recent technical article Cyber Security Essentials looked at the practical measures which users can take to protect themselves from cyber attacks and breaches.  This follow-up article looks specifically at how individual users and businesses can use passwords to improve their cyber security.

Passwords, when used correctly, are an extremely simple and effective way to protect data and IT systems from unauthorised access.  However, many individuals continue to use passwords in a way which exposes them to risk, and IT policies do not always encourage better user behaviour.

This article summarises some simple ideas for individuals and businesses to improve their use of passwords and prevent them being cracked.

How are passwords cracked?

There are a number of methods criminals can employ to crack passwords, including:

  • Intercepting them as they are transmitted over the network.
  • Brute force - automated guessing of millions of passwords.
  • Physically stealing them, for example when they are written down close to a device.
  • Searching IT infrastructure for stored password information.
  • Manual guessing based on easily accessible personal information (e.g. name, date of birth).
  • Shoulder surfing – observing people typing in their passwords in public places.
  • Social engineering – tricking people into handing over passwords.
  • Key-logging malware which records passwords as they are entered.

These methods help to highlight some basic precautions which users can take to protect themselves. 

How can individuals prevent their passwords being cracked?

A key recommendation is to use a strong, non-predictable password.  What makes a good password (and what doesn’t) is discussed further below.

It is also important not to use the same password for everything.  Different websites have different levels of security - if you use the same password all the time then a criminal could crack this on a low security site and use to access important information on higher security sites. 

On average, users use the same password across four different sites.  Ideally, you should have a different password for every site and system you access.  However, it can be difficult to remember that many passwords in practice. 

As a minimum you should use a different password for the most sensitive sites you visit – such as email, online banking, and any other sites that hold confidential or financial information.  Alternatively, you could set up a system for passwords, for example using a core password which is complex and then adding letters or numbers to this relevant to the website name. 

Other recommendations for individuals include:

  • Using two factor authentication where possible.  This requires two different methods to prove identity before you can use a service – for example a password and a unique code sent to a mobile number.  Many online banking services already use this, and HMRC are rolling it out across their online services (see here for more information).
  • Be wary of public wi-fi, and do not use it to log onto secure sites.
  • Never log onto secure sites through following a link in an email: this is a common phishing scam.
  • Only use remember password facilities on personal computers where you trust any other users.
  • Look for https:// or a small password symbol at the beginning of a website’s URL - this indicates the site is using a secure link.
  • Don’t enter passwords where someone may be able to see you typing.
  • Never send passwords by email.
  • Never share passwords, or leave them written down next to your computer or in an easily found place.
  • Don’t re-use passwords after giving them a break.

What makes a good password?

The main thing is to avoid using predictable passwords.  Passwords should be easy to remember, but hard for somebody else to guess.  The National Cyber Security Centre (NCSC) recommends that a good rule is to make sure that somebody who knows you well couldn’t guess your password in 20 attempts.

Passwords that are easily cracked tend to include:

  • Your actual or user name.
  • Place names
  • Family members’ or pets’ names / birthdays.
  • Single dictionary words
  • Personal information such as your date or place of birth.
  • Favourite sports teams or other things relevant to your interests.
  • Numerical or keyboard sequences (e.g. qwerty, 12345).

The most common passwords include 123456, password, 12345678, qwerty, 12345 and football.

Strong passwords will:

  • Be at least 8 characters long.
  • Use a combination of upper and lower case letters, symbols and numbers.  Substituting letters for numbers (e.g. 3 for E or 1 for I) is however a well-known practice and should be avoided.

Very long and complex passwords are often viewed as being the strongest, but this is often not the case in practice.  Such passwords are hard to remember and this can lead to people using coping mechanisms (such as writing passwords down or using the same password multiple times) which, ironically, make them more vulnerable to cyber criminals.

The NCSC, in conjunction with Cyber Aware, advise that an easy way to create a secure password is to use three random words – for example coffeetrainfish or walltinshirt.  The words you pick can be memorable, but shouldn’t be easy to guess (i.e. onetwothree) or too personal (e.g. pet names, childrens’ names).

How can businesses support staff users?

It is important for businesses to ensure that their staff use passwords effectively to protect IT systems and data.

However, you need to be careful that IT policies do not lead to users having password overload.  The average UK citizen has 22 online passwords which they need to remember, so enforcing passwords where they are not needed should be avoided. 

Businesses can also help their staff cope by:

  • Using technology to reduce the number of passwords they need to remember: for less important accounts password managers can be used (tools which create and store passwords for you, accessed via a master password).
  • Allowing users to securely record and store their passwords – for example written down passwords could be kept in a secure cabinet or safe. 
  • Only asking users to change their passwords where there is an indication or suspicion they have been compromised.
  • Allowing users to reset passwords easily, including when they are out of the office.

The NCSC no longer recommends requiring users to change passwords frequently, or requiring them to have several different complex passwords.  The cost of forcing users to regularly change passwords outweighs any protection it may give –  staff often end up using weaker passwords as a result, making only minor changes to previous passwords or having to ask for a password reset more frequently.  Instead, the NCSC recommend asking staff to concentrate on:

  • Making sure passwords aren’t easy to guess.
  • Storing passwords securely.
  • Reporting unrecognised logins or suspicious activity.
  • Changing passwords where compromise is evident or suspected.

Other measures which businesses can take to increase security include:

  • Steering users away from predictable passwords and banning the most common.
  • Encouraging users not to use the same passwords at home and at work.
  • Changing all default vendor supplied passwords before giving devices to staff.
  • Monitoring failed login attempts.
  • Putting in place account-lockout, throttling or monitoring to counteract brute force attacks.
  • Ensuring IT systems do not require staff to share accounts or passwords: every user should have personal access to the systems they need to get the job done (and nothing beyond this).

Where to go for more information

The new National Cyber Security Centre offers a wide range of guides on all areas of cyber security.  Their guidance on passwords can be found here.

Cyber Aware, a cross-government initiative aimed at promoting secure online behaviours for small businesses and individuals, also provides tips on how to create strong passwords.