In this guide, you'll learn how to keep your IT systems and online services secure by using complex passwords. Too many people save their passwords in a spreadsheet or worse still, write down their passwords on notes stuck to their desks.
How to choose a secure password
People often struggle to choose a password for fear of either forgetting it or lack of inspiration. Equally, quite often, it can be a struggle to meet password complexity requirements. Most workplaces and online services now require secure passwords.
Let's start here;
- Think of a word that you will always remember. For me, in this example, let's choose "skinny latte". I have one most days and I know I'll always remember this.
- Now, complexity requirements generally require an upper case letter, a number, and a symbol, so let's mix things up.
- Start with capitalising the first or last letter and every word.
We now have SkinnyLatte
(This takes care of the uppercase letter element) - Next, try to use numbers to replace some letters. For example, we could replace the letter E with the number 3. It's easy to remember this because the number 3 is just a back to front E.
We now have Sk1nnyLatt3
I replaced the E with the number 3 and i, with the number 1
(This now ensures my password both has lowercase and uppercase letters AND a number) - Next, we need to add a special character to the password. So, let's ditch the S and replace it with the dollar symbol, $.
We now have a secure, complex password that is easy to remember.
$k1nnyLatt3
I use my password at the start of the day to log on to my computer. At the start of the day, I grab a coffee. This is an easy way to remember my password and meets the complexity requirements of most workplaces and online services. For even greater security, try integrating your password into a sentence instead.
Just so you know, this is not my password, it's just an example :)
ivejusthada$k1nnyLatt3
(I've just had a skinny latte)
If you're struggling or want to be even more secure, Use a Password Generator.
A password generator will generate a password for you automatically based on the requirements you set. This takes the decision making away from you but in return, you'll be presented with a more complex password that's ultimately, harder to remember and harder to guess. You'll probably want to use a password manager if you generate hard to guess passwords. (See Below)
Strong Random Password Generator
That looks easy but what should I do when I have to change my password every month?
Yes, it can be frustrating when you have to constantly change your passwords. It makes remembering them even harder. When you're prompted to change your password, you could simply add a number to the end of your password. Whilst it's still a secure password, many systems will prevent you from doing this. Windows server in particular (if set by your administrator) can prevent similar passwords.
The trouble is, if a password is compromised by a hacker, they will, of course, give it a go. If it doesn't work (because you recently changed it), the first thing they're going to try is password2, password3, etc. Don't make it easy for hackers to break into your IT systems. Always choose a secure password and a password that has not been used before.
Do not use the same password for multiple accounts or services.
Every service or website MUST have its own password.
What passwords should I avoid?
- Known passwords such as password or letmein, password, qwerty or 123456
- Any word in the dictionary
- Anything that can identify you such as your name, date of birth, or the name of your dog.
- Using a password you have used elsewhere.
- Using a password you've used before
You should not use a word from everyday language because software exists that will take a text file and try every password until the correct one is found. A hacker uses what is known as a "Dictionary Attack" in an attempt to guess your password. This is why it's extremely important to get creative with your passwords.
I cant remember all my passwords. I have too many passwords to remember.
Password management software generally comes in two flavours. You can purchase an online subscription to a password management service such as LastPass or download software to your PC.
The Best Password Management Software
How do I check if my password has been previously hacked?
You'll often see in the news that a website has had their data stolen.
Recent breaches include;
- Easyjet - 2020 Data Breach - affecting 9 million customers
- British Airways - 2018 Cyber Attack - ICO Fines BA £20 million, affecting 400'000 Customers
- TalkTalk - 2016 Cyber Attack - with the theft of 157'000 records of customers data
There is a good chance you've had your data stolen if you've ever used one of these services. These are just 3 high-profile attacks but many smaller breaches occur every day.
Email addresses, Home Addresses, Passport Information, and of course, your trusted passwords are just some of the information that has been previously stolen.
Stolen data is generally sold on the DarkWeb or DarkNet or simply published for all to see. It allows anyone to buy up stolen credentials.
Attention Required! | Cloudflare
Imagine a scenario where you've used the same email address and password on many websites and your email address and password have been stolen. The hacker has managed to gain access to your email account. Whilst you may not have anything of interest in there, the hacker does notice an email showing you paid for a product with PayPal. Great he thinks! - Let's head over to PayPal and enter the email address and the same password. Damn, he thinks, on this occasion, they didn't use the same password. BUT WAIT - I can click the "I forgot my password" button. A password reset link is sent to the email account he currently has access to, resets the password, and then heads off for an online shopping spree!
by Paul Stanbra
Password Advice In Summary
- Always use a complex password.
- Never use the same password on multiple websites or services.
- Never use words from the dictionary - a hacker can use a brute force attack.
- Never use words that identify you such as your dog's name.
- Change your password every 10 weeks.
- Do not share your password with family members or work colleagues.
- If you can't remember them all, use a password manager.
- Periodically check to see if your password has been stolen.
- If the option is available, use Dual-Factor or Multi-Factor Authentication.