Strong passwords make up the third element of the ‘Get Cyber Security Fit’ trio that we have been covering. In case you missed it: the first two were backups, and antivirus plus firewalls.
According to NordPass, who collate a list of the most common passwords every year, the most common ones in 2022 in the UK were:
- password (which is also the most popular password in the world)
- 123456
- guest
- liverpool
- qwerty
- arsenal
- 123456789
- password1
- 12345
- 12345678
Each of those would take under 1 second to crack.
Apart from showing a distinct lack of originality, the problem with these passwords is that they are based on:
- predictable sequences of numbers
- dictionary words (password)
- predictable sequences of letters (qwerty – the top line of the standard keyboard, starting at the left)
- football clubs
Only 1 shows a mix of letters and numbers, and then it is by the highly predictable device of adding a 1 to the end of a recognisable word.
If you haven’t already seen it, watch Michael McIntyre on passwords.
Strong passwords (with no heavy lifting)
There are two main routes to a strong password:
Complex passwords
Use a long password (at least 12 characters) using a random mix of upper and lowercase letters, numbers and symbols. A password generator will create a complex password for you, and a password manager tool would not only do that, but would also remember it for you. Because it’s hard to remember multiple passwords like 4$%2&!pgZ2rXh
Three random words
Joining three random words to form a password, such as theatremedalwine (created just now by a random generator) means that the password is long and not likely to be used by any (or many) other people. If you have to remember lots of them, though, you’ll still need a password manager. One three-word combination might be memorable enough to recall, but each password should be unique, so if you need dozens or hundreds of passwords, you’ll need help to recall them.
Which approach to choose?
The random passwords created by a password generator tool are stronger than three random words, or complex passwords created by humans, (which tend not to be random at all, but to involve a dictionary word with characters replaced or added).
Do I have to have a password?
Passwords are convenient (if hard to create and remember) but they aren’t the only tool in the box. Alternative methods of authentication include biometrics, such as face or fingerprint recognition, or one-time codes or passwords sent to an email address or mobile device.
What else do I need to think about?
Set multi-factor authentication up on any device that enables it. This requires that a user proves that they are who they claim to be, by providing at least two pieces of evidence. These must each come from different categories:
- Something they know (like a password, or answers to questions)
- Something they have (like their mobile device, or a physical token)
- Something they are (voice, face, fingerprint)
The idea is that someone might have stolen your username and password (things you know), but are unlikely to be able to provide evidence from another category as well.
Getting started
Got 10 minutes today?
- Are your devices (mobile / laptop / tablet / desktop) password protected?
- Do they have a PIN, or biometric security, in place?
30 minutes?
- Have you set up hard to guess security questions for key business accounts? Consider everything from bank accounts to social media accounts. Here’s the thing: the answers don’t have to be true, just memorable
- Remind staff that passwords should be strong, and that they should not be written down or shared
60 minutes or more?
- Consider purchasing a password manager for your organisation
- If you have one, spend some time cleaning up your password set – eliminate duplicates and those that have been reported as breached.
Want more?
If you’d like advice or help on getting your cyber security match-fit, give us a call on 0113 733 7230 or fill out the form.