Passwords are your 'key' and you wouldn't leave your door open

This section is quite a long one to read but I recommend you do. I have tried to keep it simple and concise but there is quite a lot to cover. If all you want is advice on creating secure passwords then skip down to the last section - Password Tips and Hints.

The number of websites requiring passwords can seem endless. The list includes everything from your online banking, email and social media accounts to online shopping sites and even the computer you are reading this on.

Choosing the right password is something that many people find difficult. So many things require passwords these days that remembering them all can be a real problem, and perhaps because of this a lot of people choose their passwords very badly.

Keeping accounts private is extremely important because even innocuous accounts, such as a supermarket loyalty scheme or a voucher site, hold basic information like your age and email address which a cyber criminal can use as a starting point to find out more personal details. This is one of the steps in identity theft.

Passwords are commonly used in conjunction with the username you signed up with. However, more security-conscious sites may also use them alongside other methods of identification such as a separate PIN and/or memorable information. In some cases, for example when verifying an online payment, you will be asked to enter only certain characters of your password, so that anyone watching or recording your keystrokes sees only part of it.

Password Security and Good Practice

Password security is one of the most important skills in online safety. If you make it a priority, you will be able to protect your own information. It is crucial to pick strong passwords that are different for each of your important accounts and to change any password as soon as you suspect it has been exposed; it is also good practice to update your passwords regularly.

Using the same password for all of your online accounts is like using the same key for your home, car and office - if a cyber criminal gets hold of one, all of them are wide open. If you have several online accounts, use at least three different passwords, but a different password for each account is a LOT more secure. Using multiple passwords minimises the damage if one account is compromised. It may be inconvenient, but using different passwords keeps you safer.

Remembering so many passwords can be difficult and because of this many people are tempted to write them down on bits of paper. This is a very bad idea. Instead of writing your passwords on paper where others can easily see them, you can use a password manager, which stores them in an encrypted vault (on your computer or synchronised online) that only your master password unlocks. That one master password then needs to be the strongest password you own, because it protects all the others.

For example, when using LastPass, you will first need to install the LastPass browser plugin. Whenever you type a password on a website, the browser plugin will ask you whether you want to save it. The next time you go to the website, it can automatically enter the password for you. If someone else wants to use your computer, you can simply log out of LastPass to prevent the other person from accessing your information.

Some password managers can also generate random passwords, making your information even more secure, and there are some very good password generators online. See the Safety & Security links page for a list of a few that won't cost you much, if anything.

The longer your password is, the harder it is to guess, so make it long to help keep your information safe. Adding numbers, symbols and mixed-case letters also makes it harder for cyber criminals to guess or crack your password. Please don't use '123456' or 'password', and avoid using publicly available information like your phone number in your passwords.
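As an added example (not part of the original page), the following Python script shows how a password manager's generator works under the hood and puts numbers on the "longer is harder to guess" advice: it draws characters from the operating system's cryptographic random source and works out how many guesses an attacker would need to try every possibility. The character sets, lengths and guessing rates are assumptions chosen for illustration; the 200,000 guesses per second figure is the one quoted later on this page.

```python
import math
import secrets
import string

# Character classes; together they make the 94 printable ASCII characters.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation
ALL_CLASSES = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int, alphabet: str = ALL_CLASSES) -> str:
    """Return `length` characters drawn uniformly at random from `alphabet`.

    `secrets.choice` uses the operating system's cryptographic random source.
    The `random` module is predictable and must never be used for passwords.
    """
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password in bits: log2 of its keyspace."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Hours an attacker needs to try every password in the keyspace at the given rate.

    On average a brute force search finds the password after half this time.
    """
    return keyspace(length, alphabet_size) / guesses_per_second / 3600


if __name__ == "__main__":
    print("Random 16-character password:", generate_password(16))

    # Assumed guessing rates: the old PC figure quoted on this page, and a
    # modern graphics card attacking a poorly protected password database.
    for rate in (200_000, 10_000_000_000):
        print(f"\nAt {rate:,} guesses per second:")
        for label, length, size in [
            ("6 chars, upper and lower case", 6, 52),
            ("8 chars, all four classes", 8, 94),
            ("16 chars, lower case only", 16, 26),
            ("16 chars, all four classes", 16, 94),
        ]:
            bits = entropy_bits(length, size)
            hours = hours_to_exhaust(length, size, rate)
            print(f"  {label:32s} {bits:5.1f} bits  {hours:.3g} hours to exhaust")
```

The comparison is the point: 16 lower-case letters (about 75 bits) beat 8 characters drawn from all four classes (about 52 bits), even though the shorter password looks more "complex". Six mixed-case letters at 200,000 guesses a second come out at about 27.5 hours, matching the figure in the brute force section below.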

If you choose to keep your own list of passwords, I recommend using keywords to remind yourself of each password rather than writing the password itself. Don't associate these keywords with any specific account, and use a nickname for the account. Keep the list locked in a secure place, preferably away from the computer; you don't want the list to announce itself as connected with the computer or as containing passwords.

How would a cyber criminal get my password?

You may feel that it is difficult, if not impossible, for a cyber crook to get hold of your passwords, but that is not necessarily true.

Apart from what is called "social engineering", where they worm their way into your confidence or convince you that they are an official trying to help, there are four main techniques hackers can use to get hold of your password:

  1. Steal it. That means looking over your shoulder when you type it, finding the paper where you wrote it down, or obtaining it from a data breach at a website where you used it. This is probably the most common way passwords are compromised, so it's very important that if you do write your password down you keep the paper extremely safe. Also remember not to type in your password when somebody could be watching.
  2. Guess it. It's amazing how many people use a password based on information that can easily be guessed. People regularly use the names of their partners, pets or children - or the dreaded "letmein" or "password".
  3. A brute force attack. This is where every possible combination of letters, numbers and symbols is tried in an attempt to find the password. While this is an extremely labour-intensive task, with modern fast processors and software tools this method is not to be underestimated. An old PC might typically be able to try 200,000 combinations every second; at that rate a 6 character password containing just upper and lower case letters (52^6, or roughly 19.8 billion combinations) could be guessed in only 27½ hours. Newer PCs, and especially graphics cards, with the right software can try millions or even billions a second, depending on how the target system has stored the password.
  4. A dictionary attack. A more intelligent method than the brute force attack described above is the dictionary attack. Here the combinations tried are first chosen from words available in a dictionary, usually combined with simple "rules" such as adding a digit to the end, capitalising the first letter or swapping letters for look-alike numbers. Software tools are readily available that can try every word in a dictionary or word list, or both, until your password is found. Dictionaries with hundreds of thousands of words, as well as specialist, technical and foreign language dictionaries, are available, as are lists of thousands of words that are often used as passwords such as "qwerty", "abcdef" etc.
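To make the dictionary attack concrete, here is an added Python example, constructed for this page and not a tool from the original text, that runs a small word list through the kind of "mangling rules" attackers apply and checks each candidate against a set of stolen password hashes. The rules are exactly the shortcuts the Tips section at the end warns against (a digit or symbol tacked on, the word doubled, reversed, stripped of vowels, written in look-alike numbers). The word list, the rules and the target hashes are all constructed for illustration, and the hashes are plain SHA-256 so that the example runs offline; a well-run website stores passwords with a slow, salted algorithm such as bcrypt or Argon2 precisely so that each guess costs far more than this.

```python
import hashlib
from collections.abc import Iterable

# Constructed word list standing in for the dictionaries and common-password
# lists the text describes; real lists run to millions of entries.
WORDLIST = ["grandpa", "letmein", "password", "summer", "qwerty", "fluffy"]

# Look-alike substitutions that attackers' rule sets include by default.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for a leaked password database's hashes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str) -> list[str]:
    """Return the word plus the cheap variations people think make it safe.

    Each rule corresponds to one of the "don'ts" in the tips list: a digit or
    symbol added before or after, the word doubled, reversed, stripped of
    vowels, or written in look-alike numbers, each in three capitalisations.
    """
    bases = {word.lower(), word.capitalize(), word.upper()}
    variants = set(bases)
    for base in bases:
        variants.add(base + base)                                            # doubled
        variants.add(base[::-1])                                             # reversed
        variants.add("".join(c for c in base if c.lower() not in "aeiou"))  # vowels removed
        variants.add(base.translate(LEET))                                   # leetspeak
        for extra in "0123456789!?":                                         # single digit/symbol added
            variants.add(base + extra)
            variants.add(extra + base)
    variants.discard("")
    return sorted(variants)


def dictionary_attack(target_hashes: Iterable[str], wordlist: Iterable[str]) -> dict[str, str]:
    """Map each target hash that some mangled dictionary word produces to that password.

    Hashes that survive every candidate are simply absent from the result.
    """
    remaining = set(target_hashes)
    cracked: dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in remaining:
                cracked[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return cracked
    return cracked


if __name__ == "__main__":
    # Constructed "leaked database": the weak examples from the tips list,
    # two common passwords, and the phrase-derived password from this page.
    victims = ["grandpa1", "grandpagrandpa", "apdnarg", "grndp",
               "Letmein", "p4ssw0rd", "1Hw0Wn51S!"]
    leaked = {sha256_hex(p): p for p in victims}

    found = dictionary_attack(leaked, WORDLIST)
    for digest, original in leaked.items():
        status = f"cracked as {found[digest]!r}" if digest in found else "not found"
        print(f"{original:16s} {status}")
```

Six words and a handful of rules are enough to recover every "clever" variation of grandpa in well under a second, while the phrase-derived password survives because no dictionary word, mangled or not, produces it.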

Password Recovery in case you forget

If you forget your password or get locked out you need a way to get back into your account. Many services will send an email to your registered email address if you need to reset your password, so make sure that it is an account you can still access. Protect that email account with a strong, unique password too: anyone who gets into it can reset the passwords of everything else linked to it.

Sometimes you can also add a phone number to your profile to receive a code to reset your password via text message. Having a mobile phone number on your account is one of the easiest and most reliable ways to help keep your account safe. For example, banks can use the phone number to challenge those who try to break into your account, and can send you a verification code so that you can get back in if you ever lose access. Giving a recovery phone number to Google, for example, won't result in you being signed up for cold calling or getting those annoying calls from sales people.

Your mobile phone is a more secure identification method than your recovery email address or a security question because, unlike the other two, you have physical possession of it. It is not perfect, though: a fraudster who persuades your mobile operator to move your number to a new SIM (a "SIM swap") receives your text messages, so treat it as the better of the options rather than as infallible.

However, if you can’t (or don’t want to) add a phone number to your account, many websites may ask you to choose a question to verify your identity in case you forget your password.

If the service that you're using allows you to create your own question, try to come up with a question whose answer only you would know and isn't something you've posted about publicly or shared on social media (who you first kissed is a good one because only you and the other person will know that). Then find a way to make your answer unique but memorable, for example by spelling it in your own way or adding a number to it, so that even if someone guesses the answer they won't know how to enter it properly. Treat the answer as a second password; if you use a password manager, store it there. This answer is very important for you to remember - if you forget it you may never be able to get back into your account.

Password Tips and Hints

Creating your own password can help you remember it, rather than relying on one that has been generated for you. One idea is to think of a phrase that only you know and relate it to a particular website to help you remember it. Then use the first letter of each word of the phrase as the characters, swapping some of them for look-alike numbers.

"I hate working on Weekend night Shifts in Summer!" becomes "1Hw0Wn51S!", for example (the I becomes 1, the o becomes 0, the S of Shifts becomes 5 and the i becomes 1).

That said, there are some basic do's and don'ts when creating a password. Most of them are common sense - the list could be a lot longer but I'm sure you'll get the idea.

  • Do use at least eight characters, the more characters the better really, but most people will find anything more than about 15 characters difficult to remember.
  • Do use a mixture of characters, upper and lower case, numbers, punctuation, spaces and symbols.
  • Don't use a word found in a dictionary.
  • Never use the same password twice or recycle them (for example password2, password3).
  • Don't just add a single digit or symbol before or after a word. e.g. "grandpa1"
  • Don't double up a single word. e.g. "grandpagrandpa"
  • Don't simply reverse a word. e.g. "apdnarg"
  • Don't just remove the vowels. e.g. "grndp"
  • Don't use keyboard sequences that can easily be typed out. e.g. "qwertyuiop", "asdfghjk" etc.
  • Do choose a password that you can remember so that you don't need to keep looking it up, this reduces the chance of somebody discovering where you have written it down.
  • Don't use passwords based on personal information such as: your name, nickname, birthday, partner's name, pet's name etc.
  • Don't ever be tempted to use passwords that are easy to remember but offer no security at all, like "password" or "letmein" - you'd be surprised how often I hear that!
  • When choosing numerical passcodes or PINs, don't use ascending or descending numbers (for example 654321 or 123456), duplicated numbers (such as 1111) or easily recognisable keypad patterns (such as 14789 or 2580).
  • Never disclose your passwords to anyone else. If you think that someone else knows your password, change it immediately.
  • Don't enter your password when others can see what you are typing.
  • Do change your passwords regularly.
  • Do not send your password by email. No reputable firm will ask you to do this.
  • Never store your password on your computer except in an encrypted form, which is exactly what a good password manager provides. Note that the password cache that came with older versions of Windows (the .pwl files of Windows 95/98) was NOT secure, so don't accept a "Save password" prompt unless you know the program stores it encrypted.
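The rules above can be mechanised. As an added example, not part of the original page, the Python below checks a proposed password against the main "don'ts" (length, mix of character types, a dictionary word with a digit or symbol added, a doubled or reversed word, vowels removed, keyboard sequences) and a PIN against the patterns in the numerical passcode tip. The small dictionary is constructed for illustration; a real check would load a large word list and a list of known breached passwords. The keypad check models the standard telephone layout and flags any PIN that simply walks from one key to a neighbouring key, which covers 2580, 14789 and similar shapes without a list of every pattern.

```python
import string

# Constructed mini dictionary; a real check would load a large word list.
DICTIONARY = {"grandpa", "password", "letmein", "summer", "welcome", "monkey"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
VOWELS = set("aeiou")

# Telephone keypad laid out as (row, column) so neighbouring keys can be detected.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def _contains_keyboard_run(text: str, run: int = 4) -> bool:
    """True if `run` adjacent keys from one keyboard row appear in order, either direction."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in text for i in range(len(seq) - run + 1)):
                return True
    return False


def password_problems(password: str) -> list[str]:
    """Return the tips the password breaks; an empty list means it passed every check."""
    problems = []
    low = password.lower()
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation or c == " " for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three types of character")
    # A digit or symbol before or after a word does not turn it into a new word.
    core = low.strip(string.digits + string.punctuation)
    if low in DICTIONARY:
        problems.append("dictionary word")
    elif core in DICTIONARY:
        problems.append("dictionary word with a digit or symbol added")
    half = len(low) // 2
    if len(low) >= 6 and len(low) % 2 == 0 and low[:half] == low[half:]:
        problems.append("doubled word")
    if low[::-1] in DICTIONARY:
        problems.append("reversed dictionary word")
    if low not in DICTIONARY and any(
            "".join(c for c in w if c not in VOWELS) == low for w in DICTIONARY):
        problems.append("dictionary word with vowels removed")
    if _contains_keyboard_run(low):
        problems.append("keyboard sequence")
    return problems


def pin_problems(pin: str) -> list[str]:
    """Return the numerical passcode tips a PIN breaks; an empty list means it passed."""
    if not pin.isdigit():
        raise ValueError("a PIN must contain digits only")
    problems = []
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps == {1}:
        problems.append("ascending sequence")
    if steps == {-1}:
        problems.append("descending sequence")
    if len(set(pin)) == 1:
        problems.append("repeated digit")
    # Every consecutive pair of keys is a direct neighbour on the keypad (distance 1).
    if len(pin) >= 4 and all(
            max(abs(KEYPAD[a][0] - KEYPAD[b][0]), abs(KEYPAD[a][1] - KEYPAD[b][1])) == 1
            for a, b in zip(pin, pin[1:])):
        problems.append("keypad pattern")
    return problems


if __name__ == "__main__":
    for pw in ["grandpa1", "grandpagrandpa", "apdnarg", "grndp", "qwertyuiop", "1Hw0Wn51S!"]:
        print(f"{pw:16s} {password_problems(pw) or 'OK'}")
    for pin in ["123456", "654321", "1111", "2580", "14789", "4936"]:
        print(f"{pin:16s} {pin_problems(pin) or 'OK'}")
```

Run against the examples from the list, every "grandpa" variation is caught by the rule it breaks, the phrase-derived "1Hw0Wn51S!" passes cleanly, and of the PINs only a random one like 4936 comes back with nothing to report.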

I know that's a lot but there are lots of nasty people who just want to get into your system to steal your information and it only takes a little effort to keep them out.