
Is Password Security Advice Changing?

2017-08-31


When you think about password security, what comes to mind: changing your password every few months by adding a new number at the end? Swapping a letter for a symbol? Capitalising letters at random? Perhaps you even (guiltily) keep a written note of all your passwords because they are too hard to remember? The days of the overly complicated password may well be numbered following a recent comment by Bill Burr. Burr, who wrote the original password guidance most of us have been following (published by NIST in 2003), has said that this approach may actually make us more vulnerable to attackers.

Why has the advice changed?

The original password security advice, which has been standard practice for the last 14 years, suggested that using symbols, random capitalisation and numbers would create strong and secure passwords. Burr's thinking has changed because most of us use the same formula: the same handful of symbols standing in for the same letters, which are very easy to guess. So while $umm3r123 looks more secure than summer123, the substitutions are so common that password-cracking tools apply them automatically as rules on top of a dictionary, and the "clever" version costs an attacker only a few extra guesses. The advice to change passwords regularly has also inadvertently led to weak passwords: users who struggle to keep track of many passwords fall back on predictable patterns such as incrementing a digit at the end.

So, what is the revised advice for password security?

It has been suggested instead that a randomly created phrase would be more secure. For example 'Summer 35 raspberry fish' can easily be committed to memory, yet it is far harder to guess than $umm3r123, because its strength comes from its length and from the words being picked at random rather than from symbols. The caveat is that the words really do need to be chosen at random (for instance from a word list): a line from a song, or your pet's name plus a year, is a phrase an attacker can predict. By building a mental picture of the phrase you will find it much easier to remember. NIST's revised guidance (SP 800-63B, June 2017) follows the same line: it drops mandatory composition rules and periodic changes, and recommends screening new passwords against lists of known-breached passwords instead. However, we would suggest that there is a more practical step organisations can take. Businesses could be helping staff manage passwords, and increase password security, by using password management software.
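As an added example (not code from the original post, nor from any of the tools mentioned), the script below illustrates both points above: it expands a small, constructed dictionary with the capitalisation, letter-for-symbol and digit-suffix rules that a cracking tool such as hashcat or John the Ripper applies, counts how many guesses it takes to reach summer123 and $umm3r123, and compares the size of that search space with a passphrase of words drawn at random from a wordlist. The dictionary, the rule set and the 7776-word list size (that of the EFF long wordlist) are assumptions chosen for illustration.

```python
# Added example: how cheap "clever" substitutions are for an attacker, versus a
# passphrase of randomly chosen words. Dictionary, rule set and sizes are
# constructed for illustration; real tools use millions of words and far richer rules.
import itertools
import math
import secrets

# Constructed mini-dictionary (assumption). A real attack dictionary has millions of entries.
DICTIONARY = ["summer", "winter", "password", "raspberry", "fish", "autumn"]

# The substitutions people reach for are also the first ones a rule set tries.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def leet_variants(word):
    """Yield `word` with every combination of 0..n letters replaced per LEET."""
    choices = [[c] + list(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def capitalisations(word):
    """The three capitalisation patterns people actually use."""
    return [word.lower(), word.capitalize(), word.upper()]


def mangled_candidates(dictionary, suffixes=range(1000)):
    """Expand a dictionary the way a simple rule set does:
    capitalisation x leet substitution x an optional 0-999 digit suffix."""
    for word in dictionary:
        for cap in capitalisations(word):
            for variant in leet_variants(cap):
                yield variant
                for n in suffixes:
                    yield f"{variant}{n}"


def guesses_to_find(password, dictionary):
    """Number of candidates tried before `password` is produced, or None if the
    rule set never produces it (the attacker must fall back to brute force)."""
    for i, candidate in enumerate(mangled_candidates(dictionary), start=1):
        if candidate == password:
            return i
    return None


def rule_set_bits(dictionary):
    """log2 of the total candidates the rule set can produce: an upper bound on
    the work to crack *any* password built this way from this dictionary."""
    return math.log2(sum(1 for _ in mangled_candidates(dictionary)))


def passphrase_bits(wordlist_size, words):
    """Entropy of `words` words drawn uniformly at random from a list of
    `wordlist_size` words. Strength comes from the random draw, not from how
    unusual the words look."""
    return words * math.log2(wordlist_size)


def random_passphrase(wordlist, words=4):
    """Draw a passphrase with the OS CSPRNG (what a password manager's
    generator does); never pick the words yourself."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for pw in ["summer123", "$umm3r123", "Summer 35 raspberry fish"]:
        print(f"{pw!r:30} found after {guesses_to_find(pw, DICTIONARY)} guesses")
    print(f"rule set over {len(DICTIONARY)} words: {rule_set_bits(DICTIONARY):.1f} bits")
    # EFF's long wordlist has 7776 words; four random words is about 51.7 bits.
    print(f"4 random words from 7776: {passphrase_bits(7776, 4):.1f} bits")
    print("example:", random_passphrase(DICTIONARY))
```

The exact numbers are not the point (a real dictionary is millions of words and the rule set far richer); the point is that every "clever" variant is enumerable. Here $umm3r123 costs the attacker a few thousand extra guesses over summer123, out of a total search space of under 2^18 candidates, and even at realistic dictionary sizes the space stays at a few tens of bits, well within reach of offline cracking. The four-word passphrase only reaches 50-plus bits if the words were genuinely drawn at random; a phrase you compose yourself is back in dictionary territory.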

Password Management Software

There are a number of password management software packages available, for example LastPass, Dashlane, and 1Password. They work by storing all your passwords in an encrypted vault that is unlocked by a single master password, which means you can use long, random, unique passwords for every account without having to remember them. That master password is the one that must be strong and never reused, and it should be protected with two-factor authentication where the product offers it. There are many benefits to using password management software:

  1. You will only need to remember one master password.
  2. The software can generate random passwords, which are much harder to crack than any password you would come up with yourself.
  3. Logging in to accounts is easy, as a browser extension can auto-fill your login for you, removing the need to remember secure passwords. Because the extension only fills credentials on the site they were saved for, it also helps staff avoid typing a password into a look-alike phishing page.
  4. You can share passwords for joint accounts with colleagues; the software lets you control who has access to each password.
  5. You can use the same password manager on multiple devices, including mobile devices, and often for app passwords too.

In 2016 the NCSC published guidance on password security which suggests a number of ways in which organisations can help staff cope with password overload and increase security. You may find it useful to download the NCSC Password Security guidance document. You can also find out what the NCSC thinks of password managers.

At SortmyPC we work closely with our clients to ensure their business data is secure. If you would like advice on password security or how to reduce security risks to your organisation, please contact us for a free initial consultation.

Further info

www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity

www.bbc.co.uk/news/technology-40875534

www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers