How to choose a secure password: Difference between revisions
Latest revision as of 16:25, 22 November 2018
Introduction
Why passwords?
We all hate having to remember passwords. So why are they used? Mainly because they are cheap and can be changed quickly, and the alternatives such as secure tokens or biometric information are expensive and hard to use.
Why secure?
You don't need a different secure password for everything, but you should have a secure password for anything involving money (eg. bank or online retailers) or anything that could be used to confirm your identity or receive sensitive documents (eg. your email account).
Choosing a secure password
- Choose the first letter (or sound) of each word in a memorable phrase or line from a song. So "I'm Jumping Jack Flash and it's a gas" could become "IJJFaiag" or even "I'JJF,&isag".
- Length is not the most important thing, but 8 characters is a usual minimum for most systems.
- Using symbols can be very good, but be careful if you use a different keyboard (eg. laptop, Mac, foreign keyboard), as the same key may produce a different symbol.
- Avoid using words, even foreign ones.
- Avoid mixing words (eg. "blackhat").
- Reversing a word (eg. "eruces") does not help much.
- Substituting letters in a word with obvious numbers (eg. "z3r0") does not help much.
- Appending dates or numbers to words (eg. "england1966") does not help much.
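As an added example (not part of the wiki page), the checker below applies the rules above to a candidate password: it undoes the weak transformations the page lists (case, obvious number substitutions, appended numbers, reversal) and then looks for a dictionary word or two joined words underneath. The word list is a constructed stand-in; a real deployment would load a full dictionary and a common-password list.

```python
import re
from typing import Optional

# Constructed stand-in for a real dictionary / common-password list (assumption:
# a deployment would load a large list instead of these few words).
WORDLIST = {"secure", "black", "hat", "england", "zero", "password", "jumping", "flash"}

# Undo the "obvious number" substitutions the page mentions (z3r0 -> zero).
LEET = str.maketrans("013457@$", "oleastas")


def as_words(s: str) -> Optional[list]:
    """Return the word(s) s is built from, or None. Covers 'blackhat'-style joins."""
    if s in WORDLIST:
        return [s]
    for i in range(1, len(s)):
        if s[:i] in WORDLIST and s[i:] in WORDLIST:
            return [s[:i], s[i:]]
    return None


def word_base(pw: str) -> Optional[list]:
    """Apply the weak transformations from the page and report the underlying word(s)."""
    low = pw.lower()
    stripped = re.sub(r"\d+$", "", low)          # england1966 -> england
    forms = {low, low.translate(LEET), stripped, stripped.translate(LEET)}
    for form in sorted(forms | {f[::-1] for f in forms}):   # eruces -> secure
        words = as_words(form)
        if words:
            return words
    return None


def check_password(pw: str) -> list:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than the usual 8-character minimum")
    words = word_base(pw)
    if words:
        problems.append("based on dictionary word(s): " + "+".join(words))
    return problems


if __name__ == "__main__":
    for candidate in ["blackhat", "eruces", "z3r0", "england1966", "IJJFaiag"]:
        print(candidate, "->", check_password(candidate) or "ok")
```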
What to do with your password
- Writing down a password is not itself insecure, as long as it is held securely. An example is a sealed envelope (which you do not reseal once opened) in a secure place (eg. locked drawer or data safe). Sticking it on your monitor, keyboard or desk is not safe.
- Don't reuse a password for an important system (eg. bank or email) for anything else. This way, if your password for only one system becomes known, the damage is limited; but if someone gains access to everything you use, the damage will be much larger and harder to fix.
Some myths
- "Why would anyone want to steal my password?"
- An attacker may not be interested in you personally, but is trying to gain access to millions of accounts at a time. If your password is one of the easy ones then it will be guessed first and cracked. If it is a secure one then it will usually be ignored as being too much trouble.
- "But how can they guess my password?"
- An attacker does not try to guess. They run a program that tries millions of different passwords a second. These are based on the most common passwords that people use, which is why you need to avoid using simple passwords.
- "Should I change my password every 3 months?"
- Not really. It's a common practice at some companies to force people to change their password every 3 months. This can protect against long-term, professionally targeted attacks on that particular company, but it does nothing to protect against random attacks. And by forcing people to learn a new password often, it can lead to poor choices because the password change has to be made quickly.
Further information
- Bruce Schneier on Security:
- https://www.schneier.com/essay-246.html
- https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
- Lockdown Password Guide
- http://www.lockdown.co.uk/?pg=password_guide
How to change my password
Please consult the dedicated page How to change my password.