How to choose a secure password: Difference between revisions

From Supporting Role Wiki

Latest revision as of 16:25, 22 November 2018

Introduction

Why passwords?

We all hate having to remember passwords. So why are they used? Mainly because they are cheap and can be changed quickly, and the alternatives such as secure tokens or biometric information are expensive and hard to use.

Why secure?

You don't need a different secure password for everything, but you should have a separate, secure password for anything involving money (e.g. your bank or online retailers) and for anything that could be used to confirm your identity or to receive sensitive documents (e.g. your email account, which is also where password resets for your other accounts are sent).

Choosing a secure password

  • Choose the first letter (or sound) from a memorable phrase or line from a song. So "I'm Jumping Jack Flash and it's a gas" could become "IJJFaiag" or even "I'JJF,&isag". A phrase that anyone might think of first (a famous chorus, a proverb) gives a weaker result than an obscure or personal one.
  • Length is the single biggest factor in how long a password takes to crack: each extra character multiplies the number of guesses needed. 8 characters is the usual minimum most systems enforce; treat that as a floor, not a target.
  • Using symbols can be very good, but be careful if you use a different keyboard (e.g. laptop, Mac, foreign keyboard), where the symbol may be on a different key or missing altogether.
  • Avoid using words, even foreign ones: cracking programs start from dictionaries in many languages.
  • Avoid simply joining words together (e.g. "blackhat"): crackers try combinations of dictionary words too.
  • Reversing a word (e.g. "eruces") does not help much.
  • Substituting letters in a word with obvious numbers (e.g. "z3r0") does not help much.
  • Appending dates or numbers to words (e.g. "england1966") does not help much. These last three are standard "rules" that cracking programs apply automatically to every word in their list.

What to do with your password

  • Writing down a password is not in itself insecure, as long as the note is held securely. An example is a sealed envelope (which you do not reseal once opened, so that tampering is obvious) kept in a secure place (e.g. a locked drawer or data safe). Sticking it on your monitor, keyboard or desk is not safe.
  • Don't reuse the password for an important system (e.g. bank or email) anywhere else. That way, if the password for one system becomes known, the damage is limited to that system; if the same password opens everything you use, the damage is much larger and harder to fix. Attackers routinely try passwords leaked from one site against other sites.

Some myths

  • "Why would anyone want to steal my password?"
An attacker may not be interested in you personally, but is trying to gain access to millions of accounts at a time. If your password is one of the easy ones then it will be guessed first and cracked. If it is a secure one then it will usually be ignored as being too much trouble.
  • "But how can they guess my password?"
An attacker does not sit and guess by hand. They run a program that tries millions of candidates a second against a stolen list of password hashes. The candidates start with the most common passwords people actually use and then work through systematic variations of dictionary words (reversed, with numbers substituted, with a year on the end), which is why you need to avoid those patterns.
  • "Should I change my password every 3 months?"
Not really. It is a common practice at some companies to force people to change their password every 3 months. This can limit the damage from a long-term, professionally targeted attack on that particular company, but it does nothing to protect against random attacks. And by forcing people to learn a new password often it leads to poor choices, because the change has to be made quickly: typically the same password with a digit incremented, which an attacker who knew the old one can guess immediately.
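To make the "Choosing a secure password" advice and the "how can they guess" answer above concrete, here is a miniature dictionary cracker. It is an added example written for this page, not code from the wiki or from any real cracking tool; the word list, the set of mangling rules and the target hashes are all constructed for illustration and are tiny stand-ins for the multi-million-entry lists and rule sets attackers actually use. It applies exactly the transformations the page warns against (reversal, obvious digit substitution, appended years, joined words) to a handful of dictionary words and checks the results against SHA-256 hashes of the page's own example passwords.

```python
import hashlib
import itertools

# Constructed miniature word list; real cracking lists hold millions of
# entries in many languages.
WORDLIST = ["password", "secure", "zero", "black", "hat", "england", "letmein"]

# The "obvious number" substitutions the page warns about.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet(word):
    """Apply obvious letter-to-digit substitutions: 'zero' -> 'z3r0'."""
    return "".join(LEET.get(c, c) for c in word)


def candidates(words, years=range(1950, 2030)):
    """Yield guesses in roughly the order a cracker would try them:
    the plain words first, then cheap single-word rules, then word pairs."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w[::-1]                          # reversed word: "eruces"
        yield leet(w)                          # substitutions: "z3r0"
        for n in range(100):
            yield f"{w}{n}"                    # trailing number
            yield f"{w.capitalize()}{n}"       # "Password1"
        for y in years:
            yield f"{w}{y}"                    # appended year: "england1966"
    for a, b in itertools.permutations(words, 2):
        yield a + b                            # joined words: "blackhat"
        yield a.capitalize() + b.capitalize()


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hashes, words=WORDLIST):
    """Run the candidate stream against a set of unsalted SHA-256 hashes
    (the kind of fast, unsalted hash a leaked database often contains).
    Returns (dict of hash -> recovered password, number of guesses made)."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for guess in candidates(words):
        tried += 1
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
            if not remaining:
                break
    return found, tried


def is_weak(password, words=WORDLIST):
    """True if this toy cracker would recover the password."""
    return any(guess == password for guess in candidates(words))


def demo():
    # Constructed targets: the patterns the page warns against, plus the
    # two phrase-derived passwords from the page's own example.
    weak = ["eruces", "z3r0", "england1966", "blackhat", "Password1"]
    phrase_based = ["IJJFaiag", "I'JJF,&isag"]
    found, tried = crack([sha256_hex(p) for p in weak + phrase_based])
    return sorted(found.values()), tried


if __name__ == "__main__":
    recovered, tried = demo()
    print(f"{tried} guesses, recovered: {recovered}")
```

All five "clever" passwords fall out of a seven-word list in a couple of thousand guesses, while the two phrase-derived ones survive because no rule derives them from a dictionary word. Real tools (hashcat, John the Ripper) apply thousands of rules to million-word lists and, against a fast unsalted hash like the SHA-256 used here, run at billions of guesses a second on commodity GPUs; anyone running a login system should store passwords with a slow, salted hash (bcrypt, scrypt or Argon2) precisely so that this loop becomes expensive.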

Further information

  • Bruce Schneier on Security:
https://www.schneier.com/essay-246.html
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
  • Lockdown Password Guide
http://www.lockdown.co.uk/?pg=password_guide

How to change my password

Please consult the dedicated page How to change my password.