The problem of passwords

I have talked about passwords before, and passwords, or at the very least warnings to change your password, seem to be rarely out of the press.

This is normally due to a data breach, though not always a recent one. We have been treated to another of these historic password breach scenarios recently, as a Yahoo breach found its way back into the headlines and once again people were asked to change their passwords well after the hacker-horse had bolted. Very often we hear, reassuringly, that no financial information was lost during the breach. I say reassuringly, but that is only really reassuring to the organisation that lost, or failed to protect, the information in the first place. If you are one of the many people who use the same password across a variety of platforms, then this won’t reassure you. Similarly, if you use the same security question across platforms, this won’t reassure you either.

You see, hackers rarely steal email information because they want to read about your personal life (they might, but let’s leave that one there for another time). No, they may want to know certain things about you that allow them access to more lucrative areas of your life than your grocery delivery; such as who you bank with, perhaps. Then they might take a punt that you use the same password or security question on your bank too. So, being told no financial information was taken during the security breach really doesn’t offer any assurance to you over the state of your actual financial situation. Not only should it in no way reassure you, it should also inform you that you can never use that password or security question again. Anywhere. I can appreciate this may mean getting a new pet, but that security question could compromise you for the rest of your digital life.

Passwords are difficult. Secure passwords are difficult because you have to remember them, and a secure one should not contain any dictionary words or things like your name or date of birth. Advice from CESG (the technical arm of GCHQ and soon to be the NCSC) has always been to change your password regularly. This has now changed, because having to recall multiple complex passwords made it more likely that people would indulge in risky password behaviour, like writing it down somewhere, for instance. The advice now is to create a solid, complex password and keep it for a reasonable length of time, with no enforced change. So how do you create a password that you can remember easily? Well, one methodology is to think of a phrase that could be your favourite TV show or a lyric, something that you can recall. Choose one letter from each word in the phrase and randomly capitalise throughout. Add symbols and numbers to create more complexity, but make sure you have not inadvertently created an actual word or something that could be interpreted as a word, e.g. p@55word, as this is something that can be easily broken. As an example, ‘follow the yellow brick road’ might become FwTyBR4# – symbols, upper and lowercase letters and a number. Now you need to remember your phrase, which should be easier to recall, and the effort needs to go into remembering what you capitalised and what symbols you picked. It’s more secure than, say, ‘Dorothy1939’ or ‘WizardOfOz1’, but you only need to remember the film and you are halfway there. Try it and see how you get on. If you have a Yahoo account, you might want to try it now…
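The phrase method above is a small algorithm, and the "have I accidentally made a word" check is the part people skip. The following Python is an added example written for this post, not the author's code: it builds a password from a phrase by the stated rule (one letter per word, chosen capital positions, a symbol and digit suffix), then vets the result by undoing common letter-for-symbol substitutions and searching for dictionary words, so that p@55word is caught and Dorothy1939 is flagged for the name it contains. The substitution table and the tiny word list are constructed stand-ins; a real check would load a proper wordlist. The character-class entropy estimate is the usual brute-force upper bound and deliberately overstates the strength of anything the dictionary check flags.

```python
import math
import re

# Constructed table of common stand-ins: undo them before looking for words,
# because cracking rule sets undo them too (assumption: covers the usual set).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

# Constructed mini dictionary standing in for a real wordlist.
WORDLIST = {"password", "word", "pass", "follow", "yellow", "brick", "road",
            "dorothy", "wizard", "oz", "the"}


def phrase_to_password(phrase, letter_index=0, capitalise=(), suffix=""):
    """Turn a memorable phrase into a password by the post's rule: take one
    letter from each word (position letter_index, wrapping for short words),
    capitalise the chosen word positions, then append symbols and digits.
    The choices are explicit parameters so the result is repeatable; in real
    use the capital positions and suffix are whatever you decide to remember."""
    words = phrase.split()
    letters = []
    for i, word in enumerate(words):
        ch = word[letter_index % len(word)]
        letters.append(ch.upper() if i in capitalise else ch.lower())
    return "".join(letters) + suffix


def contains_dictionary_word(candidate, wordlist=WORDLIST, min_len=4):
    """Return the dictionary words (length >= min_len) hidden in the candidate
    once symbol/digit stand-ins are mapped back to letters and case is dropped.
    An empty list means the password passes the 'no accidental word' test."""
    normalised = candidate.translate(LEET).lower()
    letters_only = re.sub(r"[^a-z]", "", normalised)
    return sorted(w for w in wordlist if len(w) >= min_len and w in letters_only)


def brute_force_bits(candidate):
    """Search-space estimate in bits, assuming an attacker has to try every
    combination of the character classes present. This is an upper bound:
    a password built from a dictionary word is far weaker than the figure
    suggests, which is exactly why contains_dictionary_word() matters."""
    size = 0
    if re.search(r"[a-z]", candidate):
        size += 26
    if re.search(r"[A-Z]", candidate):
        size += 26
    if re.search(r"[0-9]", candidate):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", candidate):
        size += 33  # printable ASCII symbols
    return round(len(candidate) * math.log2(size), 1) if size else 0.0


def vet(candidate):
    """Summarise a candidate: hidden words (should be none) and the bit estimate."""
    return {"hidden_words": contains_dictionary_word(candidate),
            "brute_force_bits": brute_force_bits(candidate)}


if __name__ == "__main__":
    built = phrase_to_password("follow the yellow brick road",
                               letter_index=0, capitalise={0, 2, 4}, suffix="4#")
    print(built, vet(built))
    for weak in ("p@55word", "Dorothy1939", "WizardOfOz1"):
        print(weak, vet(weak))
```

Running it shows the phrase-derived password with no hidden words, while the three weak examples each surface the word they are built around despite the digits and symbols dressing them up.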

The password conundrum continues when it comes to the use of password keepers. Anecdotally, these applications seem to be used largely for convenience. That’s fine, but they do represent an opportunity to really improve security. Of course that depends on what you have chosen and how you use it. There are two ways password keepers generally work. One is locally sited and keeps passwords used on a specific device. So if you use the same device all the time, or do not access multiple platforms that require your passwords on other devices, this would probably suit you perfectly. You can also have cloud-based password keepers; these work as an account across multiple devices, and so if you use certain sites or applications across a variety of devices you might use this type. The security of both types is not guaranteed, and it would be wise to mention at this stage that there have been data breaches at password keepers. So you need to exercise judgment and, dare I say, risk-assess the use of password keepers.

If you do decide to use one, it enables you to increase the density and complexity of your passwords, because you won’t be required to remember them… unless you are happy to use the methodology I described above and as such can now remember all your passwords with ease. Increasing the complexity of your passwords should mean you are far less likely to have them discovered or broken. The main password, i.e. the password to your password keeper, needs to be very robust. This means that not only have you had the chance to create some really strong passwords for individual applications and sites, which will increase your security, but your password keeper is equally well protected. Always consider two-factor authentication wherever it is offered, and if this means a security question or phrase, make sure you never re-use an old one.

The problem of password security isn’t going to go away for a while yet. Other methods of verification do not seem to have pushed forward a clear winner or ubiquitous alternative. It won’t be the last time we hear about an old breach that has future ramifications for us, so get on top of your password hygiene and process now. Once more unto the breach! Sorry, I’ll get my coat…