Psst … secret passwords and how to protect them
We all know that strong passwords are key to maintaining your IT security. One of the reasons that hackers were able to break into the Sony Pictures system so easily was that vast numbers of employees used easily guessable passwords such as “password” and “s0ny123”.
Even better, someone had very kindly written them all down and saved them in a document called “passwords”. There’s nothing like making a hacker’s job easy for them.
The best passwords are at least eight characters long; 12‒14 is preferable. They contain a mix of lower and upper case letters, numbers, and special characters.
They do not use real words that appear in a dictionary, or obvious dates or sequences of numbers. (According to 2012 data from SplashData, the second and third most popular ‒ and therefore worst ‒ passwords in use were “123456” and “12345678”.)
You use a different password for each application or service, and you change them all regularly. Oh, and you always ignore that helpful little box that pops up and asks, “Would you like to save the password for xxx?”
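The rules above (minimum length with a 12–14 character target, a mix of character classes, no dictionary words, no obvious dates or number sequences, and a block on the worst passwords such as “123456” and “12345678”) can be turned into a simple checker. The following is an added example written for this article, not a Firstline IT tool; the common-password and dictionary lists are small constructed samples standing in for the large breached-password and word lists a real deployment would load.

```python
import re

# Constructed sample of commonly used passwords (includes the ones named in the
# article). A real check would load a large breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "12345678", "s0ny123", "qwerty", "letmein"}

# Constructed mini dictionary; a real check would use a full word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "football"}

MIN_LENGTH = 8           # hard floor from the guidelines
RECOMMENDED_LENGTH = 12  # 12-14 characters is preferable


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending
    characters, e.g. '1234', 'abcd' or 'dcba'."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str) -> list:
    """Return a list of policy findings; an empty list means the password passes.
    The 'shorter than the recommended' finding is advisory, the rest are failures."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        problems.append(f"shorter than the recommended {RECOMMENDED_LENGTH}")

    # Mix of lower case, upper case, digits and special characters
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    if not all(classes):
        problems.append("missing lower/upper/digit/special mix")

    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")

    # Any alphabetic run inside the password that is itself a dictionary word
    for word in re.findall(r"[a-z]+", pw.lower()):
        if word in DICTIONARY_WORDS:
            problems.append(f"contains dictionary word '{word}'")
            break

    if has_sequence(pw):
        problems.append("contains a character sequence")

    # Obvious dates: a 19xx/20xx year, or a password made of digits only
    if re.search(r"(19|20)\d{2}", pw) or pw.isdigit():
        problems.append("looks like a date or is all digits")

    return problems


if __name__ == "__main__":
    for candidate in ["password", "12345678", "s0ny123", "Tr7!kv#Qm2pZ"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Run it as a script to see the findings for the article's own examples; the last candidate is a constructed 12-character password that passes every rule. A checker like this belongs at the point where a password is set, so a weak choice is rejected before it ever reaches the system.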
But back to the real world, where every retail site, hobby forum, and app insists that you log in, and it is simply not humanly possible to remember that number of randomly generated, long, and complicated passwords. So what do you do?
At Firstline IT, we’ve put together some practical password guidelines that you can use at home and at work to keep your systems secure, while not spending all your time trying to remember multiple random strings of letters, numbers, and special characters.
1. Use unique and very strong passwords for your business network, your bank, and any other websites or apps that connect with your financial or other confidential data – or where a hack might pose a reputational risk, such as your email or social media accounts.
Never, ever allow your computer system to save these passwords, and always make sure that you log out of the systems when you have stopped using them, or even if you just step away from your desk. Most of these types of systems will log you out automatically after a few minutes of inactivity, but it’s better to do it yourself.
2. There is probably a second tier of websites and apps that you might use regularly, but which are not high on your list of security concerns.
For example, if hackers broke into your supermarket shopping account, it would benefit them little to know your weekly order of avocados, prosciutto, and walnuts, though it might give them a few recipe ideas.
For these sites, keep your passwords strong, but it’s probably OK to use the same password in several different places. Just make sure that you never accidentally save your credit or debit card details, or link to your PayPal account.
3. For the third tier of websites that you might occasionally look at to read discussions about a hobby or see funny photographs or cartoons, it’s fine to use the same password for all of them, and it doesn’t even have to be that strong.
4. Unless you’ve got the sort of brain that can remember long, randomly generated sequences, you are still going to need to find somewhere to store your passwords.
There are a number of different password-management apps available, but the one we recommend is Roboform. It’s free, easy to use, and you only need to remember one master password. Password management apps keep passwords encrypted, by the way, which makes them more secure than letting your Microsoft or Apple software save them for you, and is why you are better off using one of them.
5. If you don’t fancy entrusting your passwords to a password manager, why not try inventing your own way of encoding passwords that you can remember?
We know someone who bases all his passwords on Shakespearean quotations, but has developed a clever and irregular way of encoding them that’s not just substituting a symbol for a similar-looking letter (such as “S@l@d_d@ys”). All he has to do, therefore, is remember which quote he used for each site.
According to one of our Firstline colleagues, an extension of this coding method is used by a learned priest, who bases all his passwords on prayers. And not just quotations from prayers: he uses the whole text!
To be honest, his encoding system is probably not that thorough, but anyone devout enough to be able to identify so many prayers is unlikely, one would have thought, to be a cyber-criminal.
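Point 5 warns that simply swapping a symbol for a similar-looking letter (“S@l@d_d@ys”) is not a real encoding. The reason is that such substitutions are reversible by a fixed table, so a quotation-derived password normalises straight back to the quotation. The check below is an added example written for this article, not Firstline IT’s code; the substitution table and the phrase list are constructed samples, and it is the kind of audit step a defender can run alongside a dictionary check.

```python
import re

# Common look-alike substitutions, the kind that "S@l@d_d@ys" relies on.
# Constructed for this example; real audit tooling uses longer tables.
LEET_MAP = {
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t", "|": "l", "8": "b",
}

# Constructed phrase list standing in for a corpus of well-known quotations.
KNOWN_PHRASES = {"salad days", "to be or not to be", "all that glitters"}


def normalise(candidate: str) -> str:
    """Undo look-alike substitutions, lower-case the text and treat
    '_', '-' and '.' as word separators."""
    out = "".join(LEET_MAP.get(ch, ch) for ch in candidate.lower())
    out = re.sub(r"[_\-.]+", " ", out)
    return " ".join(out.split())


def recovers_known_phrase(candidate: str) -> bool:
    """True if the candidate is just a symbol-for-letter substitution on a
    phrase in the corpus, i.e. the 'encoding' adds nothing."""
    return normalise(candidate) in KNOWN_PHRASES


if __name__ == "__main__":
    for candidate in ["S@l@d_d@ys", "T0_b3_0r_n0t_t0_b3", "Tb0n2b!"]:
        verdict = "plain substitution" if recovers_known_phrase(candidate) else "not recovered"
        print(f"{candidate!r} -> {normalise(candidate)!r}: {verdict}")
```

The first two candidates normalise to their source quotations and would be rejected; the third (a constructed example built from initial letters rather than whole words) does not map back to the phrase, which is the property an irregular encoding of the kind described in the article needs to have.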