Password Security

Dan

Senior Web Developer

View Profile

Dan

Dan

Written on 30 May 2019

Presumably the website you're using has something behind it you don't want public? That might just be your name and address, but maybe it's your purchase history or financial details, maybe the account is linked to your credit card – I can't imagine anyone wants any of that information exploited. Passwords can be easy to crack, especially with a computer doing the "guessing", so it's important that you make it as difficult as possible for someone to get in to your account.

Is my password secure?

If your password is personally identifiable or can be associated with you then chances are it's not secure. It's fairly common for users to create passwords using a spouse's name, a child's birthday or an address; something that's easy to remember. You might even opt for generic words or phrases, maybe something topical or a catchphrase from a current TV show a good idea is to avoid common passwords.

You don't even need a computer to break passwords if a person can guess them. Weak and stolen passwords will account for the vast majority of unauthorised account access and ensuring you set a good password is incredibly important and your first line of defence.

The common issues with passwords

Memorable words

Easy to remember, common words and keyboard patterns are easy to guess, even when you're replacing characters with digits; system dependent, a program just trying words or combinations of words and spelling variants can guess passwords like this in a matter of seconds (if not less) – granted with online systems, limitations and other security systems in place this sort of speeds are unrealistic, but using simple to guess passwords is still not sensible.

Difficult to remember

Size is important, longer passwords are harder to guess, but long passwords shouldn't come at the expense of your password being very difficult to remember you'll end up being more inclined to create a long but insecure password that's easy to crack. A good password doesn't need to be complex.

Over the top password requirements

Unfortunately LOADS of websites still require you to meet certain criteria with the password you're creating. Common ones you'll see are:

Must contain at least one number
Must contain at least one symbol
Must contain at least one uppercase character
Must contain at least one lowercase character
Must be at least 8 characters

The idea behind this is to force users to create passwords that are built from a larger pool of possible characters, which in theory would mean computers would have to do more work to check all combinations of passwords of a certain length.

Regardless of whether this is true or not, this causes frustration for the user when their reasonably easy to remember and probably secure password is rejected constantly and eventually they'll either give up or be forced to create a bad passwords that's easy to guess. In systems like these you'll find an abundance of users with the passwords like "Password123!" and "Qwertyuiop0[".

Using the same password on every site

This is easy to fall in to with so many websites and services out there requiring a log in, you might find yourself using the same password or a slight variation of the same password on every site. In an ideal world if the password is strong and you can guarantee the security of the website you're using it on then I honestly don't think this is a bad idea, in reality these passwords are only really as secure as all the sites are and if one of them becomes compromised, all of your accounts are compromised.

Assuming that your password is being handled securely

Hopefully in 2019 you're using a service that at the very least isn't storing your passwords as plain text – there will be some out there. You'll almost certainly be using websites not implementing the latest security measures on their websites since it's just not realistic to continuously change and update how you're storing passwords and how a website login works.

For this reason I always assume that if I'm creating an account on a website that someone is going to see it. This almost always forces me to come up with a new, strong password.

Sharing your password

As soon as you give your password to someone else your accounts security is out of your control. It happens, but consider keeping your accounts private to keep them as secure as possible.

Can I do anything to check if my credentials are secure?

There are a few websites out there that let you put in an email address and it will tell you if you have been included in any lists online, or if you have an account on a website that has experienced a breach.

HaveIbeenpwned can help identify where your password may have been made public due to a breach of popular sites or if it's been posted on certain websites. If your email address shows that your credentials may have been leaked it's a good indicator that you should update your password on that service and ensure you aren't using that same password on other services.

General rule of thumb with the internet

If you don't want something public don't put it online – even if it's behind a "secure" system. It's an odd concept when your entire life can be shared online with a few simple clicks and almost impossible to do when almost everything is online, but it's important to understand that the security of a system is more a question of "when" than it is "if". It's easier to deal with unauthorised access to one of your account when nothing truly private or critical has been accessed.

omputers are getting more powerful, technologies are becoming more sophisticated and supposed secure systems are becoming less secure as time passes; this might be because of vulnerabilities or new technologies but websites and software should always be improving their own security to battle this and you should always endeavour to keep your accounts secure as possible.

How should I come up with passwords

There are a few simple rules you can apply to create good passwords:

Longer passwords are going to be less common, they're going to be harder to guess, but at the same time they're going to be more difficult to remember. To counter this try coming up with a series of words that you can easily remember or associate with a nice initialism or acronym. I'm sure everyone can remember how to spell "because" from school using some clever mnemonic device - you can remember passwords in a similar way. Pick a short easy to remember 5 or 6 character word and create a password using a word that starts with each letter, it doesn't need to make sense, it just needs to be memorable, e.g.:

SHIPS – SwiftHorsesIdeallyPassSafely – then hopefully you only need to remember the word "ships"

I keep forgetting my passwords – I have too many passwords

I appreciate coming up with unique, long and secure passwords for every single site you use is difficult, and I know most people will end up using the same, short, easily guessable password on every single site – but there are a few things you can do to help

Write them down

It sounds like an odd concept writing down your passwords, it certainly doesn't sound secure, but the easiest to do is to simply write them down if you're struggling to remember them. If you physically write passwords down on a piece of paper and keep it somewhere safe you'll be far better off than if you use poor passwords everywhere.

Passwords that are written down can be a little more complex and a little harder to remember, because you don't need to remember them and they're already going to be behind a level of security, be it the locked doors of your house or your person.

Browser functionality

Many web browsers have features to remember and even generate your secure passwords. They'll often do a better job of making secure passwords than a person could (and remember them) but it's important to keep in mind that they're storing your passwords and they are accessible if anyone has access to your computer/browser. Only use this feature in a secure environment.

Password Managers

There are a few services that exist that can generate and store passwords you use online or on your computer. Usually there will be a free service available, but in most office environments you may need to purchase a license or pay for this service. Some examples of this are lastpass and keepass. It’s important to note that these services are only as secure as the service themselves and the credentials you use to log in, so even in these instances password security is important.

What else can be done

It's important to make sure you're making use of a websites security features if it offers them. Some might make it easier to recover your account if lost/stolen and some will make it more difficult for people to access your account all together.

Secret questions/answers

Account recovery features are very common and often rely on common information about you, if you make these too easy then you're actually decreasing the effectiveness of your account security. Try to make the secret questions and answers very difficult to guess whilst still being easy to remember by avoiding information readily available online.

2-factor authentication

This adds an extra check against your account to if a successful login attempt is made. Even after your credentials have been added correctly a code will be requested. This code may come via email, SMS, an app or be requested from a physical device that needs to be entered to proceed. Not all sites offer this but it can be important to use if it's available.

Although these methods have their own security concerns however it's looked at its an extra level of security that's easily managed being added to your account.

Passwordless login

In most common cases this will utilise another service through some level of authentication to log you in. Commonly I've seen this where a link to login is sent to a mobile device or your email upon request. The lack of password gives other accounts on the web a level of protection, but this sites login becomes only as secure as the account behind it (your email or SMS for instance). There are certainly more secure implementations than described, but it's not yet a particularly common feature seen on sites.

In the event of an unauthorised account access it's important to review and reset these.

Create longer passwords
Easy to remember
Don't use simple, single words
Understand that character substitution is an easy thing to crack