The Secret to Secure Passwords

Security is, and will continue to be, a big issue in IT. The growth of phishing attacks, and specifically those that distribute ransomware, continues to affect schools right across our region and beyond.

In our previous articles Ransomware – don’t fall victim and Phishing – make sure you’re protected, we explored some key facts and actions that users can take to help keep themselves safe from attack.

We will continue to explore key user actions in more detail in this article series; in this article we are focusing on password security.

If you just want to know the hows rather than the whys, go to the summary.

Hasn’t computer security got better?

IT, and specifically the Internet, is still a very young technology. That is why it seems to be moving forward so fast: its huge potential is nowhere near being met, and the revolution will continue.

But it is now mainstream, with whole industries developing it, and this is why we are now seeing much broader scrutiny of the technologies powering it. Some of that scrutiny is used to improve security, and some of it is used to exploit weaknesses.

The race is on between the developers and the hackers to protect or break into your data, and at the moment the hackers are, to a certain extent, winning. This is evidenced by the success of phishing attacks and by people being held to ransom by criminals encrypting their data and charging them to get it back.

So to answer the question: yes, computer security has got much, much better. Whilst no piece of software or system can ever be 100% secure or free of bugs, there is now much more awareness of application and data security, and it is baked into systems right from inception.

You are the weakest link

Awareness, research and tools surrounding computer security have now reached the stage where the weakest part of the security model is the user. We are all guilty of using passwords that are too weak, using the same password on multiple sites, and not keeping them secure.

This is why one of the greatest tools in the hackers' arsenal is the social hack. How do hackers install malware on your computer? They trick you into doing it, either through a carefully crafted email or a booby-trapped web page; they use their knowledge of human nature to coerce you into opening the door for them.

That covers the wider subject when it comes to phishing, malware and ransomware, but where do passwords fit into all this?

Again, it comes down to human nature. We remember things by association, so when we think of a password it is natural to use the name of our pet, or to set our PIN to a child's date of birth. If someone can do some research on you, they have a much smaller selection of things you might have used as your password, so it is easier to break into an account that belongs to you. And once they have cracked one account, it is likely they will be able to crack a range of others, because you will probably have used the same or a similar password in multiple places.

How secure is my current password?

How secure your password is depends on what information the person attacking it has, but even against a general brute force attack you may be surprised at how quickly it could be cracked; just try this tool to see a rough estimate of how long that could take.

How do I make my passwords more secure?

It all comes down to how long it would take to perform a brute force attack on your password, so anything that reduces the range of characters or words you might have used will reduce that time. This is why websites always say "use at least one uppercase character and one number": if we used only lowercase characters, each position in the password has only 26 possibilities, whereas with uppercase characters in the mix it is 52, plus 10 for digits, and suddenly the number of combinations is much higher.

The number of combinations can be worked out as N to the power of C, where N is the number of different characters that could be used in each position and C is the number of characters in your password. So the number of combinations goes up exponentially for each extra character in your password, which leads to only one conclusion:

Password length is the only thing that matters

Even if your password contained only lowercase characters, as long as it is long enough the number of combinations will be greater than for a shorter password using a wider range of characters.

Websites that tell you that you must use, for example, at least one number and one uppercase letter are actually lowering security, because now the hackers know that every password will contain that pattern, and that reduces the number of combinations they have to search to crack a password for that site.
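To put numbers on the N-to-the-power-of-C argument, here is a small Python script (an added example, not code from the original article). It counts the brute-force search space for the alphabets the text mentions, shows that a 12-character lowercase password has a larger space than an 8-character letters-and-digits one, and quantifies, by inclusion-exclusion, how much a mandatory "at least one uppercase and one digit" rule removes from the space. The guess rate GUESSES_PER_SECOND is a constructed, hypothetical figure used only to turn counts into rough times.

```python
"""Brute-force keyspace arithmetic (added example, not from the original article)."""
import string
from math import log2

# Alphabet sizes used in the article: lowercase only, letters, letters+digits.
LOWERCASE = len(string.ascii_lowercase)                    # 26
LETTERS = len(string.ascii_letters)                        # 52
ALNUM = len(string.ascii_letters + string.digits)          # 62

GUESSES_PER_SECOND = 1e9   # constructed, hypothetical rate, not a measurement


def keyspace(alphabet_size: int, length: int) -> int:
    """N to the power of C: N possible characters per position, C positions."""
    return alphabet_size ** length


def keyspace_with_required_classes(length: int) -> int:
    """Count letter+digit passwords containing at least one uppercase AND one digit.

    Inclusion-exclusion over the 62-symbol alphabet: start from all passwords,
    remove those with no uppercase (36 symbols per position) and those with no
    digit (52 per position), then add back the lowercase-only ones (26 per
    position), which were removed twice.
    """
    total = keyspace(ALNUM, length)
    no_upper = keyspace(LOWERCASE + 10, length)
    no_digit = keyspace(LETTERS, length)
    neither = keyspace(LOWERCASE, length)
    return total - no_upper - no_digit + neither


def worst_case_seconds(combinations: int, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole space; the average case is half of this."""
    return combinations / guesses_per_second


def entropy_bits(combinations: int) -> float:
    """log2 of the keyspace, the usual unit for comparing password strength."""
    return log2(combinations)


def describe(label: str, combinations: int) -> str:
    """One formatted table row: label, keyspace, bits, worst-case years."""
    years = worst_case_seconds(combinations) / (365.25 * 24 * 3600)
    return f"{label:<30} {combinations:>22,d} {entropy_bits(combinations):6.1f} bits {years:12.2e} years"


if __name__ == "__main__":
    rows = [
        ("8 chars, lowercase", keyspace(LOWERCASE, 8)),
        ("8 chars, letters+digits", keyspace(ALNUM, 8)),
        ("8 chars, upper+digit required", keyspace_with_required_classes(8)),
        ("12 chars, lowercase", keyspace(LOWERCASE, 12)),
        ("14 chars, lowercase", keyspace(LOWERCASE, 14)),
    ]
    for label, n in rows:
        print(describe(label, n))
```

Running it shows the effect described in the text: the composition rule removes roughly a quarter of the 8-character letters-and-digits space, while adding four lowercase characters multiplies the space by 26 to the power of 4, which dwarfs any change to the alphabet.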

It still needs to be memorable

We also need to play to our own strengths when choosing a password. There is no point in choosing a huge, long, complicated password if it makes it an unbearable experience every time you want to access your account, because you cannot remember it or you have to write it down somewhere (which reduces password security).

Correct Horse Battery Staple

I personally quite like xkcd’s “correct horse battery staple” which not only illustrates very clearly why your current password is easy to crack, but gives you a great method of creating a secure password.

The idea is that you take four unrelated words and put them together to form your password. Similarly, you could use a famous quote, a song lyric, or any other sentence of your choosing; just make sure it is long, and remember where you used uppercase letters, spaces and other punctuation.

Remembering multiple passwords

We still haven’t solved the problem of not using the same password on multiple sites, and in reality there is no easy solution to this without using some tech to do the donkey work for us!

Simple answer? Use a password manager such as KeePass, or the password store built into your web browser, and then generate random passwords for each site (try this great password generator). Again, make sure the passwords you generate are long, and make sure to protect the password store with your easy-to-remember but long password, so you can access all your passwords.
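Both of the methods above, the "correct horse battery staple" passphrase and the random per-site password a manager would generate, can be demonstrated with a few lines of Python. This is an added example, not code from the original article, from xkcd, or from any password manager. It draws randomness from the `secrets` module, which is intended for security-sensitive use (the `random` module is not). WORDS is a small constructed sample list of 32 words; a real list such as a diceware list has thousands of entries, and the strength figures depend on the list size and word count, not on which words happen to come out.

```python
"""Passphrase and random password generation (added example, not from the original article)."""
import secrets
import string
from math import log2

# Constructed sample word list (32 entries). Real lists are far larger.
WORDS = (
    "apple", "bridge", "candle", "desert", "engine", "forest", "garden", "harbour",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quarry", "rocket", "saddle", "tunnel", "umpire", "velvet", "walnut", "yellow",
    "anchor", "button", "copper", "dragon", "falcon", "glacier", "hammer", "lantern",
)

# Letters, digits and punctuation: 94 symbols, typical of a manager's generator.
SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase(word_list=WORDS, words: int = 4, separator: str = " ") -> str:
    """Join `words` uniformly random entries from word_list (drawn with replacement)."""
    return separator.join(secrets.choice(word_list) for _ in range(words))


def site_password(length: int = 20, alphabet: str = SITE_ALPHABET) -> str:
    """Uniformly random string of `length` symbols from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy in `count` independent uniform picks from `choices` options."""
    return count * log2(choices)


def is_valid_passphrase(phrase: str, word_list=WORDS, words: int = 4, separator: str = " ") -> bool:
    """Check that a phrase consists of exactly `words` entries from word_list."""
    parts = phrase.split(separator)
    return len(parts) == words and all(p in word_list for p in parts)


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print(f"  {entropy_bits(len(WORDS), 4):.1f} bits from this 32-word list; "
          f"{entropy_bits(7776, 4):.1f} bits from a 7776-word diceware list")
    pw = site_password()
    print("site password:", pw)
    print(f"  {entropy_bits(len(SITE_ALPHABET), len(pw)):.1f} bits")
```

Four words from the tiny sample list give only 20 bits, which is why the size of the word list matters as much as the number of words; four words from a 7776-word list give about 51.7 bits, and a 20-character random site password about 131 bits, which is why the random one belongs in the manager and the passphrase is the one you memorise to unlock it.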

One problem with password managers is needing to access something when you haven’t got your password manager to hand. The solution is to use the password reset function of the website you are trying to access, which means that, as long as you have access to your email, with a bit of effort you can get into any of the accounts whose password you don’t know.

Again, just be sure that you have set a secure password that you can remember for your email, as that usually holds the keys to the farm!

Summary and Other Tips

Make your password hard to guess

  • Avoid birthdays, quotations, your kids, pets, nicknames, common words and phrases
  • Avoid anything people associate with you
  • Remember easy passwords don’t get harder just because you’ve added a couple of digits to the end and a capital letter at the beginning!

Size is the only thing that matters

  • Make your passwords as long as you can (14 characters+)
  • Adding complexity will make your password more secure, but if you don’t think you can remember where you put the uppers, digits and symbols, make up for it with length
  • Make sure you can remember it

One password, one account

  • Don’t reuse passwords
  • Use a password manager and generate your passwords
  • Use a different password for each account so that if one account does get hacked, the others won’t be compromised

Keep your passwords locked away 

  • Use a password manager to enable you to use more complex passwords and remember multiple passwords for different sites
  • Use a long, secure password to access the password manager, do not use that password for anything else, and do not write it down unless it can be kept in a safe place (i.e. not on your computer or your Dropbox)
  • Use random passwords with your password manager, and for rarely used accounts reset the password each time if you don’t have the manager to hand; use a secure password for your email account

Further Reading

Take a look at Song lyric to strong password in 6 steps from BBC Newsbeat, and for a more in-depth look at what ransomware is and the steps you can take now to protect your school network, take a look at the Sophos whitepaper How to stay protected against ransomware.

Solutions to help keep you protected

We offer a range of high quality endpoint protection solutions https://www.phoenixs.co.uk/swgfl-sophos/.

If your email service is provided by SWGfL then please forward any instances of phishing emails to spam@rm.com, and to talk to the tech team call 0845 307 7870.