Last week we had the opportunity to sit on a Cybersecurity Panel at an event hosted by NatWest. In the question and answer session, a gentleman asked me about passwords and whether keeping all your passwords in a central location, i.e. a password keeper on your phone, was actually secure. I said that no method is 100% secure; complete iron-clad security simply isn’t possible. But the safest practical option is to keep your passwords in a central, secure location such as a password protected app on your password protected phone.
Upon reflection, I later realised that he was questioning the security of writing down passwords versus memorising a single password. I’m annoyed that I didn’t address this point clearly and would like to do so now:
As attractive as it seems to simply commit one password to memory for all of your accounts, it’s not secure, and here’s why: the average internet user has dozens of accounts all over the web, including social media, banking, shopping, email, travel sites, learning sites etc. Each site is responsible for keeping its own data secure, and some sites are bigger targets for cybercriminals than others. Having the same password for every site means that you are trusting your complete online life to firms and businesses who may or may not be secure; all it takes is one breach and your password for all of your accounts is compromised. Some of these breaches can take years before the public is even aware that they happened, and by that time your password and email address could already have been shared with every fraudster on the dark web. All they would have to do is try the common accounts (Facebook, Twitter, Gmail, etc.) and see if the password works.
Rather than trusting your security to someone else, have unique, complex passwords for each account stored in a secured and controlled location.
Your email password and the login details for your email, phone and computer should be the most complex and should be changed regularly, because these are gateway accounts that, if breached, will leave you entirely exposed. I recommend using Two-Factor Authentication where available, which adds another layer of security: each time you sign into your account, a text message with a code is sent to your phone, and the code must be entered along with your password before you are signed in.
What makes a good password? Each cyber security expert has a different answer but the criteria they do agree on are these:
- Length – at least 8 characters, but longer is better
- Dictionary check – Don’t use any words that can be found in the dictionary, also avoid common misspellings, slang and consecutive keyboard patterns like ‘asdfgh’ or ‘123456’, those are common and will be guessed first.
- Character mix – Your password should also include numbers, symbols (!”£$%^+), and upper and lowercase text.
- Complex – You can use phrases like n0D4yLyk2d4y&^%, (No day like today). Or make patterns on the keyboard: £4%6&8uHvFe£, it’s an inverted triangle.
- Obscure – Don’t use your child’s name, date of birth, name of first pet, common words and phrases etc.; though these are easy to remember, they are also easy to guess with just a bit of background information.
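The criteria above can be turned into a simple policy check, which is how a password manager or a site’s sign-up form would enforce them. The following is an added example written for this post, not code from the original article; the word list and keyboard patterns are constructed for illustration and a real deployment would load a full dictionary. It reports every rule a candidate password fails rather than a single yes/no, so the user is told what to fix.

```python
"""Added example: a password-policy checker implementing the criteria
listed above (length, dictionary check, character mix, obscure patterns).
Illustrative code, not from the original post."""

# Constructed mini "dictionary" and keyboard sequences for the example.
# A real checker would load a full word list (assumption, not the post's data).
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "qwerty"}
KEYBOARD_PATTERNS = ["qwerty", "asdfgh", "zxcvbn", "123456", "abcdef"]
MIN_LENGTH = 8


def check_password(pw: str) -> list[str]:
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []

    # Length: at least 8 characters, longer is better.
    if len(pw) < MIN_LENGTH:
        failures.append(f"too short (minimum {MIN_LENGTH} characters)")

    lowered = pw.lower()

    # Dictionary check: reject passwords containing a known common word.
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            failures.append(f"contains dictionary word '{word}'")

    # Keyboard / sequential patterns, in either direction.
    for pat in KEYBOARD_PATTERNS:
        if pat in lowered or pat[::-1] in lowered:
            failures.append(f"contains keyboard pattern '{pat}'")

    # Character mix: digits, symbols, upper and lower case all required.
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        failures.append("no symbol")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")

    return failures


if __name__ == "__main__":
    # Constructed candidates: the two examples from the post and two weak ones.
    for candidate in ["n0D4yLyk2d4y&^%", "£4%6&8uHvFe£", "asdfgh12", "Password"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that passing this check is necessary rather than sufficient: the checker cannot know that a password was reused on another site, which is the reuse problem described above, so it complements a unique-password-per-account habit rather than replacing it.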
Also remember to:
- Change passwords fairly regularly
- Never share your passwords
- Avoid entering any passwords on insecure WiFi or a public computer, as it could be infected with malware or monitored by a third party.
- Never leave an insecure device unattended; close your laptop, lock your phone etc.
Keep in mind that though you may have good password habits, your family may not, and your security can be compromised through them.
Remember, 100% secure is an impossibility, but there are things that we can do to protect our security as much as possible.
Dennis Hughes from the FBI explained it well:
‘The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one.’