How to Choose a Good Password

Screen showing username and password being typed

Short on time? If you’re in a hurry, check out our five tips for choosing a good password and good password health: 

  1. Choose a strong password that’s easy to remember. We’re fans of the Three Random Words approach to create a password that’s at least 12 characters long 
  2. Don’t share your passwords with anyone (including your boss or the IT department) 
  3. Don’t reuse the same password for multiple accounts, and don’t use the same passwords for personal and work accounts 
  4. Find a secure way to store passwords, such as a password manager, so that your memory doesn’t become the weak link 
  5. Change any passwords that you think have been compromised asap

If you’d like to learn more, then read on… 

Are Passwords Still Important? 

We’re all so used to security technologies such as multi-factor authentication (MFA) or biometrics that it’s easy to overlook the humble password – but despite numerous predictions of its demise from thought-leaders such as Bill Gates and IBM, we have more passwords than ever before. 

In the past few years, we’ve seen major cyberattacks succeed thanks to compromised passwords – think Colonial Pipeline or Solarwinds, to name just two. Even in organisations where MFA is deployed, passwords can still be a vital first line of defence. For example, in an attack outlined by CISA, a compromised password ultimately allowed the attackers to bypass MFA entirely for the whole system, leaving them free to do pretty much whatever they wanted! 

MFA is a great way to help secure your systems and we recommend that you use it wherever possible, but good password security is also still essential – so what can you do to make sure you’re choosing a good password? 

We’ve got some pointers to help you out when you’re creating your account in the Take Note Secure Portal, or indeed anywhere else. 

Choose a Strong Password 

Many of the systems you use will have some password rules: minimum of 8 characters plus at least one uppercase letter, one number and a special character – that kind of thing. This is called password complexity and the goal is to prevent people from choosing passwords that are easy to guess. 

There’s also a benefit in terms of uniqueness because, in theory, higher password complexity means that a password is more likely to be unique. This is important because cybercriminals often use lists of common passwords as the starting point for their attack – the time requirement is extremely low, and you may be surprised how often it can work. If you’d like to read more about the most hacked passwords, check out this article from National Cyber Security Centre (NCSC) – their survey found that more than 23 million accounts breached used 123456 as a password, which we certainly hope you don’t do! 

However, there’s a big downside to relying only on password complexity – it makes passwords increasingly difficult for humans to remember. With the computing power available today, a password length of 8 characters doesn’t present the same challenge to hackers as it once did. In fact, given the right conditions, it may only take a day or so to crack even with strong password rules in place. 

Increasingly, systems are implementing longer minimum lengths – 10 or even 12 characters – but of course, that also makes it harder still to remember, which means we tend to fall into other password hygiene traps such as reusing the same password or storing passwords insecurely (not the intended use for post-it notes!).

One approach to this dilemma is to use the Three Random Words passphrase method. It does what it says on the tin – instead of trying to think up a random series of unconnected characters, the user picks three words and combines them into a passphrase. The result? Instead of having to remember a confusing jumble of characters like a%GH0bvKasY!, you could use something like BlueTurtleEscape as a passphrase. 

The advantages are longer passwords that are easier to remember and that are also more likely to be unique. It’s a great strategy for systems that do require a longer password (hint: such as the Take Note Secure Portal), and if password rules still ask for special characters or numbers then you can incorporate these into your passphrase. Do take care to avoid passphrases that may be easy to guess, though, such as OneTwoThree. 

The NCSC has some useful information about the Three Random Words approach. 

Avoid Reusing Passwords 

How many systems do you use that need a password? 20? 30? More? And that’s just your personal accounts – you might have a similar number for work as well. The bottom line is that it’s just not possible to remember a good unique password for all of them, and that means that we tend to get lazy. 

Even if you stop short of using the same password for every system, you might still think it’s okay to use the same password for a group of systems – for example, all your social media accounts. 

This is bad because it means that if one account is compromised the others are also at risk – cybercriminals trade lists of stolen credentials as if they were Panini Stickers, and they use these lists to test valid credentials against other systems, hoping to gain access. This is known as credential stuffing and it happens millions of times every day, with an estimated success rate of around 1%. 

To continue the social media example, if your Twitter account is hacked and you’ve used the same password for Facebook, then you may well find that account is also compromised. And if you’ve used the same password for your admin account to the server at work, well, you might have a few tricky questions to answer if the server is also compromised – you should avoid using the same passwords for personal and work accounts. 

One solution to an overload of different passwords could be to use a password manager. Although we’re often told that we should memorise all our passwords, NCSC argue that this is poor advice – what matters is that we store our passwords securely. So, while reaching for that pad of Post-Its is still a bad idea, a password manager could make you more secure – you’ll be able to use more unique and stronger passwords because you won’t have to remember them all and, depending on the software you use, there may be other advantages such as synchronisation across devices. 

NCSC promotes the use of password managers to improve security, and they have outline some top tips to help you. 

Change Compromised Passwords 

You’ve probably encountered systems that force you to change their password, say, every 90 days. The problem? After a suitable expression of frustration, most users’ response is to implement some minor variation that allows them to keep basically the same password – so password becomes password1, and then password2, and so on. 

Attackers know this, and in certain circumstances, this behaviour can significantly increase the chance that a hacker will crack your password. And although the idea of regular password changes was originally based on the amount of time it would take an attacker to crack your password, as we saw above, with modern computing power, those timeframes are now much, much shorter anyway. 

There’s a time and a place for everything, though, and the time that you absolutely should change your password is when you know (or suspect) that it’s been compromised. 

This could be something obvious – logins from unexpected locations, for example – or perhaps there are hints such as suspicious or unexplained activity in some of your accounts. You should change your password as soon as you notice anything like this, and if it’s a work account then it’s a good idea to give your IT department a heads-up too. 

You can also check ‘have I been pwned’ to see if a password you’re using is known to have been exposed in a data breach. While this doesn’t necessarily mean that your account has been breached, it does make it much more likely that hackers will try that password to access your account – so if your password is on this list, we’d recommend changing it at once. 

Further Reading 

https://www.ncsc.gov.uk/collection/passwords/updating-your-approach 

 

Owen Grainger