Password management & security: the do’s & don’ts

July 14th, 2009, by


Despite recent campaigns to increase awareness of the need for secure passwords in the UK, many web users leave themselves open to hackers by choosing easy-to-guess, insecure passwords. A survey by Visa Europe found that “over three-quarters choose passwords relating to friends, family and memorable dates”, whilst following a recent phishing attack on the website MySpace it was found that “the five most common passwords are: password1, abc123, myspace1, password and blink182 (a band).”

A recent UK Government report carried out as part of the Get Safe Online campaign found the following information:

  • 66% of users use the same password for more than one website
  • 46% of users use the same 2 to 3 passwords for every website they access
  • 45% of users use passwords made up only of dictionary words or names (the most easily cracked)

The lack of proper password security is one of the factors contributing to the ongoing problem of online fraud in the UK. The UK Cybercrime report identified the following worrying statistics:

  • It is estimated that there were 84,700 cases of online identity fraud during 2007. It remains the case that around 40% of all identity frauds are facilitated online.
  • It is estimated that there were 255,800 cases of online financial fraud in 2007 (up 24% from 2006).
  • Around 830,000 businesses in the UK suffered an online/computer related security incident in 2007/08.

Do’s and don’ts

So how can you help keep your identity online more secure? These 5 points provide a guide to the do’s and don’ts for using passwords online:

1. Don’t use the same password for many websites

Using the same password for many, or worse all websites, is like putting all of your eggs in one basket; should one website be compromised, all other accounts are open too. Quite often, if one password becomes available to a hacker, they will try this password on many other major websites – eBay, PayPal, your online banking etc. A hacker will use automated tools to do this, so can try many websites very quickly.

Using a password management tool allows you to store and access many passwords very easily.

2. Do use strong, long, unique passwords

A password that includes a dictionary word or a name can be broken very easily. Password lists are circulated around the internet and are freely available; these not only include names and whole dictionaries, but also common passwords revealed when websites are broken into (such as the MySpace example mentioned earlier in this article).

Using automated tools, short passwords are easily broken too. The website “lockdown” publishes the following examples*:

  • 5 character password – 11.8 Million combinations – Instantly broken
  • 6 character password – 308.9 Million combinations – 3 seconds to break
  • 7 character password – 8 Billion combinations – 1.25 mins to break
  • 8 character password – 200 Billion combinations – 35 mins to break
  • 9 character password – 5.4 Trillion combinations – 15 hours to break

*Passwords use alphabetical characters, in a single case. Automated software runs on a modern desktop machine.

It is important that your password is as unique as possible. Strong, memorable passwords can be created in many ways; one example is to use a mnemonic. “Richard of York gave battle in vain” could be used to remember the password “RoYgbiv”. To make it more secure you should add numbers and upper/lowercase characters too, perhaps replacing letters with numbers, e.g. swapping “g” for “9” or an “i” for “1”. You could make the phrase personal to help you remember it: “I love my fat cat Tibbles, she loves her food too” – “1lmfcTslhf2”.
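The checks in point 2 can be written down as code. The following is an added example, not code from this article or from the “lockdown” site: it flags short, leaked, dictionary-based or single-class passwords and reproduces the table above by computing the search space for a given length and alphabet. The word lists are tiny constructed samples, and the guess rate of 100 million per second is an assumption inferred from the table (26⁶ ≈ 308.9 million combinations in about 3 seconds).

```python
import string

# Constructed sample of leaked/common passwords (the MySpace list quoted above).
COMMON_PASSWORDS = {"password1", "abc123", "myspace1", "password", "blink182"}
# Constructed stand-in for a full dictionary/name list, which would be loaded from disk.
DICTIONARY = {"richard", "york", "battle", "tibbles", "summer", "london"}
# Assumption: single-case alphabetic brute force at roughly this rate reproduces
# the article's table (26**6 = 308.9 million guesses in about 3 seconds).
GUESSES_PER_SECOND = 100_000_000
MIN_LENGTH = 8
MIN_CLASSES = 3  # e.g. lower + upper + digit, as point 2 recommends


def character_classes(password: str) -> dict:
    """Which of the four classes the password draws on, with each class's size."""
    return {
        "lower": (26, any(c.islower() for c in password)),
        "upper": (26, any(c.isupper() for c in password)),
        "digit": (10, any(c.isdigit() for c in password)),
        "symbol": (len(string.punctuation), any(c in string.punctuation for c in password)),
    }


def search_space(password: str) -> int:
    """Number of strings an attacker must try to exhaust this length and alphabet."""
    alphabet = sum(size for size, used in character_classes(password).values() if used)
    return alphabet ** len(password)


def brute_force_seconds(password: str) -> float:
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return search_space(password) / GUESSES_PER_SECOND


def check_password(password: str) -> list:
    """Return the rules from point 2 that the password fails (empty list = passes)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on a leaked-password list")
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word or name")
    used = sum(1 for _, in_use in character_classes(password).values() if in_use)
    if used < MIN_CLASSES:
        problems.append(f"uses only {used} of {MIN_CLASSES} required character classes")
    return problems


if __name__ == "__main__":
    for candidate in ["password1", "RoYgbiv", "1lmfcTslhf2"]:
        print(candidate, check_password(candidate) or "OK",
              f"brute force: {brute_force_seconds(candidate):,.0f} s")
```

Run against the article’s own examples, “RoYgbiv” fails on length and on using only two character classes, while the personalised “1lmfcTslhf2” passes every rule; a six-letter single-case password exhausts in about 3 seconds and a nine-letter one in about 15 hours, matching the table.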

3. Don’t rely on your browser to store passwords

Modern browsers include password storing features for your convenience. Making use of these features is a bad idea for a number of reasons:

  1. Almost all browsers have known security flaws which leave your passwords open to hackers and phishing attacks, even recent versions.
  2. More often than not, the password managers inside the browsers do not require a master password themselves, so are open to anyone who has access to your computer.
  3. There is no easy backup facility, so you can lose passwords if you change computer or have a hardware failure.

4. Do use a password management tool

A password management tool provides many helpful functions to improve your security online: storing log-in details for different websites, automating the log-in process, creating secure passwords and more. These details are stored in one very secure encrypted file, meaning you will only need to remember one password from now on. Make it a good password, however: long, with both letters and numbers (see point 2). Always make a backup of the encrypted file and keep it safe.

KeePass is a free, open source, light-weight and easy-to-use password manager. There are versions for Windows, Linux, Mac OS X, and mobile devices. For a portable solution you can take anywhere, you can even run it on a USB stick!

Password management tools are also built into some security packages, like Norton 360 from Symantec, and often into laptops too.
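To show what “one master password, one encrypted file” means in practice (point 4), and to make the reuse check from point 1 concrete, here is a minimal vault as an added example. It is not KeePass’s code or file format: the master password is stretched with scrypt into an encryption key and a MAC key, the entries are serialised as JSON, encrypted with an HMAC-SHA256 keystream in counter mode and authenticated with a second HMAC (encrypt-then-MAC). That construction is an assumption chosen so the example runs on the Python standard library alone; a real tool would use a vetted AEAD such as AES-GCM from a maintained library. The entries below are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# scrypt cost parameters (assumption): 2**14 * 8 * 128 bytes = 16 MiB of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the one password you remember into an encryption key and a MAC key."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i). Stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password: str, entries: dict) -> bytes:
    """Encrypt the whole vault into one blob: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; a wrong master password raises ValueError."""
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault file tampered with")
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    return json.loads(plaintext.decode("utf-8"))


def unlocks(master_password: str, blob: bytes) -> bool:
    """True if the master password opens the vault, False otherwise."""
    try:
        open_vault(master_password, blob)
        return True
    except ValueError:
        return False


def reused_passwords(entries: dict) -> dict:
    """Point 1 check: map every password shared by more than one site to those sites."""
    by_password = {}
    for site, record in entries.items():
        by_password.setdefault(record["password"], []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample entries for a demonstration run.
SAMPLE_ENTRIES = {
    "ebay": {"user": "alice", "password": "x1"},
    "paypal": {"user": "alice", "password": "x1"},
    "bank": {"user": "alice", "password": "y2"},
}

if __name__ == "__main__":
    blob = seal("correct horse battery staple", SAMPLE_ENTRIES)
    print("vault bytes:", len(blob))
    print("reopened:", open_vault("correct horse battery staple", blob) == SAMPLE_ENTRIES)
    print("wrong master password accepted:", unlocks("guess", blob))
    print("reused:", reused_passwords(SAMPLE_ENTRIES))
```

Because the tag is checked before anything is decrypted, a wrong master password or a corrupted backup is rejected outright rather than yielding garbage, and the reuse report is what a manager can tell you that your memory cannot: which sites would fall together if one of them were breached.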

5. Do change your passwords

A good security policy is to change passwords regularly; in fact, in high-security applications (such as the Government) passwords are only allowed to be used once before a new one is issued. Although this is a little excessive for most businesses, changing your passwords every few months may be a good idea. Using a password management package also means that you’ll never have to rely on remembering these either.

If any of your passwords fail on the points above, change them now.

If you forget your BF Internet passwords

If you forget your password for accessing your email, website statistics or online shop, you will need to contact us by email or phone.

For security reasons we can only issue new passwords (rather than tell you what they were), and will require proof of ID, which we will discuss at the time.