Password management & security: the do’s & don’ts
There have been campaigns recently to increase awareness about the need for secure passwords. However, many web users still leave themselves open to hackers.
They do this by choosing easy-to-guess, insecure passwords. A survey by Visa Europe found that “over three-quarters choose passwords relating to friends, family and dates”. Following a phishing attack on Twitter, it was found that the five most common passwords were: password1, abc123, myspace1, password.
- 66% of users use the same password for more than one website
- 46% of users use the same 2 to 3 passwords for every website they access
- 45% of users use passwords made up only of dictionary words or names (the most easily cracked)
The lack of proper password security is one of the factors contributing to the ongoing problem of online fraud in the UK. The UK Cybercrime report identified the following worrying statistics:
- It is estimated that there were 84,700 cases of online identity fraud. Around 40% of all identity frauds are facilitated online.
- There were 255,800 cases of online financial fraud (up 24% from the year before).
- Around 830,000 businesses in the UK suffered an online/computer related security incident.
Do’s and don’ts
So how can you help keep your identity online more secure? These 5 points provide a guide to the do’s and don’ts for using passwords online.
1. Don’t use the same password for many websites
Using the same password for many, or worse all, websites is like putting all your eggs in one basket. If one website is compromised, all your other accounts are open too. Quite often, if one password becomes available to a hacker, they will try it on many other major websites: eBay, PayPal, your online banking and so on. A hacker will use automated tools to do this, so can try many websites very quickly.
Using a password management tool allows you to store and access many passwords very easily.
2. Do use strong, long, unique passwords
A password that includes a dictionary word or a name can be broken very easily. Password lists are circulated around the internet and are freely available; these not only include names and whole dictionaries, but also common passwords revealed when websites are broken into (such as the MySpace example mentioned earlier in this article).
A long password is important too: with automated tools, short passwords are easily broken. The website “lockdown” published the following examples*:
- 5 character password – 11.8 Million combinations – Instantly broken
- 6 character password – 308.9 Million combinations – 3 seconds to break
- 7 character password – 8 Billion combinations – 1.25 mins to break
- 8 character password – 200 Billion combinations – 35 mins to break
- 9 character password – 5.4 Trillion combinations – 15 hours to break
*Passwords use alphabetical characters, in a single case. Automated software runs on a modern desktop machine.
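The table above only covers single-case letters. The following Python script is an added example (not from the original article) that reproduces those figures and extends them to passwords that mix case and digits, such as the mnemonic examples in point 2. It infers the alphabet an exhaustive search would have to cover from the characters a password uses, and assumes the roughly 100 million guesses per second implied by the table.

```python
import string

# Character classes an exhaustive search must cover, chosen by what the password uses.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation + " "]

# Guess rate implied by the article's table (roughly 100 million guesses per second
# on the "modern desktop machine" it cites); an assumed figure, not a measurement.
GUESS_RATE = 1e8


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must enumerate to cover this password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (e.g. accented letters) each add one symbol.
    others = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(others)


def keyspace(password: str) -> int:
    """Number of candidates of this length over the inferred alphabet."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: float = GUESS_RATE) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(password) / rate


def human(seconds: float) -> str:
    """Render a duration in the units the article's table uses."""
    for unit, span in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("mins", 60)):
        if seconds >= span:
            return f"{seconds / span:.1f} {unit}"
    return f"{seconds:.2f} secs"


if __name__ == "__main__":
    # Reproduce the article's table: single-case letters, 5 to 9 characters.
    for n in range(5, 10):
        pw = "a" * n
        print(f"{n} lower-case chars: {keyspace(pw):>16,} combos, {human(seconds_to_exhaust(pw))}")
    # The mnemonic passwords from point 2: mixing case and digits widens the alphabet.
    for pw in ("roygbiv", "RoYgbiv", "1lmfcTslhf2"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, {human(seconds_to_exhaust(pw))}")
```

Note that this models exhaustive search only: a password that appears in a leaked list or a dictionary falls almost instantly regardless of its length, which is why uniqueness matters as much as length.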
It is important that your password is as unique as possible. Strong, memorable passwords can be created in many ways; one example is to use a mnemonic. “Richard of York gave battle in vain” could be used to remember the password “RoYgbiv”. To make it more secure you should add numbers and upper/lowercase characters too, maybe replacing letters with numbers, e.g. swapping “g” for “9” or an “i” for “1”. You could make the phrase personal to help remember; “I love my fat cat Tibbles, she loves her food too” – “1lmfcTslhf2”.
3. Don’t rely on your browser to store passwords
Modern browsers include password-storing features for your convenience. Making use of these features is a bad idea for a number of reasons:
- Almost all browsers have known security flaws which leave your passwords open to hackers and phishing attacks, even recent versions.
- More often than not, the password managers built into browsers do not require a master password themselves, so they are open to anyone who has access to your computer.
- There is no easy backup facility, so you can lose passwords if you change computer or have a hardware failure.
4. Do use a password management tool
A password management tool provides many helpful functions to improve your security online: storing log-in details for different websites, automating the log-in process, creating secure passwords and more. These details are stored in one encrypted file, which means you will only need to remember one password from now on. Make it a good password, however: long, with both letters and numbers (see point 2), and always make a backup of the encrypted file and keep it safe.
KeePass is a free, open source, light-weight and easy-to-use password manager. There are versions for Windows, Linux, Mac OS X, and mobile devices. For a portable solution you can take anywhere, you can even run it on a USB stick!
Password management tools are also built into some security packages, like Norton 360 from Symantec, and often into laptops as well.
5. Do change your passwords
A good security policy is to change passwords often. In fact, in high-security applications (such as government) passwords are only allowed to be used once; then a new one is issued. This is excessive for most businesses, but changing your password every few months is a good idea. Using a password management package also means that you’ll never have to rely on remembering these either.
6. Turn on two-factor authentication
Two-factor authentication means that a user needs more than just a password to log in; usually a physical device is required too. This means that even if a password is stolen, an unscrupulous user cannot log in.
The second form of verification can be a code generator app on your phone (Google, Facebook), an SMS which is sent with a one-time code (Microsoft) or in the case of many banks there is a specific code generating device. In enterprise, Vasco Keys are commonplace. YubiKeys are an option to consider too.
It’s highly recommended to turn on two-factor authentication wherever it’s supported (https://twofactorauth.org/); it’s a lot of extra security for only a tiny additional log-in step.
If you forget your BFI passwords
If you forget your password for accessing your email, website statistics or online shop, you will need to contact us by email or phone.
For security reasons we can only issue new passwords (rather than tell you what they were), and will require proof of ID, which we will discuss at the time.