In today’s busy world, our use of different apps helps us streamline our work, our day, our life. We feel lost without access to our email, bereft without Facebook to check on our friends, and out of the loop if we can’t access LinkedIn or Twitter. And that’s without mentioning all the other apps we use in our daily lives, such as travel apps, Instagram etc.
But what do all of these apps have in common that drives us totally mad? A password to log in. The National Cyber Security Centre (NCSC) reported that in 2016, the average UK citizen had 22 online passwords and that users accessed an average of four websites using the same password. That sounds about right – who can remember so many passwords? And that doesn’t include the logon information that we use at work!
I know I’m preaching to the converted here – we all know that we ought to use different passwords. At work, it is often dictated by password policies where passwords have to be changed every x months, with convoluted rules about what you can and can’t use – so difficult that you have to write the new passwords down somewhere. But on your own personal accounts, well, it’s just too boring/difficult/easy to forget – it’s far easier to use a simpler method of remembering. Maybe you use a family member’s name or a pet’s name with a number thrown in – maybe a year that’s important to you so that you don’t forget it. And once you’ve come up with a good password, it’s so much easier to reuse it on another site. What’s the real harm?
It isn’t until you get hacked that you discover what the harm really is. A malicious hacker changes your Facebook password and posts in your name, with links to other phishing sites (that’s probably how you got hacked in the first place). It can take a long time to get your Facebook account back into your own hands again and some people have never been able to do so. All of that history lost. Having your email account hacked can be far worse than just having it used to send out phishing emails or ransomware. Imagine a hacker being able to read all of your emails, see which bank you use and directly target you with a carefully crafted email with all of the security information on it. Or they could send you an email that looks like it has come from Amazon, with valid information about something you recently bought, to get you to click a link and log in so that they can steal your Amazon login details. By the time you have realised, they could have changed your login details and purchased loads of stuff on the credit card you leave on Amazon for ease of use.
So how can we protect ourselves? Surely we don’t have to change our passwords every month or have impossibly complicated passwords. There are easier ways to protect ourselves and the first way is to understand why having different passwords is important. The second is to understand what a secure password is. Having a password that is your husband’s name followed by the year of your wedding, or your daughter’s name and her birth year, is not secure. The hackers know all the tricks. They have a database of names and dates e.g. Philip1996, Philip1997, Philip1998 etc., and they use this database to try as many combinations as they can – this is called a brute-force attack. The database also contains common words/phrases e.g. password, computer, Liverpool, iloveyou, to further expand the hackers’ ability to crack your password. Also, don’t just change letters for numbers e.g. p455w0rd – this is well-known within the hacking world. If you want a laugh, go to www.ncsc.gov.uk to see a list of the top 100,000 regularly used passwords.
Here are some things to try to make your password strong:
However, in my opinion, the best way to keep passwords strong and safe is to make each of them completely random and use an app to keep them all together and to populate your apps when you need to log in. These apps/programs are called Password Managers and are often used in work environments but are less common in personal use. There are many free Password Managers, so it doesn’t have to cost the earth but it may take a little effort to get used to using them. The effort is well worth it to keep yourself safe.
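The following Python example is added here and is not part of the original article: it flags the guessable patterns described above (a name or common word plus a number, common words, letters swapped for numbers) and generates a completely random password of the kind a password manager creates. The word and name lists are small constructed samples, and the function names are hypothetical.

```python
import re
import secrets
import string
from typing import Optional

# Constructed sample lists; a real check would load a full common-password list.
COMMON_WORDS = {"password", "computer", "liverpool", "iloveyou"}
COMMON_NAMES = {"philip", "debra", "rex"}

# Undo the usual letter-for-number swaps so "p455w0rd" is read as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def weakness(password: str) -> Optional[str]:
    """Return why a password is guessable, or None if no rule here matched."""
    lowered = password.lower()

    # Name or common word followed by up to four digits, e.g. Philip1996.
    match = re.fullmatch(r"([a-z]+)(\d{1,4})", lowered)
    if match and match.group(1) in COMMON_NAMES | COMMON_WORDS:
        return "name or common word followed by a number"

    # The word or name on its own, e.g. iloveyou.
    if lowered in COMMON_WORDS or lowered in COMMON_NAMES:
        return "common word or name"

    # A common word disguised with number substitutions, e.g. p455w0rd.
    if lowered.translate(LEET) in COMMON_WORDS:
        return "common word with letters swapped for numbers"

    return None


def random_password(length: int = 20) -> str:
    """Build a password from a cryptographically secure random source."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["Philip1996", "p455w0rd", "iloveyou", random_password()]:
        print(f"{candidate!r}: {weakness(candidate) or 'no weak pattern matched'}")
```

A result of None only means that none of these three patterns matched; it does not prove a password is strong.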
Another tip is to use 2FA – Two Factor Authentication – whenever offered. This means that if you want to log in to an app, you will be sent an email or a text as an additional verification.
Debra Samuel is The Computer Guru for one-to-one training, maintenance and general computer advice.