Tech - October 20, 2020
Busting a Password Myth

Paul Strout C-DPO, Owner & Chief Consultant of GDPR Assist talks us through password myths

Once upon a time, back when using the internet meant that nobody could make a phone call at the same time as posting to MySpace and Amazon just sold books, someone sat atop a mountain and carved into stone their initial thoughts on what good online security looked like.

Their thoughts around passwords were:

  • People are lazy, and
  • their passwords will be easy to guess.

To mitigate this it was therefore decreed:

  • Passwords must be changed every 90 days, and
  • We will encourage people to use an ‘@’ instead of ‘a’.

Thus were the legions of the dark banished and all was secure in the world wide web.

However, what was overlooked, was that because people are lazy they will:

  • Version the password, by adding a suffix with each change (“P@ssword1”, “P@ssword2”, etc.), and
  • Share this style across all the systems they use.

So when LinkedIn, for example, was hacked a few years ago and its passwords were revealed, that shared format meant the other systems those users used were immediately accessible to the bad guys.

The National Cyber Security Centre publishes a range of great advice for small businesses on improving security, including more modern password guidance built on the same premise: people are lazy and today’s passwords are easy to guess (even with a ‘!’ in place of ‘1’ or ‘I’):

  • Use the three random words principle – take three words and crash them together, e.g. MonkeyWhiskeySunshine (flip through the pages of a book if you’re stuck)
  • Do not force a change every 90 days
  • Do not use it anywhere else
  • Use multi-factor authentication wherever it is available (e.g. the user receives a code via SMS as well as having to enter the password)

It is better to keep hold of a good password than to regularly change a bad one for another bad one.

There’s more great advice in the NCSC’s guide for small businesses here


Photo by Markus Spiske on Unsplash
