Paul Strout C-DPO, Owner & Chief Consultant of GDPR Assist talks us through password myths

Once upon a time, back when using the internet meant that nobody could make a phone call at the same time as posting to MySpace and Amazon just sold books, someone sat atop a mountain and carved into stone their initial thoughts on what good online security looked like.

Their thoughts around passwords were:

• People are lazy,
• Their passwords will be easy to guess

To mitigate this it was therefore decreed:

• Passwords must be changed every 90 days, and
• We will encourage people to use an ‘@’ instead of ‘a’,

Thus were the legions of the dark banished and all was secure in the world wide web.

However, what was overlooked, was that because people are lazy they will:

• Version the password, by adding on a suffix with each change (“P@ssword1, P@ssword2, etc.), and
• share this style across all the systems they use

So when LinkedIn, for example, were hacked a few years ago and passwords revealed, the sharing of formats meant that the other systems the user used were immediately accessible to the bad guys.

The National Cyber Security Centre publish a range of great advice for small businesses around improving security, and they have some more modern advice for passwords based upon the premise that people are lazy and current passwords are easy to guess (even with a ‘!’ instead of ‘1’ or ‘I’):

• Use the three random words principle – take three words and crash them together, e.g. MonkeyWhiskeySunshine (flip through the pages of a book if you’re stuck)
• Do not force a change every 90 days
• Do not use it anywhere else
• Use multi-factor authentication wherever it is available (e.g. user gets a code via sms as well as having to use the password)

It is better to keep hold of a good password than to regularly change a bad one for another bad one.

There’s more great advice in the NCSC’s guide for small businesses here

Photo by Markus Spiske on Unsplash