Does your company force a password change every couple of months? Well, you may be surprised to hear that the latest recommendation on password security from the National Cyber Security Centre (a part of GCHQ) is to avoid this practice. In fact, this isn’t even new: they published this password advice in 2015!
Forcing users to change a password too often usually leads to one of two things. Either they choose something that is hard to remember, using a combination of capital and lower-case letters, numbers and punctuation, but usually quite short, because a longer one takes more effort to remember and type in.
Or they use a password that is easy to remember and just change a number at the end of it. They may do something a little more complicated, but it is extremely common for each subsequent password to be very similar to the last.
In the first case, this is very inconvenient for users, who may end up having to reset their passwords regularly, which often pushes them towards the second scenario. Why is this an issue? Well, if a hacker gets hold of one password, it isn’t going to take them long to work out minor changes, or even fairly complicated ones if the base word is the same. These passwords are also usually relatively short: users are still forced to add numbers and punctuation and to mix upper and lower case, so they keep them short to stay easy to remember.
Short passwords can be brute forced in a relatively short time, even by an average home computer. For example, the random 8-character password “+Df?x7;@” would take about 12 days to brute force normally. If the hacker has access to a botnet, however, this could be reduced to 4 hours or less. It is hard for a human to remember but easy for a computer to work out.
The current recommendation is to use a password made up of 3 or 4 random words that have nothing to do with you. For example, something like “AngryCarrotWhispersAlone” would take more than 160,000 years to brute force, because it is 24 characters long, yet it is easy to remember. It helps to pick something random that conjures strong imagery in your head, as that aids recall. You don’t want to have to write it down anywhere to remember it!
Quick tips:
- Use a different password for every site. If one site gets compromised, you don’t want hackers to be able to use your password to log into other sites.
- If you speak more than one language, you could include an uncommon word from another language. If not, you could use a colloquialism or the name of a really obscure celebrity. This adds another layer of protection against hackers who use lists of common words to speed up their guessing.
- It can be hard to think of something completely random. Try using a random word generator like https://www.textfixer.com/tools/random-words.php to get some ideas. After generating words a few times, I came up with “FrozenArcaneParachuteShipment” and “ShotgunHoneybeeMohawk”.
- Check how strong your password is using Kaspersky’s strength checker. It even tells you how long it would take to brute force your password. https://password.kaspersky.com/
- If possible, use two-factor authentication, password managers and completely random long strings of varying characters, and ignore most of what I’ve said so far. Those methods are a lot more secure. This advice is only for when those options are not available and you have to remember passwords.
- Your password might already be compromised. Click here to read about a massive data breach from earlier this year, including a way to check to see if you’ve been compromised!
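The brute-force estimates in the paragraphs above, the “common words” caveat in the tips, and the “change a number at the end” pattern, as an added Python example that is not part of the original post. The guess rate (1e10 guesses per second) and the 7,776-word list size are assumed values chosen for illustration, not the figures behind the post’s 12-day and 160,000-year estimates.

```python
import string

# Assumed guess rate for the estimates below (constructed for illustration;
# the post's own figures come from an unstated rate): 1e10 guesses/second,
# roughly a GPU rig against a fast unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet a blind brute-force attacker must cover,
    judged from the character classes actually present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = sum(len(cls) for cls in classes if any(c in cls for c in password))
    # Anything outside those four classes (e.g. accented letters) widens it further.
    if any(c not in "".join(classes) for c in password):
        size += 128
    return size


def brute_force_seconds(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average time to reach the password by exhausting half the keyspace when the
    attacker knows only its length and character classes."""
    return charset_size(password) ** len(password) / 2 / rate


def wordlist_seconds(word_count: int, list_size: int,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Same estimate when the attacker guesses the passphrase as a sequence of
    words drawn from a list of list_size entries (the "common words" case)."""
    return list_size ** word_count / 2 / rate


def is_trivial_variant(old: str, new: str) -> bool:
    """Flag the 'change the number at the end' pattern: after stripping trailing
    digits/punctuation and ignoring case, the two passwords share a stem."""
    def stem(p: str) -> str:
        return p.rstrip(string.digits + string.punctuation).casefold()
    return stem(old) != "" and stem(old) == stem(new)


if __name__ == "__main__":
    for pw in ("+Df?x7;@", "AngryCarrotWhispersAlone"):
        years = brute_force_seconds(pw) / SECONDS_PER_YEAR
        print(f"{pw!r}: blind brute force ~{years:.3g} years")
    # Four words from a 7,776-word list (an assumed diceware-sized list)
    print(f"4 common words: ~{wordlist_seconds(4, 7776) / SECONDS_PER_YEAR:.3g} years")
    print(is_trivial_variant("Winter2019!", "Winter2020!"))  # True
```

The word-list figure shows why the tip about uncommon words matters: four words chosen from a known list are no harder to guess than 8 random printable characters, whereas the same 24 characters attacked blindly are out of reach.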