Thursday, 4 April 2013

Passwords and security

Password security has never been a more important issue than it is today, and it will no doubt remain a relevant topic for some time to come.

Generally, people who want to know how to tackle this will search the internet for advice; some of it is quite helpful, some of it not so much. The result often leaves users frustrated about how to create a password, and in quite a few cases they forget their password completely.

Below I set out what I'd term reasonable practices for the average user.

Bad practice

- Don't use phrases that are too short. Try to keep passwords at least 12-14 characters long.
- Don't use common words in passwords, even if they are long words.
- Don't rely on substituting numbers for letters. This trick is so widely known that it provides minimal protection.
- Don't use personal details such as family members' names, pet names, car makes or models, etc. People who know you can guess these easily.
- Don't use phrases in reverse.
- Don't use elements of your username in any part of the password.
- NEVER write your password down on paper or in an unencrypted file.
- NEVER use the same password for more than one service or website.
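
The rules above can be checked automatically. The following is an added example (not part of the original post) that undoes the usual letter-for-number substitutions before looking for common words, forwards and reversed, and flags fragments of the username; the word list and sample passwords are constructed for illustration and a real checker would use a large dictionary.

```python
# Added example: a checker for the "Bad practice" rules above.
# The word list and sample inputs are constructed for illustration.
import re

# Constructed stand-in for a real common-word list (use a large one in practice).
COMMON_WORDS = {"password", "welcome", "sunshine", "letmein", "dragon", "football"}

# Reverse the usual letter-for-number/symbol substitutions (p4$$w0rd -> password).
# "1" is mapped to "i" here; a fuller checker would also try "l".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalise(pw: str) -> str:
    """Lower-case and undo letter substitutions so common words become visible."""
    return pw.lower().translate(LEET)

def contains_common_word(text: str) -> bool:
    return any(w in text for w in COMMON_WORDS)

def check_password(pw: str, username: str = "") -> list[str]:
    """Return the list of rule violations; an empty list means the password passed."""
    problems = []
    norm = normalise(pw)
    if len(pw) < 12:
        problems.append("too short (use 12-14+ characters)")
    if contains_common_word(norm):
        problems.append("contains a common word (letter substitutions do not hide it)")
    if contains_common_word(norm[::-1]):
        problems.append("contains a common word written in reverse")
    user = username.lower()
    # Any 4-character run of the username appearing in the password is a hit.
    if user and any(user[i:i + 4] in norm for i in range(len(user) - 3)):
        problems.append("contains part of the username")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("use a mix of upper, lower, digits and symbols")
    return problems

if __name__ == "__main__":
    # Constructed samples: leet-disguised word, reversed word, username fragment, random.
    for pw, user in [("P4$$w0rd123!", "alice"), ("drowssaP!2013x", "bob"),
                     ("alice_Bike#2013", "alice"), ("Tgs7!mq&Vp2oLx", "carol")]:
        print(f"{pw!r}: {check_password(pw, user) or 'OK'}")
```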

Good practice

- Create a password that you can remember!
- If you manually enter passwords often, use a formula which is hard to guess but easy to remember.
- Use combinations of lower and upper case characters, numbers and symbols.
- Use words which are not common words, or ideally not even real dictionary words at all.
- If you want or need to store your passwords, use a method that encrypts them such as a password manager application.
- Consider changing your passwords often. Use good judgement about when to do so and which of the services you use are most at risk from others.
- Consider using two-factor authentication, an additional layer of security that often uses a phone or a keypad unit.

Additional advice

One further bit of advice I would give is not to send passwords through email. The password will probably end up stored in clear text on your PC or mobile and on the mail server, where anyone with access can obtain it. You should also be wary of services or systems that send you passwords by email.
The best-practice approach for any service managing a new or changed password is to provide a web page, based on your username (and possibly a verification email containing a temporary URL), where you enter the password yourself. A company or service should never need to know what your password is, and should store it on their systems using one-way encryption (a one-way hash).

