A Short Note on Password Safety

Wed Dec 6 12:30:20 2017

There is a lot of discussion about what makes a good password. I have even been asked to (or accused of) giving some advice on the subject myself from time to time, so it is a subject I keep up with in terms of best practice.1

Over the years I have read a number of articles and attended some good talks about passwords, security and general common-sense techniques, and I thought I'd share some of them with you. As always, no single piece of advice is best in every situation. We live in a world of competing levels of technology, from smart devices that recognise fingerprints, retinas or whole faces, to mechanical combination locks on doorways that accept only digits and have just 4 of them.

A few items are clear.

  • Length and randomness are what make a password strong. Despite what people think, the larger the character set and the more random (and longer) the password, the more guesses it takes to crack; a password that merely looks complicated but follows a pattern (a word with a capital letter and a digit on the end) does not get the same benefit.
  • Use each password once; don't re-use a password across different sites.
  • Limit where passwords are written down, if you write them down at all.2
  • Always turn on and use two-factor authentication (2FA) where it is available.

You should try to avoid some of the more common user errors. Despite the hi-tech and flashy plot lines of film and TV, most passwords are obtained through social engineering rather than clever attacks. Viewing a desk through a window to read passwords written on whiteboards or post-it notes is a common one.3 Re-using a simple password on sites with weak security is a related risk: once one of those sites is breached, the same password will be tried against your other accounts. Then there are the numerous 'free' sites that exist only to scrape data, which they sell to anyone with the money to buy it.

  • Don’t write passwords where they can be casually seen, and never tell anyone where a password is written. Try to use aides instead of the actual password.
  • Don’t give your details away on social media except to those you trust, so avoid all the click-bait games and tests, or if you really like them make a fake profile with fake details and play them.
  • Never email your details to a 3rd party, reputable sites will never ask you for a plain text version of your details and will never do anything but force you to reset passwords or details if they are lost.

Advice

So we have to use unique passwords and they have to be complex. Few of us can remember a random string of 10 characters, never mind 20, which is a far better minimum for entropy. So there is only one choice: use a password manager.

I would recommend KeePass, as it is open source and there are versions for almost every device. The value of open source here is that you are not forced to trust a single organisation or country with the software that protects your data: the code is public, anyone can inspect it, and KeePass is well respected.

A password manager lets you remember one very strong master password and generates random passwords for all your sites. Of course you will still have to deal with machine logons and combination locks, or with those sites that enforce rules such as:

between 8 and 12 characters including one uppercase, one lowercase, one number and no special characters. Note that a rule like this caps the search space an attacker faces (at most 12 characters drawn from a 62-character alphabet, and the composition requirement prunes it further) and, in practice, pushes people towards predictable choices such as a capitalised word followed by a digit.

Or:

company policy means that we change passwords on a monthly basis, so please think up a simple password and use incremental variations of it each month, which lowers our overall security.
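The two policies quoted above, and the entropy argument in the Advice section, can be put into numbers. The following is an added example, not code from the original post: it computes the keyspace of the "8 to 12 characters" rule (with the composition requirement counted exactly by inclusion-exclusion), the entropy of a 20-character password-manager password, and the size of the candidate list a cracker needs to cover the "increment it monthly" habit. The guess-rate constants and the word "Shadowcat" used as the base word are assumptions for illustration.

```python
# Added example (not code from the original post): measures what the
# quoted policies are worth in entropy, i.e. log2 of the number of
# candidates an attacker has to try. Guess-rate figures are assumptions
# for illustration only, not measurements.
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation                        # the 32 printable ASCII symbols
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS     # 94 characters


def composition_count(n):
    """Number of length-n strings over [a-zA-Z0-9] containing at least one
    lowercase letter, one uppercase letter and one digit.  Inclusion-
    exclusion over the events 'no lowercase', 'no uppercase', 'no digit'."""
    total = 62 ** n
    no_lower = no_upper = 36 ** n
    no_digit = 52 ** n
    no_lower_no_upper = 10 ** n
    no_lower_no_digit = no_upper_no_digit = 26 ** n
    return (total - no_lower - no_upper - no_digit
            + no_lower_no_upper + no_lower_no_digit + no_upper_no_digit)


def policy_keyspace(min_len=8, max_len=12):
    """Keyspace of the '8 to 12 characters, one upper, one lower, one digit,
    no special characters' rule.  The composition requirement is a
    constraint, so this is slightly smaller than sum(62**n)."""
    return sum(composition_count(n) for n in range(min_len, max_len + 1))


def unconstrained_keyspace(alphabet_size, min_len, max_len):
    """Keyspace with no composition rule, for comparison."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def bits(n_candidates):
    """Entropy in bits of a uniform choice among n_candidates."""
    return math.log2(n_candidates)


def generated_bits(length=20, alphabet=FULL_ALPHABET):
    """Entropy of a password-manager password: each position is an
    independent uniform draw from the alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length=20, alphabet=FULL_ALPHABET):
    """What a password manager does: draw every character with a CSPRNG
    (the secrets module, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_candidates(base):
    """Cracker-side view of 'pick a simple word and increment it monthly':
    a few case variants, a counter or a year, an optional trailing symbol.
    The whole space is roughly a thousand guesses."""
    stems = {base, base.lower(), base.capitalize(), base.upper()}
    suffixes = [str(i) for i in range(100)] + [str(y) for y in range(2000, 2030)]
    return sorted({s + x + t for s in stems for x in suffixes for t in ("", "!", "?")})


def seconds_to_exhaust(n_candidates, guesses_per_second):
    """Worst-case time for an offline attacker to try every candidate."""
    return n_candidates / guesses_per_second


if __name__ == "__main__":
    FAST_HASH = 1e11   # assumed: one GPU against an unsalted fast hash
    SLOW_HASH = 1e5    # assumed: the same GPU against bcrypt at a sane cost
    policy = policy_keyspace()
    print(f"policy 8-12 [a-zA-Z0-9] + composition rule: {bits(policy):.1f} bits "
          f"(unconstrained would be {bits(unconstrained_keyspace(62, 8, 12)):.1f})")
    print(f"manager, 20 chars from {len(FULL_ALPHABET)} symbols: {generated_bits():.1f} bits")
    rot = rotation_candidates("Shadowcat")   # assumed base word, for illustration
    print(f"monthly-rotation mangling of one word: {bits(len(rot)):.1f} bits ({len(rot)} guesses)")
    for name, n in (("policy", policy), ("rotation", len(rot))):
        for label, rate in (("fast hash", FAST_HASH), ("slow hash", SLOW_HASH)):
            years = seconds_to_exhaust(n, rate) / (86400 * 365)
            print(f"  exhaust {name} against {label}: {years:.3g} years")
    print("example generated password:", generate_password())
```

The comparison is the point: the quoted policy caps a user at about 71 bits even if they choose uniformly at random (which nobody does), a 20-character manager-generated password is around 131 bits, and the "increment it each month" habit collapses to about 10 bits, which any cracker's mangling rules cover in well under a second whatever the hash.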

If you cannot use a password manager, or are in a situation where one is inappropriate, use as complex a password as you can and make sure it contains no details related to you at all. Do not use pets, family, friends or favourite things: all of those are easily discovered through social engineering.

Always opt for the highest level of security, even if it is the most inconvenient. A targeted attack is likely to succeed against anyone, but we can all mitigate the casual ones.



  1. One of the best articles on this subject I have read recently can be found here. ↩

  2. An immediate objection is that more complexity makes passwords harder to remember, but that is easily answered. ↩

  3. I attended a talk where it was revealed that a well-known financial institution was hacked by a pen tester who simply sat in the coffee shop opposite the building and watched the meeting-room wall where they regularly displayed sensitive details. ↩