A strong password is important to protect your identity, data and systems from unauthorised access.

Basic mistakes in how people choose or handle their passwords are one of the main ways that computer systems are hacked (or “compromised”).

Here are some tips on choosing and using a secure password:

Complexity

  • Use 12 characters or more, especially for externally facing systems such as e-mail or VPN. The length of your password is the best defence against brute force attacks.
  • For IT infrastructure systems and accounts you log into less often, or which protect critical parts of your infrastructure, we still recommend using a long, complex, random string of letters and numbers and storing it in a password manager.
  • For systems you log into regularly, such as email, VPN or company systems, consider using a longer passphrase (three or four words strung together). The words can be easy for you to remember, but because of its length the passphrase is still difficult to guess or crack.
  • Using spaces, capital letters and numbers in your passphrase can make it more secure, but not if that means you need to write it down to remember it.
  • Avoid simplistic patterns of letters or numbers, or substituting numbers or symbols for letters (e.g. P@55w0rd) – password cracking software is designed to easily predict all the simple patterns and character substitutions you can think of.
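The points above (a 12-character minimum, length as the main defence against brute force, and rejecting simple patterns and leetspeak substitutions of common words) can be turned into a password policy check that runs when a user sets a password. The following Python is an added example, not code from the original article: the six-entry word list is a constructed stand-in for a real dictionary or breached-password list, the substitution table covers only a handful of common swaps, and the 7776-entry word-list size used for the passphrase estimate is an assumption (the size of the Diceware list).

```python
import math
import re

# Minimum length from the guidance above (12 characters or more).
MIN_LENGTH = 12

# Constructed stand-in for a real dictionary / breached-password list
# (assumption: a real deployment loads a large list, not six words).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}

# Substitutions that cracking tools try automatically ("leetspeak");
# we undo them so that "P@55w0rd" is compared as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

# Assumption: an attacker guessing a word-based passphrase works from a
# word list of about this size (the Diceware list has 7776 entries).
WORD_LIST_SIZE = 7776


def normalise(text: str) -> str:
    """Lower-case and undo common letter/symbol substitutions."""
    return text.lower().translate(LEET_MAP)


def dictionary_hits(password: str) -> list:
    """Return the common words this password reduces to, if any.

    Both the whole string and the string with leading/trailing digits and
    symbols removed are tried, so 'P@55w0rd2023!' still maps to 'password'.
    """
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    candidates = {normalise(lowered), normalise(stripped)}
    return sorted(c for c in candidates if c in COMMON_WORDS)


def has_simple_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1, -1 or 0
    (e.g. 'abcd', '4321', 'aaaa'), the patterns crackers enumerate first."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def estimate_bits(password: str) -> float:
    """Rough brute-force cost in bits.

    Character-class estimate: log2(alphabet ** length) using only the
    classes actually present. For a multi-word passphrase the attacker can
    instead guess whole words, so the word-based estimate is taken when it
    is lower. Either number is an upper bound: a password that fails the
    dictionary check is far weaker than this figure suggests.
    """
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation plus space
    char_bits = len(password) * math.log2(alphabet) if alphabet else 0.0
    words = password.split()
    if len(words) >= 2:
        word_bits = len(words) * math.log2(WORD_LIST_SIZE)
        return min(char_bits, word_bits)
    return char_bits


def check_password(password: str) -> list:
    """Return a list of reasons to reject the password; empty means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = dictionary_hits(password)
    if hits:
        problems.append(f"is a common word with predictable substitutions ({hits[0]})")
    if has_simple_sequence(password):
        problems.append("contains a simple run of characters (e.g. abcd, 1234)")
    return problems


if __name__ == "__main__":
    for candidate in ["P@55w0rd", "P@55w0rd2023!", "abcd1234efgh",
                      "correct horse battery staple"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: ~{estimate_bits(candidate):.0f} bits; "
              f"{'; '.join(verdict)}")
```

The point the example makes is that "P@55w0rd2023!" satisfies a naive complexity rule (13 characters, mixed case, digits and a symbol) yet is rejected once substitutions and the appended year are stripped away, while a four-word lowercase passphrase passes even though it uses no symbols at all; the character-class bit estimate for the passphrase is deliberately capped by the word-based estimate so it is not overstated.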

Usage

  • Don’t use the same password on more than one system. An attacker who guesses or steals your password could easily use it to access the other systems.
  • Change your password regularly – but not so often that you have to resort to writing it down somewhere.
  • Don’t share passwords – even if your corporate IT policy doesn’t already forbid it, never share passwords with colleagues; they should get their own credentials for the systems they need to access.
  • Never use public computers, such as those in airports, stations or internet cafés. There is a near-certain risk that your passwords will be stolen.
  • If you must use your company credentials on a shared computer, even one owned by someone you know well, change your password as soon as possible from a computer you trust, or ask your IT department / service provider to do this for you.
  • Don’t write your password down – if you must record your password somewhere, use good quality password manager software (see below).

Practical Steps

  • Balance security and practicality. Having a very complex password, or changing it too often, can actually have a negative effect on security if it means resorting to writing it down.
  • Consider two-factor authentication – it reduces the likelihood of unauthorised access by asking for another unique piece of information from something you have, in addition to your password.
  • Use a password manager. A password manager app can help you keep track of your passwords, but if the computer you’re using it on is compromised, all your passwords may be compromised too. Be careful. We like PasswordSafe, a lightweight Open Source tool designed by the respected security researcher Bruce Schneier.