Did you know that today, May 2nd, is World Password Day? To mark the event, I thought I’d post a quick update based on the current official guidance on managing passwords.

Both the UK National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST) have revised their password guidance in the past two or three years (NIST in Special Publication 800-63B, its Digital Identity Guidelines; the NCSC in its password policy guidance).

  1. Whereas previously we were advised to change passwords regularly, e.g. every 30 or 60 days, both now recommend changing a password only when there is reason to think it has been compromised (i.e. someone else might know it). I have to confess this doesn’t sit easily with me, but I understand their reasoning. Forced rotation tends to produce predictable variations (Password1 becomes Password2) and weaker choices overall, and we all have so many passwords to remember that changing them less often gives us a better chance of remembering them.
  2. Use a different password for every account and every website. This is harder to do in practice, so both NIST and the NCSC suggest using a password manager (an app on your phone, laptop or desktop that keeps your passwords in an encrypted vault behind one master password) to generate and keep track of them.
  3. Rather than long, hard to remember mixtures of upper and lower case letters, numbers and symbols, use three unrelated words and make sure the total length is at least 12 to 14 characters (I prefer a minimum of 15). The reasoning is simple. Suppose you used P4$$w0rd as your password: it satisfies every complexity rule, but it is just the word “password” with a handful of well-known character substitutions, and every password-cracking tool tries exactly those substitutions against its dictionary. A phrase like SunnyTreeRoad is easy to remember, much harder to guess, and far less likely to appear on one of the many lists of known and commonly used passwords. The strength comes from picking the words at random rather than reusing a phrase you already know.
  4. Enable two-factor authentication (2FA) on your key accounts such as email and banking or finance. An attacker would then need your phone, authenticator app or security key as well as your password to get into your account.
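To make the comparison in point 3 concrete, here is an added Python example (not from the original post, and not NCSC or NIST code). It generates a three-random-word passphrase with a cryptographically secure random source, works out the entropy each style of password actually carries, and shows that undoing common character substitutions turns P4$$w0rd straight back into a dictionary word. The word list, the excerpt of common passwords and the substitution table are constructed for the example; a real passphrase generator would use a published list such as the EFF’s 7,776-word diceware list.

```python
import math
import secrets

# Constructed word list, just for the example. A real list such as the EFF long
# diceware list has 7,776 words, which is what gives the method its strength.
WORDS = [
    "sunny", "tree", "road", "copper", "violin", "marsh", "lantern", "quiet",
    "pebble", "orbit", "crimson", "fable", "glacier", "harbor", "ivory", "jungle",
]

# Common "leet" substitutions; cracking tools apply and undo these automatically.
LEET = str.maketrans({"4": "a", "@": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})

# Constructed excerpt standing in for a list of breached / common passwords.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "123456", "welcome"}


def pick_words(words, count=3, rng=secrets):
    """Choose `count` words uniformly at random using a CSPRNG (secrets.choice)."""
    return [rng.choice(words) for _ in range(count)]


def passphrase(words, count=3, rng=secrets):
    """Join the chosen words, capitalised, e.g. 'SunnyTreeRoad'."""
    return "".join(w.capitalize() for w in pick_words(words, count, rng))


def passphrase_entropy_bits(wordlist_size, count=3):
    """Entropy of `count` words drawn uniformly from a list of `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def nominal_charset_entropy_bits(password):
    """Entropy the password *would* have if every character had been chosen at random
    from the character classes it uses. Complexity rules implicitly assume this."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def is_disguised_common_password(password):
    """True if undoing leet substitutions yields a known common password."""
    return password.lower().translate(LEET) in COMMON_PASSWORDS


if __name__ == "__main__":
    print("nominal bits for P4$$w0rd:", round(nominal_charset_entropy_bits("P4$$w0rd"), 1))
    print("but it is just 'password' in disguise:", is_disguised_common_password("P4$$w0rd"))
    print("3 words from a 7,776-word list:", round(passphrase_entropy_bits(7776, 3), 1), "bits")
    print("4 words from a 7,776-word list:", round(passphrase_entropy_bits(7776, 4), 1), "bits")
    print("example passphrase:", passphrase(WORDS))
```

The nominal figure for P4$$w0rd (about 52.6 bits, as if each of its eight characters were random) is meaningless once a cracker runs substitution rules over a dictionary, because the password is one dictionary entry away. Three words chosen at random from a 7,776-word list carry about 38.8 bits and four about 51.7 bits, and that entropy is real because nothing about the choice can be guessed from a list. The list size and the number of words set the strength, which is why a longer phrase helps.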

If you’d like to know more, check out the NCSC article here, or the NIST video here. They’re both short and won’t take much time.

Also, if you want to see examples of bad passwords, the NCSC have published details of the most hacked passwords here.

Finally, if you want to see whether your email address has already turned up in a data breach, head to https://haveibeenpwned.com/ and search for it. This free service tells you which known breaches included your address and, if you subscribe to its notifications, will alert you when it appears in a new one. The same site also offers Pwned Passwords, which lets you check whether a particular password has appeared in a breach without the password itself ever leaving your device.
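The Pwned Passwords part of the service can be called from code through its k-anonymity range API. The following Python is an added example, not code from the original post or from Have I Been Pwned; it reproduces the client side of the protocol (SHA-1 the password locally, send only the first five hex characters of the hash, compare the returned suffixes locally). The breach corpus and its counts are constructed so the example runs offline; `live_range` shows the real call.

```python
import hashlib
import urllib.request

# Constructed "breach corpus" standing in for the real Pwned Passwords data set;
# the counts are made up for the example.
FAKE_BREACHED = {"password": 12345, "P4$$w0rd": 678, "letmein": 90}


def sha1_upper(password):
    """Pwned Passwords is keyed on the uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns the same line format the real service uses: '<35-char suffix>:<count>'."""
    lines = []
    for pw, count in FAKE_BREACHED.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def live_range(prefix):
    """Real lookup. Only the 5-character prefix is sent, never the full hash or password."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fake_range):
    """Return how many times `password` appears in the breach data (0 if never seen).

    k-anonymity: hash locally, send the first 5 hex characters, then compare the
    returned suffixes locally, so the service never learns which password was checked.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("P4$$w0rd", "SunnyTreeRoad"):
        print(f"{pw!r}: seen {pwned_count(pw)} times (offline sample data)")
    # To query the real service instead: pwned_count("P4$$w0rd", fetch_range=live_range)
```

A non-zero count is a signal to change that password wherever it is used; a zero count is not proof of strength, only that the password has not shown up in the corpus yet.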