Why we know your password and what you can do about it
Guest Blog by John Kearney of DXW highlights top security tips for password management.
Trying to make passwords more secure can often end up having the opposite effect, for two main reasons:
- When people are faced with complex rules — at least one uppercase letter, number, symbol etc. (we’ve all been there) they will do the simplest thing possible. Most users will capitalise the first letter in their password, or all of them, and add a “1” to the end. Sound familiar?
- Complex passwords made up of random generated characters are much easier for a computer to guess than for a human to remember.
For evidence of how people choose passwords, you need look no further than the 10,000 most common passwords discovered in security breaches, as published on Github or this page on Wikipedia. As I write, the second most common password is “password”,“Password” is number 176, “password1” is at 207, “PASSWORD” is at 710, and “Password1” checks in at 2968.
In Top of the Pops fashion (for those of you who are old enough), here’s the current top 20:
As for the relative ease with which a computer can guess a random string as opposed to a well-crafted passphrase (see more on using these below), XKCD tells that story better than we could.
We don’t do what we’re told, and that can cause big problems
No matter how many times people are told never to use the same password across many sites and services, most still do just that. It’s human nature to take the quickest and easiest option, and the one that means we won’t forget our passwords and get locked out.
When dxw cyber carries out attack simulations, we search published data breaches for details of known users to help us identify the passwords they use to log into other places. When we find their passwords, we try them out against their accounts in the system we’re targeting.
During a recent attack simulation, this simple password lookup — that requires no technical skills at all — gave us access to the entire system at the highest possible level.
So what’s the good news (or help, what should I do now)?
Once you understand how people interact with a system, and the reasons why the rules don’t result in the right kind of behaviour, you can take a different approach.
Some tips for individuals
As an individual you should:
- swap passwords for passphrases: combinations of meaningful words in a string. They are easier to remember than complex character strings and, if they are long enough, harder to crack. You can generate these with online tools like this one, inspired by XKCD. We definitely recommend this approach to ensure the phrases are truly random
- use a password manager: these are applications that act like a secure vault, where you can store all your logins and passwords. Most will also generate passphrases for you when creating a new login or updating an old one. Speaking of which, you should also…
- update all your logins with randomly generated passphrases: this might take you a bit of time, but it’s worth it. Start with the most sensitive things like email, financial and medical accounts, and update the others when you use them
Some tips for businesses
As a business, you should:
- update your password policy and systems so people can use passphrases. Many policies require symbols and numbers, which do little to guarantee security (as we explained above)
- select a suitable password manager for your staff, and train them in how to use it
- once the policies and tools are in place, make sure all users update their passwords. If you have lots of users, we recommend you do this gradually
- read the National Cyber Security Centre’s guidance on updating your approach to your password policy
Finally, as an individual or a business, you should always enable two-factor authentication (2FA) when it’s available.
2FA means you need to provide two ways of proving your identity. It’s used all the time by organisations like banks, for example, to take money from a cash machine, you need the card and your PIN. To log into your online banking application, you need your account details and a one-use time-limited code, generated by a custom gadget or sent by text.
Once you’ve done all that, we probably won’t know your password (but you still need to watch out for phishing).
A passwordless future
Humans are not good at passwords, but computers are. So maybe the long-term solution is to get rid of passwords and replace them with stronger ways of proving your identity, such as passwordless “magic” links or QR codes. We also expect to see an increasing use of standards like WebAuthn, which can be used to help prove your identity at the touch of a button, while also protecting you from phishing attacks.
We’ll blog more about this soon.
P.S. If you want to hear directly from Glyn Wintle, our CTO, about all things password related, here’s his talk at Ignite London 7.
Latest News from
Ofcom publishes findings from third Media Nations Report07/08/2020 14:25:00
Lockdown leads to surge in TV screen time and streaming in the UK.
Energy Technology List to expand to include smart technologies06/08/2020 11:25:00
Consultation open to explore scope, definitions, performance and eligibility criteria.
Public Safety & Security in the 21st Century05/08/2020 11:25:00
A major review of policing across England and Wales has concluded that a “radical rethink” is needed to enable forces to operate in a world in which almost half of...
ICO launches new AI and data protection guidance03/08/2020 11:05:00
The Information Commissioner’s Office (ICO) has launched new guidance on how to ensure data protection compliance when deploying artificial intelligence (AI).
Government launches £20 million in new grants to help SMEs recover03/08/2020 10:05:00
Grants will help SMEs access IT and digital advice services, as well as purchase equipment to adapt to or adopt new technologies.
Mayor of London calls for an Emerging Technologies Charter31/07/2020 16:25:00
Yesterday, the Mayor of London Sadiq Khan tasked his Chief Digital Officer, Theo Blackwell, and the Smart London Board with developing an Emerging Technologies Charter, which will set out the criteria which innovations should meet before they are deployed in the capital.
5G Create: Winning projects announced by government31/07/2020 15:15:00
The next wave of government-funded research and development projects aiming to put Britain at the forefront of 5G technology have been announced.
Global tech industry seeks certainty on EU-US cross-border data flows30/07/2020 11:25:00
techUK, ITIC and 15 other trade associations urge US and European regulators to begin negotiations on a successor agreement to the EU-U.S. Privacy Shield.