WIREDGOV

Guest Blog by John Kearney of DXW highlights top security tips for password management

Trying to make passwords more secure can often end up having the opposite effect, for two main reasons:

• When people are faced with complex rules — at least one uppercase letter, number, symbol etc. (we’ve all been there) they will do the simplest thing possible.
• Complex passwords made up of random generated characters are much easier for a computer to guess than for a human to remember.

For evidence of how people choose passwords, you need look no further than the 10,000 most common passwords discovered in security breaches, as published on Github or this page on Wikipedia.  As I write, the second most common password is “password”, “Password” is number 176, “password1” is at 207, “PASSWORD” is at 710 and “Password1” checks in at 2,968.  As for the relative ease with which a computer can guess a random string as opposed to a well-crafted passphrase, XKCD tells that story better than we could.

No matter how many times people are told never to use the same password across many sites & services, most still do just that.  It’s human nature to take the quickest & easiest option, and the one that means we won’t forget our passwords and get locked out.  Once you understand how people interact with a system, and the reasons why the rules don’t result in the right kind of behaviour, you can take a different approach. 

As an individual you should:

• swap passwords for passphrases
• use a password manager
• update all your logins with randomly generated passphrases

As a business, you should:

• update your password policy & systems so people can use passphrases
• select a suitable password manager for your staff
• once the policies & tools are in place, make sure all users update their passwords
• read the NCSC’s guidance on updating your approach to your password policy