Let me begin by asking some questions.
What is the most important online service password you have? Possibly your banking, online shopping, social media or is it something else?
Do you use the same password for more than one online account or system?
Do you use weak passwords?
When was the last time you updated your passwords – and I mean all your passwords?
Do you even know what all your accounts and passwords are?
How many online accounts and passwords do you think you have?
Passwords are like the keys to your front door.
- You wouldn’t use the same key for the front door, the garage, the shed, the car or bike, and your WORK.
- And you wouldn’t fit a weak lock on your front door; you’d use a STRONG five-lever mortice lock.
- And you wouldn’t give your keys to a stranger in the street or leave them lying around for anyone to find.
So why do it with Passwords?
Passwords prove who we are, they prevent unauthorised access, they protect what matters. They are the keys to the kingdom!
This is where you come unstuck if you only have the one password for everything.
If a fraudster finds your email address and password for an unrelated service, let’s say your supermarket shopping account, the first thing they will do is try to log into your email account with the same password. Once into your email account they can probably get into any other service you use, because the “forgotten password” link on every other site sends its reset email to the inbox they now control. And by sending scam emails from your genuine address to your friends and relatives, they borrow your credibility: the message looks as if it came from you. It’s a quick way for criminals to reach a large number of people for further scamming.
But how does a fraudster find your password in the first place? The most common method is a data breach.
A data breach is when a company’s systems are compromised and the data they hold is copied out. Your username and password may be among that data. Passwords are not normally stored as plain text but as a hash, a scrambled form that cannot simply be reversed; yet the password is not safe, because cyber criminals run cracking software that takes a huge list of likely passwords, hashes each guess in turn and looks for a match, at millions or even billions of guesses a second. The simpler or more common the password, the sooner it is found. Many passwords fall in a fraction of a second.
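To show what “cracking” actually means, here is a short Python program added to this article as an illustration (it is not code from the original article, from Spire Computer Help or from any real breach). The stolen database, the wordlist and the email addresses in it are all made up for the example; real wordlists run to gigabytes, and real attackers use graphics cards rather than a laptop.

```python
import hashlib

# Constructed stand-in for a stolen user database. Real breaches have held
# millions of rows; many stored passwords as unsalted MD5 or SHA-1, which are
# even faster to guess against than the SHA-256 used here. The accounts,
# passwords and hashes below are made up for this example.
LEAKED_DB = {
    "alice@example.com": hashlib.sha256(b"password1").hexdigest(),
    "bob@example.com":   hashlib.sha256(b"Liverpool1").hexdigest(),
    "carol@example.com": hashlib.sha256("Brasso£Epson@Wimpy".encode()).hexdigest(),
}

# Tiny stand-in for the multi-gigabyte wordlists crackers actually use.
WORDLIST = ["password", "letmein", "qwerty", "liverpool", "summer", "brasso"]


def mutations(word):
    """Yield the base word plus the tweaks people typically make to it."""
    for w in (word, word.capitalize(), word.upper()):
        yield w
        for suffix in ("1", "123", "!", "2023"):
            yield w + suffix


def crack(leaked_db, wordlist):
    """Dictionary attack: hash each guess and compare it with every stored hash.

    Returns (cracked, guesses_tried). Nothing is 'decrypted': the attacker only
    ever re-computes the hash of a guess and looks for a match in the dump.
    """
    cracked = {}
    guesses = 0
    for word in wordlist:
        for guess in mutations(word):
            guesses += 1
            h = hashlib.sha256(guess.encode()).hexdigest()
            for user, stored in leaked_db.items():
                if stored == h and user not in cracked:
                    cracked[user] = guess
    return cracked, guesses


if __name__ == "__main__":
    cracked, guesses = crack(LEAKED_DB, WORDLIST)
    for user in LEAKED_DB:
        print(f"{user:20} -> {cracked.get(user, '(not cracked)')}")
    print(f"{guesses} guesses tried")
```

Run it and the two “normal” passwords are recovered after a few dozen guesses, while the three-random-word password is not in the list at all. That is the whole point of long, unusual passwords: the attacker can only find what their wordlist and its variations can reach.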
Passwords continue to be a major weak point across the internet. Most of the problems stem from password reuse and from passwords that are short, not complex or otherwise easy to guess.
I do understand it’s hard to remember all your passwords – unless you just have the one of course.
The National Cyber Security Centre (the NCSC) recommends using three random words. On top of that, a good password:
- should be at least 12 characters long (three words usually gets you there), and 16 or more is better still;
- should have upper and lower case letters, plus numbers;
- should contain special characters or symbols;
- should avoid familiar names, sports clubs and birthdays, or anything else that could be found out about you from social media;
- and should never be reused on another account.
But how can you possibly think up different passwords for all your accounts, let alone remember them? You can use a formula.
Let me explain what I mean.
Take three random words like Brasso, Epson and Wimpy (made-up words and names are better than ordinary dictionary words) and add special characters between them.
Brasso£Epson@Wimpy
And that’s the basis for our passwords. But passwords need to be unique to each online account you have, and this one doesn’t have a number yet.
So, let’s say we want a password for Facebook. Add a capital F at the front and a small k at the end (the first and last letters of FACEBOOK), then an 8 because Facebook has 8 characters, and we have a unique password. Whatever positions you choose, always put the letters and the number in the same places, otherwise you won’t be able to work the password out again.
FBrasso£Epson@Wimpyk8
For Amazon the password would become – ABrasso£Epson@Wimpyn6
For EasyJet the password would become – EBrasso£Epson@Wimpyt7
Use three words that you will remember. Don’t use family names; maybe use something from your past, an old neighbour, your first car, or the place you met your partner. You could use the first letters of the words of a favourite song, say sotr (Somewhere Over The Rainbow), and merge our F, k and 8 into that …
Fsotr£Epson@Wimpyk8
Or perhaps an old telephone number you remember.
If three words seem excessive to you, and perhaps you don’t use online banking, then two “words” may do.
Fsotr£5768118k8
Here I have used just two “words”, the song initials and a phone number, with the F, k and 8 from Facebook added in the same places as before.
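For readers who like to see a rule written down exactly, here is the formula as a small Python program. It is added to this article as an illustration and is not code from the original article or from the NCSC; the base words and site names are the ones used above, and the second function shows what a fraudster who gets hold of two of your passwords would see.

```python
def derive(base, site):
    """Apply the formula: the site's first letter in upper case at the front,
    its last letter in lower case at the end, then the number of characters
    in the site's name. 'base' is the three-word core you always keep."""
    name = site.strip()
    if not name:
        raise ValueError("site name must not be empty")
    return f"{name[0].upper()}{base}{name[-1].lower()}{len(name)}"


def shared_core(p1, p2):
    """Longest run of characters that two passwords have in common.

    A fraudster holding two of your passwords only has to look for this to
    recover the base and then guess the rest for any other site."""
    best = ""
    for i in range(len(p1)):
        for j in range(len(p2)):
            k = 0
            while i + k < len(p1) and j + k < len(p2) and p1[i + k] == p2[j + k]:
                k += 1
            if k > len(best):
                best = p1[i:i + k]
    return best


if __name__ == "__main__":
    BASE = "Brasso£Epson@Wimpy"  # the three-word core from the article
    pw = {site: derive(BASE, site) for site in ("Facebook", "Amazon", "EasyJet")}
    for site, p in pw.items():
        print(f"{site:9} {p}")
    # What an attacker sees if the Facebook and Amazon passwords both leak:
    print("common core:", shared_core(pw["Facebook"], pw["Amazon"]))
```

The first function gives you the same password every time for the same site, which is what makes the formula workable. The second is the reason a password manager is still the better option: one leaked password hides the pattern reasonably well, but two leaked passwords hand the base words to anyone who lines them up.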
So you only need to remember how you always create your passwords; you don’t need to remember every password itself. If someone gets hold of just one of them, the pattern is hard to spot. Be aware, though, that if two or more of your passwords leak, the shared middle section stands out, which is one reason the password manager described later is the stronger option.
Don’t be put off by the size of the task. If you only change one password, go and change your email account password. And do it today. Then maybe tomorrow or next week change your social media password, and so on.
Some accounts are not so important and hold no personal information, so a simpler password might suffice there, but you need to assess what information you have supplied before making that decision, and a password you have used for your email or banking should never be one of them.
It is important that you do not forget the basis for your password, so write it down somewhere and keep it safe, but do not keep it with your smartphone, tablet or computer. Is Brasso£Epson@Wimpy going to mean anything to anyone if they find it in your phonebook or on a card in a drawer?
If you don’t want the hassle of making up passwords, or trying to type them in occasionally, you may want to think about a password manager. Most password managers will suggest a strong unique password when you are creating an account and store those passwords for you so you don’t have to remember them. When logging in to a site, they will help and autofill your email address and password for you. You have probably seen this as most popular browsers have a built-in password manager and you probably use it without realising.
If you only have a single device then you could stick with the password manager that comes as part of your browser, but if you have multiple devices, particularly when you cannot use the same browser on all of them, then you may want to think about a dedicated password manager so your passwords can be used across your devices.
Another important security measure is 2FA, or Two Factor Authentication. Many sites that hold your personal information now offer 2FA and some even switch part of it on by default. Basically, with 2FA you not only need a password to sign in, but also something you physically have, for instance your mobile phone. You won’t need it all the time, just as you don’t have to type in your password every time you open your email, but if you try to access your email from a different device, or sometimes from a different location or country, you will be asked for a code in addition to your password. That code is sent to your mobile phone by text message or, better, generated by an authenticator app on the phone; choose the app where the site offers it, as text messages can be intercepted or redirected.
If your email account, social media account, or any other high value account offers 2FA, we strongly recommend that you set it up, as it means that if anyone has stolen your password, they’d need to invest a lot more time and effort into specifically targeting you before accessing any of your accounts.
If all this sounds daunting to you, by all means come into the cafe and one of us will help you through it.
Article by Liam Dasey. Liam is one of our volunteer Digital Champions, but he is also a volunteer Digital Ambassador for West Sussex County Council and Get Safe Online, helping raise awareness about online safety in the community.