Cyber Security

Strong, unique passwords

This just cannot be emphasised enough, and has to be lesson 101. The simplest way to improve your cyber security at ANY level is to use a strong password, and make it unique for each service. This might sound like a lot of effort to achieve, but it doesn't have to be.

What is a strong password?

This is obviously subjective and open to debate. On the one hand you might think that a long and complex password, something like c\c;b3H)E7x>r8p2 for example, is ideal. Now let's be clear, this is very definitely a strong password, but who could remember it without writing it down somewhere, or saving it in a OneNote page? Then also consider the need for it to be unique: there's no way any normal person could remember dozens of passwords as complex as this. Dictionary words and names are easy to remember, but even replacing some of the letters with numbers and symbols, for example Fr3dd1e, still results in a relatively simple password. What is ideally required is a password that fulfils both criteria: strong and memorable.

Maybe base your password on a line from one of your favourite songs? Take for example "Naughty boys in nasty schools, Headmasters breaking all the rules". Take the initial letters of each word (maybe replace some of them with non-alpha characters if you wish) and you get NbinsHbatr. That's the beginnings of a pretty strong password which is also relatively easy to remember.

Alternatively you could follow the recommendations of the National Cyber Security Centre or xkcd and just use multiple random words. The reasoning is that a very long password is much harder to crack by brute force (i.e. trying every possible combination of characters), and because it is made up of real words it is much easier to remember. With this in mind we've created a nifty little tool for generating passwords, you can find it here. Just keep pressing the "Generate" button until it creates one that you can remember. For example, with stealroundconcrete you can conjure up a cartoon image in your mind of someone struggling to lift a huge concrete ball into the back of their car, all red faced with sweat pouring out.

What about our strong password's uniqueness though?

Again, it would take someone with a great memory to create a separate strong password, using either method above, for every website or application they use. Personally I choose a strong "core" password, and then tailor it to suit the website or application it is going to be used for. For example you could take the first and second letters of the website domain, then include your core password, then add on the third and fourth letters of the website domain. So to tailor our strong password for Amazon we would use Amstealroundconcreteaz, and for Facebook we would use Fastealroundconcretece, and so on.

But this strong, unique password is so similar in each case; wouldn't a hacker be able to work it out if they figured out two of my passwords?

This is the clever bit. Passwords, unless the website or application has particularly poor security, are always "hashed" before they are stored in a database. Hashing is a one-way function: the password is transformed into a fixed-length digest, and the transformation cannot be reversed to recover the password. Even the most basic of hashing algorithms will turn your similar passwords into radically different sets of characters. For example, using MD5 (which is pretty much the most basic of hashing algorithms) our Amazon password is stored as c91e30109656cb094d05530ecd5eb3c9, and our Facebook password as 7ff9a8b04a4818bda686a40779e2f682. Only two characters in matching positions are the same!
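To make the three ideas above concrete (the random-word generator, the "core password plus domain letters" tailoring, and the effect of hashing on near-identical inputs), here is an added Python example; it is not the page's own tool or code. The word list is a small constructed stand-in for the generator's real list, which the page does not show, and MD5 is used only to reproduce the page's illustration.

```python
import hashlib
import secrets

# Constructed (assumed) word list standing in for the page's generator.
WORDS = ["steal", "round", "concrete", "anchor", "velvet", "ladder",
         "pepper", "orbit", "candle", "meadow", "copper", "tiger"]


def generate_passphrase(word_count: int = 3, words=WORDS) -> str:
    """Join `word_count` randomly chosen words, xkcd/NCSC style.

    secrets.choice draws from the OS CSPRNG; random.choice is not
    suitable for anything that acts as a secret.
    """
    return "".join(secrets.choice(words) for _ in range(word_count))


def tailor(core: str, domain: str) -> str:
    """Apply the page's scheme: 1st and 2nd domain letters (capitalised),
    then the core password, then the 3rd and 4th domain letters."""
    name = domain.lower()
    return name[:2].capitalize() + core + name[2:4]


def md5_hex(password: str) -> str:
    """MD5 hex digest, only to reproduce the page's illustration.

    MD5 is a fast, unsalted hash and is not a password-storage hash.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def matching_positions(a: str, b: str) -> int:
    """Count positions where two equal-length digests hold the same hex char."""
    return sum(1 for x, y in zip(a, b) if x == y)


if __name__ == "__main__":
    core = "stealroundconcrete"
    digests = {}
    for site in ("amazon", "facebook"):
        pw = tailor(core, site)
        digests[site] = md5_hex(pw)
        print(f"{site:9} {pw:24} md5={digests[site]}")
    print("hex positions in common:",
          matching_positions(digests["amazon"], digests["facebook"]))
    print("random passphrase:", generate_passphrase())
```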

As a parting comment, if the service your credentials belong to offers an option to protect them with two-factor authentication, use it. This will prevent access to your account by hackers even if they manage to obtain your credentials.

Posted 09/12/2021