Change the way you think about passwords...

Four million TalkTalk customers in the UK woke up last week to find that the company had been hacked, meaning their bank details and personal data could have been accessed. Those customers are now being given the standard advice after all these attacks: change all your passwords.

I’m going to add something else to that advice.  Make this the last time you have to change all your passwords, by changing the way you think about passwords.

You should have a different password for every different site you visit.  Why should you have a different password?  Because, if the site you visit gets compromised by a criminal then that person potentially knows not only your password for your Internet Service Provider (ISP), but also your bank, your bank account number, your phone number, your security questions for the ISP (are they the same as for your bank?  Mother’s maiden name?  Uh oh.) 

Every responsible web business should secure your passwords so that they are never stored in a readable form, and should also make sure that not even they know what your password is (by adding a random ‘salt’ and then ‘hashing’ the result, so the same password never produces the same stored value twice).  Once your password is stored in this form it is extremely difficult to recover the original password from the stored hash, with the stronger passwords only being broken after hundreds of years of computation.

Let me ask you – does the last site you visited protect your password by salting and hashing it?  What level of protection do they use?  Is it a modern, deliberately slow method or a weak one?  I’m going to guess your answer is “I don’t know” or “how could I possibly know that” or “who has time to even think about that” – and that is why you need a different secure password for every site you visit.
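To make the salting-and-hashing idea concrete, here is an added example (not code from the original post) contrasting a bare fast hash with a salted, deliberately slow key-derivation function. The user names, the shared password and the iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who picked the same password (the reuse
# problem the post describes). Sample values only, not real credentials.
USERS = {"alice": "P4ssword!", "bob": "P4ssword!"}

PBKDF2_ITERATIONS = 600_000  # slow on purpose; raise as hardware gets faster


def unsalted_hash(password: str) -> str:
    """The weak approach: one fast hash, no salt. The same password always
    gives the same value, so a breach reveals who shares a password and
    one precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Add a random salt, then run a slow KDF (PBKDF2-HMAC-SHA256).
    The record stores its own parameters so they can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_detectable(store: dict) -> bool:
    """True if two stored values are identical, i.e. a leaked database
    would show which accounts share a password."""
    values = list(store.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted store reveals shared password:", same_password_detectable(weak))    # True
    print("salted store reveals shared password:  ", same_password_detectable(strong))  # False
    print("alice verifies with correct password:  ", verify_password("P4ssword!", strong["alice"]))  # True
```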

Easy advice to give, but what is the practical implication of having lots of passwords?  Usually it means that you end up scratching your head trying to remember if your online shopping password was ‘password’ or if that’s the password you used for the online auction site (P.S. if you use the word “password” for anything you really, really need to pay attention).

The sites don’t help, because their attempts to force us to choose more secure passwords are often arbitrary.  “Your password must include a number and a special character”, as though ‘P4ssword!’ is any more difficult to guess than ‘password’.

Some suggest that using three random, unconnected words is the answer to all your cyber security problems.  I appreciate the sentiment but personally think it’s flawed, because it leads to passwords that are unmemorable, and an unmemorable password leads to you writing it down somewhere.  WHICH IS THE WORST THING YOU CAN DO!

So, let’s recap - you should have a different password for every log-in you use.  If you can’t remember if your three random word password was “dog amoeba blahblah” or “Crispy_clOud+ferrarr1” then you’ll be tempted to write it down, or worse, use the same three random word password for every site you visit. 

So, what’s the solution to this conundrum?  Simple.  Use a password manager. 

There are plenty of free services and apps to choose from that will allow you to generate and store hundreds of different passwords to use on your computer, phone or tablet.

This means that you only have to remember one password – the password for your password manager.  If you are going to use one, you need to make this password strong and memorable.  How do you do that?  You make it as long as possible while still memorable.

Stop thinking about passwords and start thinking of ‘passphrases’.  The longer your password, the more possibilities there are to guess.  The standard alphabet means that each character of your password has 52 possible values (all the letters of the alphabet, upper and lower case), so a text-based password is inherently more secure than a numeric one (10 possibilities per character).  The strongest passwords are sentences long.  Choose something that you will remember.  Include some punctuation, some capitalisation, throw 1n the odd number (see what I did there?) and you’ll have a cracking password.

Do not write that password down.  Ever.  Do not share it.  Do not use it on any other sites.  That password is literally money in the bank.  It is your wallet and your phone. 

Turn on ‘two-factor’ authentication on every site that has it.  This will mean that if anyone wants to pretend to be you, they need not only your password, but also access to your phone.  It also means you will get an alert when someone tries to log in to your account.  It’s a bit of extra work logging in to sites, but it will improve your security exponentially. 

Next time there is a national story saying ‘you must all change your passwords’, you won’t have to worry, because you know that all of your passwords are different.

Think about it – if you lose your back door key, no one tells you to change every lock in the house.  The reason people are being told to change all their passwords is because they know, from experience, that people tend to use insecure passwords on multiple sites.  If you don’t have multiple passwords, you’re letting the thieves have your skeleton key.  Invest the time in getting cybersecure – it’s the equivalent of buying good locks for your house, along with some decent lighting, a burglar alarm and CCTV. 

If you change your password now for all your sites and use the same password, trust me, you’ll be doing it again in a couple of months when the next hack rolls in.  The criminals are getting smarter and better, and it’s up to us to make it as hard as we can for them.