
A Best Practice guide to Passwords

By Tony Edwards, Cost Area Lead for ICT | 14th December 2017 | April 4th, 2019

Our guide to password security and best practice.

Tip 1 – No more Post-it notes:

With the number of services, subscriptions and applications that require passwords continually increasing, it is no wonder so many people rely on Post-it notes and the like to keep track of their passwords.

Post-it notes stuck to keyboards, monitors and the like are something you see in almost any office environment. However, keeping passwords out in the open puts your own data, your company's data and that of other entities at high risk. If that data is then breached you may be in line for a significant fine. So if you have passwords on Post-it notes or scraps of paper around your desk or PC area, use an alternative solution.

LastPass, Identity Safe and TrueKey are examples of low-cost password-management applications that store your passwords in a more secure manner using AES-256 encryption. A beginner's guide to the Advanced Encryption Standard is a good place to read more about how that encryption works.

Tip 2 – Adopt the 8 + 4 rule:

This rule helps you to build passwords that are as strong as steel. Use a minimum of eight characters, including one upper-case letter, one lower-case letter, a special character such as an asterisk, and a number. The more random the better. Make sure the numbers and symbols are spread throughout the password: bunching them up at one end makes the password easier to crack.

Tip 3 – Depersonalise:

There is a gulf of difference between a convenient password and a secure password, and everyone within your organisation needs to understand this. Using personal information, like your first name or date of birth, within your passwords is akin to a timebomb waiting to go off. If your organisation suffered a data breach and the company HR data was obtained, this sort of information would be the first set of combinations that attackers try in order to access further information.

Tip 4 – Different applications/accounts need different passwords:

If you have multiple users in a department all using the same applications, you may be tempted to give them all the same credentials. This corner-cutting needs to be avoided: each user or device needs a different password.

Tip 5 – Character limit and dictionaries:

The average person can only remember 10 characters or fewer. Long passwords run the risk of being written down so they can be remembered.

It might sound safe to go to the dictionary for a password, but attackers have dictionary-attack programs, which have been around for years, that simply try tens of thousands of words in turn.
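The checks described in Tips 2, 3 and 5 (the 8 + 4 rule with numbers and symbols spread out, no personal details, no plain dictionary words) can be enforced automatically at the point a password is set. The example below is an added illustration, not code from the original post; the word list and the personal-detail tuple are constructed stand-ins for the real lists an organisation would maintain.

```python
import string

# Constructed stand-in for a real dictionary/common-password list (assumption).
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "qwerty"}
SYMBOLS = set(string.punctuation)

def has_required_classes(pw: str) -> bool:
    """8 + 4 rule: at least one upper, one lower, one digit and one symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))

def digits_symbols_bunched(pw: str) -> bool:
    """True when every digit and symbol sits in one contiguous run,
    e.g. 'Summer2017!' - the bunched pattern the 8 + 4 rule says to avoid."""
    runs, prev = 0, False
    for c in pw:
        mark = c.isdigit() or c in SYMBOLS
        if mark and not prev:
            runs += 1
        prev = mark
    return runs == 1

def contains_personal_info(pw: str, personal) -> bool:
    """Tip 3: reject passwords built from known personal details (name, year...)."""
    low = pw.lower()
    return any(len(p) >= 3 and p.lower() in low for p in personal)

def contains_dictionary_word(pw: str) -> bool:
    """Tip 5: reject passwords that contain a plain dictionary word."""
    low = pw.lower()
    return any(w in low for w in COMMON_WORDS)

def check_password(pw: str, personal=()) -> list:
    """Return the names of the rules the password fails (empty list = accepted)."""
    failures = []
    if len(pw) < 8:
        failures.append("min_length_8")
    if not has_required_classes(pw):
        failures.append("missing_character_class")
    if digits_symbols_bunched(pw):
        failures.append("digits_symbols_bunched")
    if contains_dictionary_word(pw):
        failures.append("dictionary_word")
    if contains_personal_info(pw, personal):
        failures.append("personal_info")
    return failures
```

`check_password("Summer2017!")` is rejected only for bunching, while the abbreviation-style `Tsw3Co!t9` from Tip 6 passes every rule.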

Tip 6 – Adopt passphrases to help remember passwords:

Abbreviations are usually immune to dictionary attacks and can be easier to commit to memory. For example, Richard of York Gave Battle in Vain is a mnemonic aid for recalling the colours of the rainbow. So TSWCOT, for The Sun will Come Out Tomorrow, is a good example for a secure password – just remember to add symbols and numbers.

Tip 7 – Additional barriers:

Think big-picture – while you may have a complex password which would be difficult to crack, it is still crackable given time. Consider employing further authentication methods, such as fingerprint scanning, or the use of Authenticator applications, to add those extra barriers to your data.

Tip 8 – Your password is YOUR password:

Nobody should ever tell anyone else their password. It is the job of your systems administrator to act as gatekeeper here, so if someone in your organisation needs access to an account, they should speak to the administrator to be granted access to the account in question.

The table below (provided by Curatrix Group) indicates how long it can take for a password to be cracked depending on the pattern. If a password takes more than six hours to crack, hackers are likely to abandon the attempt and move on – unless you (or your company) are being targeted specifically.