
In the wake of the recent increase in ransomware attacks on schools (see March news post), I’m staying with the theme of cyber security this month and was interested to see the report from the UK’s National Cyber Security Centre on the outcome of its recent survey into UK passwords.
A strong password is one of the simplest ways we can stop cyber criminals. However, the survey showed that our passwords are often made up of things other people can easily predict, which makes them easy for attackers to crack.
The NCSC’s survey of UK passwords showed:
- 15% use their pet’s name
- 14% family members’ names
- 13% significant date
- 6% favourite sports team.
6% of those surveyed admitted using ‘password’ as all or part of their password!
The National Cyber Security Centre advises three actions we can take in relation to passwords which will improve our cyber security:
- Use a strong and separate password for email
- Create strong passwords using three random words
- Save our passwords in our browser.
They also advise turning on two-factor authentication (2FA), updating devices and backing up data.
How often should we change our passwords?
Historically, we have been advised to change our passwords regularly and many employers make sure that we do this.
However, this approach is no longer advised by cyber security experts, including the National Institute of Standards and Technology (NIST). They say that forced changes encourage us to fall into the trap of choosing weaker, predictable passwords rather than strengthening security, such as:
bananajan
bananafeb
Bananamar
I definitely fell into this trap when forced to change my password frequently when working for employers in the past.
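The trap above is easy for a system to spot at password-change time. The following is an added example, not code from the NCSC or this post, of a check that flags a new password which only differs from the old one by case or a month/number/symbol suffix (the bananajan → bananafeb pattern), contains the word "password", or contains a term the user has told us is personal (pet or family name, significant date); the helper names and the threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Trailing fragments that people typically rotate: month abbreviations,
# up to four digits, and runs of common punctuation, in any combination.
SUFFIX_RE = re.compile(
    r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec|\d{1,4}|[!@#$%^&*]+)+$"
)


def stem(password: str) -> str:
    """Lower-case the password and strip rotated suffixes: 'Bananamar' -> 'banana'."""
    return SUFFIX_RE.sub("", password.lower())


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is essentially the old one with a new suffix.

    Exact stem equality catches the month/number rotation; the similarity
    ratio (assumed threshold 0.8) catches near-copies such as a single
    swapped character.
    """
    old_stem, new_stem = stem(old), stem(new)
    if new_stem and old_stem == new_stem:
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def check_new_password(old: str, new: str, personal_terms=()) -> list[str]:
    """Return the reasons a proposed password change should be rejected.

    personal_terms is a constructed, user-supplied set of things the NCSC
    survey found people reuse (pet's name, family names, significant dates).
    """
    reasons = []
    lowered = new.lower()
    if "password" in lowered:
        reasons.append("contains the word 'password'")
    for term in personal_terms:
        if term.lower() in lowered:
            reasons.append(f"contains personal term '{term}'")
    if is_trivial_variant(old, new):
        reasons.append("trivial variant of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the rotation sequence from the post.
    for old, new in [("bananajan", "bananafeb"), ("bananafeb", "Bananamar")]:
        print(old, "->", new, check_new_password(old, new))
```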
Instead, security experts such as Graham Cluley, as well as NIST, recommend changing our passwords when we believe there’s a good reason to do so, for example if we think our password may have been breached, if we believe we may have chosen a weak password, or if we have reused the same password in multiple places.
When there are good reasons to change our passwords, we should definitely change them, making them strong, hard-to-crack and unique. A password manager will generate random passwords and store them securely.