Cyber Scotland Week - Passwords

A password is a secret word that is only known to the user and is used to confirm their identity when they log into a system.

We use them to protect systems from unauthorised use and to protect our own accounts from misuse by others. Your login and password is your personal key to the system and must never be shared with anyone else.

The general rule is the longer the password the harder it is to guess or crack.  Long passwords can be made easy to remember by using a passphrase, typically three or four random and unrelated words joined together.  There are a few simple rules to this:

Don't use easily guessable words like secret, password, 123456, or your name When it's time to change it, don't use the same password with a number that you increase by one every time.

Use a passphrase - something like PaintingCandleClockMirror - you can add random numbers or special characters in this if you want to.

Don't use the same password for more than one account and never use the same password for work and personal accounts.

There are some good password generators available free of charge on the Internet.  Diceware is easy to use and has a simple explanation of why passphrases are a good idea and stronger than standard passwords:

https://diceware.dmuth.org/

One of the most common forms of cyber attack uses a technique called credential stuffing.  This is where an attacker gains access to a weak system and gets access to account information.  They will then use that information to attempt to log into other accounts that the credentials may have access to.  If a user has used the same password for multiple systems, then there's a high risk that an attacker can gain access to them.  You wouldn't use your banking password for your eBay account so don’t use the same password across systems!

We can protect against this by using multi factor authentication or MFA (sometimes called two factor authentication or 2FA) where it is available.  This normally uses a one time code generated by an authenticator app in addition to the normal username and password.  Council systems use MFA to protect access wherever they can, and you can do the same for your personal accounts to keep them secure.

Using passphrases makes a password a lot easier to remember and much more secure (remember longer is stronger) but having to use a separate password for each account means that they all have to be remembered and that can be another problem.  Fortunately, there are free programs called password managers available to help with this, they will hold all of your passwords in a secure encrypted database and are available for all devices and operating systems. 

We recommend Keepass/KeepassXC for this, it's easy to use and has some useful features like a built-in passphrase generator. If you have a work mobile, then it's available on the app store.

Of course, the good password practice (and MFA) used at work can be applied to your personal accounts at home and we would recommend you do!

In summary:

• Use separate passwords for each account you have
• Use three or four random words joined together to form a passphrase
• Never use a work related password for personal accounts
• Use a password manager to help you keep track of your passphrases