Password Security Reminder

As we all live in times where we all need to be very cyber aware, may I make a quick reminder about password security and that we ask you never to use the same password for more than one account and never use the same password for work and personal accounts please.

Please bear in mind the following points:

• We all use passwords to protect systems from unauthorised use and to protect our own accounts from misuse by others.  Your login and password is your personal key to the system and must never be shared with anyone else.
• The general rule is the longer the password the harder it is to guess or crack.  Long passwords can be made easy to remember by using a passphrase, typically three or four random and unrelated words joined together. 
• Don't use easily guessable words like secret, password, 123456, or your name
• When it's time to change your password, don't use the same password with a number that you increase by one every time.
• Use a passphrase - something like PaintingCandleClockMirror - you can add random numbers or special characters in this if you want to.
• Don't use the same password for more than one account and never use the same password for work and personal accounts.

There are some good password generators available free of charge on the Internet.  Diceware is easy to use and has a simple explanation of why passphrases are a good idea and stronger than standard passwords:

https://diceware.dmuth.org/

One of the most common forms of cyber attack uses a technique called credential stuffing.  This is where an attacker gains access to a weak system and gets access to account information.  They will then use that information to attempt to log into other accounts that the credentials may have access to.  If a user has used the same password for multiple systems, then there's a high risk that an attacker can gain access to them.  You wouldn't use your banking password for your eBay account so don’t use the same password across systems!

We can protect against this by using multi factor authentication or MFA (sometimes called two factor authentication or 2FA) where it is available.  This normally uses a one time code generated by an authenticator app in addition to the normal username and password.  Council systems use MFA to protect access wherever they can, and you can do the same for your personal accounts to keep them secure.

Using passphrases makes a password a lot easier to remember and much more secure (remember longer is stronger) but having to use a separate password for each account means that they all have to be remembered and that can be another problem.  Fortunately, there are free programs called password managers available to help with this, they will hold all of your passwords in a secure encrypted database and are available for all devices and operating systems.  We recommend Keepass/KeepassXC for this, it's easy to use and has some useful features like a built-in passphrase generator. If you have a work mobile, then it's available on the app store.

Of course, the good password practice (and MFA) used at work can be applied to your personal accounts at home and we would recommend you do!

We really appreciate your support and help with password use.

Many thanks,

Thomas Aldred

ICT Services Manager