February 13, 2014 (updated 22 Sep 2016 11:05am)

How to create the most awesome passwords

With Safer Internet Day taking place this week, CBR has teamed up with Lee Weiner, SVP of products and engineering at security management firm Rapid7, to bring you a series of useful guides that will help you stay safe online. Here, Lee looks at the importance of passwords.

By Duncan Macrae

Many people grumble about passwords, and they can certainly be a bone of contention for users. After all, we live so much of our lives online these days – from banking to dating – and need to protect hundreds of different applications and services, so how is it possible to remember so many different symbols and combinations? In order to avoid being locked out of their eBay account or being unable to access Facebook, most users opt for the easy route and use the same password for everything. And it’s likely that they adopt the same approach in the workplace.

Plus, users can be pretty laissez-faire when it comes to keeping that password a secret; many even write it down on a post-it note on their desk, or happily share it with a colleague who is having trouble getting access to an application. Passwords might be a serious pain in the behind, but they are a part of our reality and quite possibly the best option when it comes to providing a manageable, enforceable control for all users. Tokens get lost or stolen and aren’t practical for the majority of services, and even Apple has failed to convince the world at large that biometrics are up to the test.

So we’re stuck with passwords for the time being and your users need to understand why they’re important and how to use them to best effect.

Why are passwords important?

Having a password is the most basic level of protection you can have for the information you are storing in services or applications, be it your personal Facebook account, your online banking site, or your company’s customer tracking system. The problem is that everything is online now, and everything needs a password. So it’s tempting to make your password simple and easy to remember. Perhaps you have a go-to password that you’ve used for everything since university. Or maybe you write your password down so you don’t forget it.

If you do any of those things, you’re probably in the majority, not the minority. Creating long, complex passwords that are unique for every service you use is a challenge, and remembering them all is near impossible. The problem is that simple, easy to remember passwords are also easy to crack, making it easy for cyber criminals to steal your identity.

Once attackers have your password, they have access to your account and any information stored in it. From there, they may be able to do all sorts of things, and what was intended as a form of protection could become a threat in itself. For example, if you use the same password across multiple sites, once an attacker has compromised your information on an unimportant one, they can turn around and use it on a site you do care about. Or say you use different passwords, but the same security questions. They could find the information for your security questions and then set up a fake "change password" request using your information and actually lock you out of an important account.


Bottom line: passwords are an important security measure for every aspect of your life, including work.

How can you protect yourself?

There are a number of things you can do to reduce your risk and increase the protection offered by passwords. Our top tips follow.

Make passwords long and complex

Try to make your password more than 12 characters and use at least one lower case character, one upper case character, one number, and one special character. Shamefully, not all sites have enabled this yet, so it may not always be possible, but do it where you can. Try stringing unconnected words together and mixing up the letters, numbers and special characters to make them extra hard to guess.
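As an added illustration (not code from the article or from Rapid7), the following Python checks a candidate password against exactly the rules stated above and generates a passphrase by stringing unconnected words together with mixed case, a digit and a special character. The word list is a constructed sample; a real generator would draw from a large dictionary.

```python
import secrets
import string

# Policy stated in the article: more than 12 characters, with at least one
# lower-case letter, one upper-case letter, one digit and one special character.
MIN_LENGTH = 13  # "more than 12 characters"
SPECIALS = string.punctuation


def policy_failures(password: str) -> list[str]:
    """Return the article's policy rules that the password violates (empty if it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


# Constructed sample word list (assumption); use a large dictionary in practice.
WORDS = ["copper", "lantern", "river", "quartz", "meadow", "falcon", "bishop", "velvet"]


def generate_passphrase(word_count: int = 3) -> str:
    """String unconnected words together, then mix in upper case, a special
    character and digits as the article suggests. Draws from the `secrets`
    module so the choice is cryptographically unpredictable."""
    words = [secrets.choice(WORDS) for _ in range(word_count)]
    # Capitalise one randomly chosen word so the phrase has an upper-case letter.
    idx = secrets.randbelow(len(words))
    words[idx] = words[idx].capitalize()
    # Join the words with a random special character and append a two-digit number.
    sep = secrets.choice(SPECIALS)
    number = f"{secrets.randbelow(100):02d}"
    return sep.join(words) + sep + number


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, "->", policy_failures(candidate) or "passes policy")
```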

Don’t reuse passwords

It is very difficult to remember unique passwords across everything. You can tackle this by using a service like LastPass, which securely stores your passwords. All you need to remember is the password for your LastPass account. If you do reuse passwords across sites, be vigilant for any suspicious activity and at the first sign of trouble, change the password on any other sites where it was used.

Regularly change your password

Passwords should be changed every 8-12 weeks. Yes, it’s a hassle, but if an attacker has gained access without you knowing, it stops them from being able to keep coming back over and over again.

Two-factor authentication

Where possible, favour services that offer two-factor authentication and enable it. The way this typically works is that it combines something you know (your password) with something you have (e.g. a generated code sent to your phone) to provide a double layer of protection.

Never use a default password

Many devices and applications come with default passwords set up. You need to change these as soon as possible during your set up process. Using a default password is the same as using no password at all.
