
Password security is the first — and often weakest — line of defence against cyber-attacks. Unfortunately, passwords are the cybersecurity measure we all love to hate.

Techies take a lot of flak for implementing password security, but we didn’t invent it. Call them passwords, PINs, keys or whatever you like — they all work the same way: a pattern grants access to a restricted resource. As such, password security measures have existed throughout history and will be around in some form for a while yet.

That said, passwords have never been as common as they are today — and cracking them was far harder without computers. These days, weak passwords only create a false sense of security. So, we all need to know how to use passwords effectively.

What Makes A Strong Password

First, let’s review what makes one password stronger than another:

  • Length — simple “brute-force” hacking methods test one character at a time, so cracking long passwords takes longer
  • Variety — mixing capitals and lower-case letters gives a hacker up to 52 tests to run per character. Adding numbers adds ten more tests and punctuation can help, too
  • Unpredictability — “brute-force” attacks are inefficient, so hackers also test for common passwords, real words, names, pet names and dates
  • Uniqueness — re-using a password just gives hackers a bigger reward for cracking it
  • Expiry — passwords that expire quickly only allow hackers a short time to crack them
  • Secrecy — sharing a password weakens it, because you don’t know who else will see it. Without a written contract guaranteeing confidentiality, sharing passwords with work colleagues, family and friends is rarely worth the risk. If you must do it, control the situation and change your password straight afterwards

One fairly effective approach to this is to use a pass phrase. It’s easier to remember a long sentence containing a few numbers and punctuation than a long string of characters. However, sentence structures and words are predictable, so it’s better to mix them up a bit: for instance, use just the first two or three letters of each word, or the first and last.
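To put the criteria above and the pass-phrase mix-up into working code, here is an added example (not from the original article) that scores a password by the article's per-character counts and applies the first-letters or first-and-last transformation; the dictionary lists it checks against are small constructed samples.

```python
import math
import string

# Constructed sample lists; real dictionary attacks use far larger ones.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
PREDICTABLE_WORDS = {"summer", "winter", "london", "dragon", "monkey"}


def alphabet_size(password: str) -> int:
    """Per-character search space using the article's counts: 26 lower-case,
    +26 capitals, +10 digits, plus ASCII punctuation (32 symbols)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the candidates a brute-force search must enumerate:
    length multiplies the work, variety widens every position."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def is_predictable(password: str) -> bool:
    """Unpredictability check: whole-password match or a contained
    dictionary word, case-insensitive."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or any(w in lowered for w in PREDICTABLE_WORDS)


def passphrase_to_password(sentence: str, take: int = 2, first_and_last: bool = False) -> str:
    """The article's mix-up: keep only the first `take` letters of each word
    (or its first and last letter); digits and punctuation survive in place."""
    pieces = []
    for word in sentence.split():
        letters = "".join(c for c in word if c.isalpha())
        extras = "".join(c for c in word if not c.isalpha())
        if first_and_last and len(letters) > 1:
            kept = letters[0] + letters[-1]
        else:
            kept = letters[:take]
        pieces.append(kept + extras)
    return "".join(pieces)
```

A memorable sentence such as "My cat Felix ate 3 fish on Monday!" becomes a 16-character string drawn from all four character classes, which the dictionary check no longer flags.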

So, creating strong passwords isn’t that hard. At least, not compared to having your bank account emptied out, or your entire identity stolen. Yet those disasters are still very common.

So, what goes wrong?

When Good Password Security Goes Bad

Well, we’re only human. Strong passwords are hard to remember, and nowadays, we need lots of them. So, we create workarounds, like:

  • Re-using the same password on many systems
  • Writing passwords down (often in easily-accessible locations)
  • Using easily-remembered and/or predictable passwords

These weaken password security. It’s like leaving your front door on the latch so that you don’t have to carry a pocketful of keys. There must be a better way.

Well yes, there is — and it has been around almost as long as we’ve had keys. It’s called a keychain.

Password Managers — Modern Keychains

Mac users have had a built-in “Keychain” app since 1999. It’s a password manager program — and naturally, these exist for Windows and other operating systems, too. A good password manager will help you create strong passwords, then save you the trouble of remembering them. So, why aren’t they common?

Well, some feel that storing all your passwords in one place is like putting all your eggs in one basket. Whilst this is true, it’s a lot easier to protect one basket than to juggle dozens of eggs.

So, if you prefer to keep your passwords in-house, consider KeePass. It’s free and has versions for most operating systems — from Windows to Android and even Blackberry phones. This lets you share its password store across these systems. It is also open-source, so security experts can audit its code if necessary.

If you’re happy storing your passwords in a cloud-based system, LastPass may be worth a look. This offers free and low-cost subscriptions, browser plugins and mobile apps. Whilst your passwords are stored in the cloud, only your master password can unlock them. That isn’t transmitted, so decryption happens on the device you’re using.

Beyond Passwords

Strong passwords work well for most situations, but they do have limits. The computing power available to criminal hackers for cracking passwords is increasing exponentially. So, a password that takes 10 years to crack now may take only 5 years in two years’ time.

That’s why techies have to add extra limits on logins, like locking you out after a few typos. Contrary to popular belief, we’re always trying to make these more user-friendly. Unfortunately, things that would help you (like precise error messages) also tend to help criminal hackers.
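As an added illustration of the login limits just described (not code from the article), this sketch locks an account after a few failures and returns one generic message whatever went wrong, so the response never says which part was incorrect; the user store, salts, hashing choice and lockout parameters are constructed assumptions.

```python
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5            # failures allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
GENERIC_ERROR = "Invalid username or password"  # one message for every failure


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 as a stand-in for a proper password hash; never store plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hash). Real systems use random per-user salts.
_USERS = {"alice": (b"constructed-salt", _hash("correct horse", b"constructed-salt"))}
_DUMMY = (b"dummy-salt", _hash("", b"dummy-salt"))
_failures = {}  # username -> (failure count, time of first failure in the window)


def check_login(username: str, password: str, now=None):
    """Return (ok, message). Locks after MAX_ATTEMPTS failures within LOCKOUT_SECONDS
    and never reveals whether the username or the password was the wrong part."""
    now = time.time() if now is None else now
    count, since = _failures.get(username, (0, now))
    if now - since > LOCKOUT_SECONDS:
        count, since = 0, now  # lockout window expired, start counting afresh
    if count >= MAX_ATTEMPTS:
        return False, GENERIC_ERROR  # locked: same message, even for a correct password
    record = _USERS.get(username)
    salt, stored = record if record else _DUMMY  # hash anyway so unknown names cost the same time
    if record is not None and hmac.compare_digest(_hash(password, salt), stored):
        _failures.pop(username, None)
        return True, "OK"
    _failures[username] = (count + 1, since)
    return False, GENERIC_ERROR
```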

So, what are the alternatives?

Well, biometric systems like fingerprint scanners can work well. However, enough resources and incentive can crack any security — and accidents happen. That’s when the flaws appear. Unlike passwords, biometric data can’t be changed quickly to restore security. It’s also an inherent part of our identity. This can give hackers — and agencies who validate such data remotely — significant control over our identity.

“Social logins” are now also common. These let sites ask an “Identity Provider” like a social media platform to confirm your identity. Your login to the Identity Provider is normally encrypted. However, “social engineering” attacks like phishing can bypass that protection. So, these systems can be easier to hack than password managers.

A better option, favoured by Google and others, is “Two-factor authentication” (2FA). This usually combines something you know (typically a PIN or password) with something you own. For example, a bank card, a key or short-range RFID device, or a mobile phone that receives a short-lived “one-time password”. This extra security may seem redundant, but you’ll be glad of it if someone cracks your password.

Conclusion

Password managers make strong password security easy enough to use even in low-risk situations. If you can’t do that, at least use a mixed-up pass phrase, with 2FA when available.

This article is part of a cybersecurity series that began here.