Password security is the first — and often weakest — line of defence against cyber-attacks. Unfortunately, passwords are the cybersecurity measure we all love to hate.

Techies take a lot of flak for implementing password security, but we didn’t invent it. Call them passwords, PINs, keys or whatever you like — they all work the same way: a pattern grants access to a restricted resource. As such, password security measures have existed throughout history and will be around in some form for a while yet.

That said, passwords have never been as common as they are today — and cracking them was far harder without computers. These days, weak passwords only create a false sense of security. So, we all need to know how to use passwords effectively.

What Makes a Strong Password

First, let’s review what makes one password stronger than another:

  • Length — a brute-force attack tries every possible combination, and each extra character multiplies the number of combinations by the size of the character set, so cracking long passwords takes far longer
  • Variety — mixing capitals and lower-case letters gives a hacker up to 52 possibilities to test per character. Adding numbers adds ten more, and punctuation adds around thirty on a standard keyboard
  • Unpredictability — brute-force attacks are slow, so hackers first try lists of leaked and common passwords, real words, names, pet names and dates, with the usual substitutions and suffixes added. A password built from any of those falls quickly, however long it is
  • Uniqueness — re-using a password just gives hackers a bigger reward for cracking it: one leaked site database unlocks every account that shares it
  • Expiry — passwords that expire quickly only allow hackers a short time to crack them. The catch is that forced frequent changes push people towards predictable patterns (Password1, Password2, and so on), so changing a password as soon as you suspect it has been exposed matters more than changing it on a timer
  • Secrecy — sharing a password weakens it, because you don’t know who else will see it. Unless confidentiality is formally agreed, sharing passwords with work colleagues, family and friends is rarely worth the risk. If you must do it, control the situation and change your password straight afterwards

One fairly effective approach is to use a pass phrase. A long sentence containing a few numbers and punctuation is easier to remember than a long string of random characters. However, sentence structures and words are predictable, and cracking tools try dictionary words and well-known phrases as whole units. So, it’s better to mix them up a bit: for instance, keep just the first two or three letters of each word, or the first and last letter, or pick the words at random rather than as a sentence.
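To put numbers on the criteria above, here is an added example in Python (not part of the original article). It computes the size of the search space and the equivalent bits of strength for the character sets just listed and for a random-word pass phrase, estimates how long an attacker needs to exhaust each at a given guess rate (and how that shrinks as hardware gets faster), and checks a password against the criteria. The 7,776-word list, the 32-character punctuation set, the guess rate of ten billion per second and the short list of common passwords are all assumptions made for the illustration.

```python
import math
import re

# Character-set sizes corresponding to the list above. The 32 punctuation characters are the
# printable ASCII symbols; all figures here are assumptions for illustration, not from the article.
ALPHABETS = {
    "lower-case only": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + punctuation": 62 + 32,
}

# A 7,776-word list (six dice rolls per word, as in diceware) is assumed for pass phrases.
WORDLIST_SIZE = 7776

# Constructed list standing in for the millions of leaked passwords a cracker tries first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from the alphabet."""
    return alphabet_size ** length


def passphrase_keyspace(words: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Words chosen at random from a list: the attacker's unit of guessing is the word, not the letter."""
    return wordlist_size ** words


def entropy_bits(keyspace_size: int) -> float:
    """Strength expressed as bits: each extra bit doubles the attacker's work."""
    return math.log2(keyspace_size)


def years_to_exhaust(keyspace_size: int, guesses_per_second: float,
                     years_from_now: float = 0.0, doubling_period_years: float = 2.0) -> float:
    """Worst case for the attacker (every candidate tried) at today's rate, or at the rate
    reached after `years_from_now` if cracking hardware doubles every `doubling_period_years`."""
    rate = guesses_per_second * 2 ** (years_from_now / doubling_period_years)
    return keyspace_size / rate / (365.25 * 24 * 3600)


def weaknesses(password: str) -> list:
    """Which of the criteria above a password fails to meet (empty list means none found)."""
    problems = []
    if len(password) < 12:
        problems.append("short")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("little variety")
    # Strip the usual decorations (trailing digits/punctuation) before the dictionary check,
    # because crackers apply the same mangling rules to their word lists.
    core = re.sub(r"[^A-Za-z]+$", "", password).lower()
    if core in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if re.fullmatch(r"\d{6,8}", password):
        problems.append("looks like a date")
    return problems


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (8, 12):
            ks = keyspace(size, length)
            print(f"{name:34s} x{length}: {entropy_bits(ks):5.1f} bits, "
                  f"{years_to_exhaust(ks, 1e10):.2e} years at 10 billion guesses/s")
    ks = passphrase_keyspace(5)
    print(f"5 random words: {entropy_bits(ks):.1f} bits, "
          f"{years_to_exhaust(ks, 1e10):.2e} years now, "
          f"{years_to_exhaust(ks, 1e10, years_from_now=2):.2e} years in two years' time")
    print(weaknesses("Password1"), weaknesses("Th3Qu1ckBr0wnF0x!"))
```

Two things the output makes visible that the list alone does not: an eight-character mixed-case password (about 45 bits) falls in hours at the assumed rate, while five random words from a 7,776-word list (about 65 bits) are stronger than twelve mixed-case characters, and every two years the same password is worth one bit less.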

So, creating strong passwords isn’t that hard. At least, not compared to having your bank account emptied out, or your entire identity stolen. Yet those disasters are still very common.

So, what goes wrong?

When Good Password Security Goes Bad

Well, we’re only human. Strong passwords are hard to remember, and nowadays, we need lots of them. So, we create workarounds, like:

  • Re-using the same password on many systems
  • Writing passwords down (often in easily-accessible locations)
  • Using easily-remembered and/or predictable passwords

These weaken password security. It’s like leaving your front door on the latch so that you don’t have to carry a pocketful of keys. There must be a better way.

Well yes, there is — and it has been around almost as long as we’ve had keys. It’s called a keychain.

Password Managers — Modern Keychains

Mac users have had a built-in “Keychain” app since 1999. It’s a password manager program — and naturally, these exist for Windows and other operating systems, too. A good password manager will help you create strong passwords, then save you the trouble of remembering them. So, why aren’t they common?

Well, some feel that storing all your passwords in one place is like putting all your eggs in one basket. Whilst this is true, it’s a lot easier to protect one basket than to juggle dozens of eggs.

So, if you prefer to keep your passwords in-house, consider KeePass. It’s free and has versions for most operating systems — from Windows to Android and even Blackberry phones. This lets you share its password store across these systems. It is also open-source, so security experts can audit its code if necessary.

If you’re happy with storing your passwords in a cloud-based system though, LastPass may be worth a look. This offers free and low-cost subscriptions, browser plugins and mobile apps. Your passwords are stored in the cloud, but only your master password can unlock them, and that password isn’t transmitted, so decryption happens on the device you’re using.

Beyond Passwords

Strong passwords work well for most situations, but they do have limits. The computing power available to criminal hackers for cracking passwords keeps growing exponentially. So, a password that takes 10 years to crack now may take only 5 years in two years’ time.

That’s why techies have to add extra limits on logins, like locking you out after a few typos. Contrary to popular belief, we’re always trying to make these more user-friendly. Unfortunately, things that would help you (like an error message that says whether it was the username or the password that was wrong) also help criminal hackers, who use them to discover which usernames exist before they start guessing.
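The two halves of that trade-off side by side, as an added Python example that is not from the original article: a login check that returns the "helpful" messages, and a hardened version that returns one generic message for every failure, does the same hashing work whether or not the username exists, compares in constant time, and locks the account after a few consecutive failures. The user store, the single user "alice" and her pass phrase, the five-attempt limit and the five-minute lockout are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store for the example (not from the article). Passwords are
# stored as salted PBKDF2-SHA256 hashes, never in clear.
ITERATIONS = 100_000
GENERIC_ERROR = "Incorrect username or password"
MAX_FAILURES = 5           # the "few typos" the article mentions
LOCKOUT_SECONDS = 300


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


USERS = {"alice": make_user("correct horse battery staple")}

# Used when the username does not exist, so the server does the same amount of hashing work
# either way and response time does not reveal which usernames are valid.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("", _DUMMY_SALT)

_failures: dict = {}   # username -> (consecutive failures, time of last failure)


def login_verbose(username: str, password: str):
    """The 'helpful' version: each message tells an attacker something."""
    user = USERS.get(username)
    if user is None:
        return False, "No such user"      # confirms which usernames exist
    if _hash(password, user["salt"]) != user["hash"]:
        return False, "Wrong password"    # confirms the username; only the password is left to guess
    return True, "ok"


def login_hardened(username: str, password: str, now: float = None):
    """One generic message for every failure, constant-time comparison, and a lockout after
    MAX_FAILURES consecutive failures. `now` is injectable so the lockout can be tested."""
    now = time.time() if now is None else now
    count, last = _failures.get(username, (0, 0.0))
    if count >= MAX_FAILURES:
        if now - last < LOCKOUT_SECONDS:
            return False, GENERIC_ERROR   # locked out; same message, so lockouts aren't enumerable either
        count = 0                          # lockout expired
    user = USERS.get(username)
    salt, stored = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    ok = user is not None and hmac.compare_digest(_hash(password, salt), stored)
    if ok:
        _failures.pop(username, None)
        return True, "ok"
    _failures[username] = (count + 1, now)
    return False, GENERIC_ERROR


def lockout_demo(start: float = 1_000_000.0) -> tuple:
    """Five wrong guesses, then the right password during and after the lockout window."""
    for i in range(MAX_FAILURES):
        login_hardened("alice", f"guess{i}", now=start + i)
    during = login_hardened("alice", "correct horse battery staple", now=start + 10)[0]
    after = login_hardened("alice", "correct horse battery staple", now=start + 10 + LOCKOUT_SECONDS)[0]
    return during, after


if __name__ == "__main__":
    print(login_verbose("mallory", "x"), login_verbose("alice", "x"))
    print(login_hardened("mallory", "x"), login_hardened("alice", "x"))   # indistinguishable
    print(lockout_demo())   # (False, True): refused while locked, accepted once the lockout expires
```

The caveat a practitioner would add: a lockout keyed only on the username lets an attacker lock legitimate users out on purpose, so real systems combine it with per-source throttling, progressive delays and a notification to the account owner rather than relying on the counter alone.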

So, what are the alternatives?

Well, biometric systems like fingerprint scanners can work well. However, enough resources and incentive can crack any security — and accidents happen. That’s when the flaws appear. Unlike passwords, biometric data can’t be changed quickly to restore security. It’s also an inherent part of our identity. This can give hackers — and agencies who validate such data remotely — significant control over our identity.

“Social logins” are now also common. These let sites ask an “Identity Provider” like a social media platform to confirm your identity. Your login to the Identity Provider is normally encrypted in transit. However, “social engineering” attacks like phishing (a fake login page that simply captures what you type) bypass that protection entirely, and one stolen login then opens every site that trusts that provider. So, these systems can be easier to hack than password managers.

A better option, favoured by Google and others, is “Two-factor authentication” (2FA). This usually combines something you know (a PIN or password) with something you own. For example, a bank card, a key or short-range RFID device, or a mobile phone that generates or receives a short-lived “one-time password”. This extra step may seem redundant, but you’ll be glad of it if someone cracks or phishes your password.

Conclusion

Password managers make strong password security easy enough to use even in low-risk situations. If you can’t do that, at least use a mixed-up pass phrase, with 2FA when available.

This article is part of a cybersecurity series that began here. Don’t miss the next part! Use the form in the sidebar to subscribe to email alerts for new articles.