Online security FAQs: setting a strong password

28th April, 2016

Think of your password as the metaphorical ‘key’ to unlocking your online ‘front door’ – you don’t want to be handing it out to just anybody.

You’ve probably heard this before, but it bears repeating – there are two important tips when it comes to passwords:

  • DO choose one that is impossible for others to guess
  • DON’T use the same one on every service

The first one seems obvious, but it’s more than just refraining from using pets’ names or birthday/anniversaries.

Disclaimer: This information is intended to be general in nature. For information that is customised to your business circumstances, please seek specialist advice. 

Password hashing

Well-run websites do not store your password itself. They store a hash of it: the password is put through a one-way function that turns it into a fixed-length, unreadable string of characters, and there is no practical way to turn that string back into the password. This is often loosely called “encryption”, but encryption is reversible with a key; password storage must not be.

To authenticate your login, the site simply runs your submitted password through the same one-way function and compares the result with the stored hash. Recovering a password from its hash is far harder than that check: it can only be done by guessing passwords and hashing each guess. How expensive each guess is depends on the site’s choices. A fast, unsalted hash such as MD5 or SHA-1 makes guessing cheap; a slow, salted, purpose-built function (bcrypt, scrypt, Argon2 or PBKDF2 with a high work factor) makes every guess costly. So the attacker’s task ranges from “quick” to “nearly impossible” – but no storage scheme protects a password that is itself easy to guess.
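The storage and check just described, as an added example that is not code from the original article or from MYOB. It uses Python’s standard library only: PBKDF2-HMAC-SHA256 with a per-password random salt and a high iteration count for the good case, a constant-time comparison for the check, and unsalted MD5 alongside it to show the weak case. The record format (algorithm$iterations$salt$hash) and the iteration count are this example’s own choices, not a standard.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (an assumed value for this example). It slows the
# attacker's guesses by the same factor it slows a legitimate login; tune it so a login
# costs on the order of 100 ms on your hardware and raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash in hex)."""
    salt = os.urandom(16)  # unique per password; stored beside the hash, never secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the same one-way process with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:          # malformed record: refuse rather than guess
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched through timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The weak way many breached sites used: fast and unsalted, so two users with the
    same password get the same hash and one precomputed table cracks all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print("right password accepted:", verify_password("correct horse battery", record))
    print("wrong password rejected:", not verify_password("correct horse batery", record))
    # Same password, two users: the salted records differ, the MD5 hashes do not.
    print(hash_password("Password123") != hash_password("Password123"))
    print(unsalted_md5("Password123") == unsalted_md5("Password123"))
```

Two details carry the security: the salt, which means an attacker must re-do the guessing work for every account rather than once for the whole list, and the iteration count, which makes each of those guesses hundreds of thousands of times dearer than a bare MD5.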

If a web server is compromised, the table of stored password hashes can be copied off it. Widely available cracking tools (John the Ripper and hashcat are the best known) exist to help attackers recover passwords from stolen hash lists. They start with huge lists of commonly used passwords, including the millions recovered from earlier breaches (“Password123” isn’t as clever as it used to be…), and add:

  • Entire dictionaries (from multiple languages)
  • Massive lists of proper names (of humans, animals, even sports teams)
  • TV show, song and movie titles
  • And so on…

What’s more, the cracking tools apply “rules” that automatically try combinations and variations – capitals/lowercase, plurals, letter-for-symbol substitutions, numbers, years or symbols added before and after the words, and so on. They can afford to because, against a fast unsalted hash such as MD5 or SHA-1, a single modern graphics card can test billions of guesses per second against a stolen list. Against a slow, salted hash the rate drops to thousands per second, which is exactly why sites should use one – but you cannot know which kind a given site uses, so assume the worst.


Password creation and length

This is why many online sites these days require a mix of upper and lowercase, and/or numbers and symbols, in your password. A larger character set multiplies the number of possible passwords the cracking tools have to try. And if there are no real words or common patterns in your password at all, the rules find nothing and the attacker has to settle for brute force – AAAAA, AAAAB, AAAAC, and so on, through every combination.

Here’s where the other factor comes into play – length. No matter how mixed up your password is, if it’s too short the whole search space can be exhausted quickly. (Remember, they can test billions of guesses per second.) Every extra character multiplies the search space by the size of the character set, roughly 95 for everything on a standard keyboard. These days, six- or seven-character passwords are all but pointless. Even eight characters is pretty minimal: 95 to the power of 8 is about 6.6 quadrillion combinations, roughly a week’s work at ten billion guesses per second.

Ten characters is suggested as a minimum length (95 to the power of 10 is about 6 × 10^19, a couple of centuries at the same rate), and you’ll want to add at least one character every year or so in future, as computer chips get ever faster and the cost of each guess keeps falling.
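A toy version of the rule-based cracking described in the previous section, and the length arithmetic from this one, as an added example that is not code from the original article or from MYOB. The “stolen” list is constructed inline and uses unsalted MD5, the weak storage that makes billions of guesses per second possible; the word list and rule set are tiny stand-ins for the multi-million-entry lists and rule files real tools such as hashcat ship with. Every password in the list is invented for this example.

```python
import hashlib

# Constructed "stolen" table: username -> unsalted MD5 of the password. The first three
# passwords were chosen to be reachable by the rules below; the last is random-looking
# and no rule will hit it, so it survives the dictionary attack.
STOLEN_HASHES = {
    "alice": hashlib.md5(b"Password123").hexdigest(),
    "bob": hashlib.md5(b"dragons!").hexdigest(),
    "carol": hashlib.md5(b"Tigers2015").hexdigest(),
    "dave": hashlib.md5(b"x7#Qm9!zL2").hexdigest(),
}

# A stand-in for the huge dictionaries, name lists and breach corpora real tools use.
WORDLIST = ["password", "dragon", "tiger", "letmein", "monkey", "qwerty"]


def case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def plural_variants(word):
    return {word, word + "s"}


def suffixes():
    """The 'add numbers or symbols after the word' rule: digits, years, then symbols."""
    yield ""
    for n in range(1000):             # 0 .. 999
        yield str(n)
    for year in range(1970, 2030):    # birth years, anniversaries, "this year"
        yield str(year)
    for sym in ("!", "#", "!!", "#1", "!1"):
        yield sym


def candidates(wordlist):
    """Generate mangled guesses the way rule-based crackers do: case, plural, suffix."""
    for word in wordlist:
        for base in case_variants(word):
            for stem in plural_variants(base):
                for suffix in suffixes():
                    yield stem + suffix


def crack(stolen, wordlist=WORDLIST):
    """Return {username: recovered_password} for every stolen hash a candidate matches.

    Because the hashes are unsalted, one hash computation per guess tests every account
    at once; a salt would force the whole loop to be repeated per account."""
    targets = {}
    for user, h in stolen.items():
        targets.setdefault(h, []).append(user)
    found = {}
    for guess in candidates(wordlist):
        h = hashlib.md5(guess.encode("utf-8")).hexdigest()
        if h in targets:
            for user in targets.pop(h):
                found[user] = guess
        if not targets:
            break
    return found


def brute_force_seconds(length, alphabet_size=95, guesses_per_second=1e10):
    """Worst-case time to exhaust every string of this length over the alphabet.

    The default rate (an assumed figure) is a single fast GPU against unsalted MD5."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    total = sum(1 for _ in candidates(WORDLIST))
    print(f"{len(crack(STOLEN_HASHES))} of {len(STOLEN_HASHES)} accounts cracked "
          f"with at most {total} guesses: {crack(STOLEN_HASHES)}")
    for n in (6, 8, 10, 12):
        print(f"brute force, {n} chars: {brute_force_seconds(n) / 86400:.1f} days")
```

The point the toy makes is the same one the article makes: “Password123”, “dragons!” and “Tigers2015” look different to a human and fall to a few tens of thousands of guesses, while the random ten-character password is untouched by the rules and costs a couple of centuries of brute force even at ten billion guesses per second.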

Varying passwords

So now you have a password that looks as if an animal walked across your keyboard, and it’s 10 or more characters in length. If, like many people, you use the same password across multiple systems because different ones are too hard to remember, there are good reasons to vary them.

Sure, banks and other businesses which handle money invest heavily in security and are harder targets than most. But if you use the same password for your bank as you do for other sites, suddenly your bank account is only as safe as the weakest protection on all those other sites. Attackers routinely take the username/password pairs leaked from one breach and try them against other services (a practice known as credential stuffing), precisely because reuse is so common.

Password management

How do you manage all these near-random passwords?

Here are two suggestions:

  • Password management tools exist which can store passwords for you. With one master password you can activate the tool, which will then recognise which website you’re trying to log into and enter the password you’ve stored for that account. I’ve known many people who swear by these tools, though I haven’t used any and can’t recommend a particular product. Just do a web search for “password management software” and read a few reviews, if you’re interested. One feature to look for is cross-platform compatibility – make sure the tool offers versions supporting all desktop and mobile operating systems you use.
  • Use a passphrase initialism system. Think of a phrase that is meaningful to you, and use the first letters of each word. For example, “It’s always darkest before the dawn” can become “IADBTD”. To this, you can then add an abbreviation of the name of the website in question to make it distinct for each account, and then toss in some symbols. With this scheme, a 10-character eBay password might be “IADBTDeb##” – but you should come up with your own variation on this, of course! Be aware of the trade-off: if one site stores passwords badly and yours leaks in plain text, the site-specific part is easy to spot and the rest of your scheme is exposed for every other account, which is the main reason the first option is preferred.
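What the “generate” button in a password manager does under the hood, as an added example that is not code from the original article, from MYOB or from any particular product. It draws from Python’s `secrets` module (the operating system’s cryptographic random source, not the `random` module, which is predictable) and puts a number on “near-random” by computing the entropy in bits. The word list is a constructed sixteen-word stand-in; a real passphrase list has thousands of words, and the 7776-word figure used below is the size of the common diceware list.

```python
import math
import secrets
import string

# Every printable keyboard character: 52 letters + 10 digits + 32 symbols = 94.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in word list. A real list (e.g. diceware, 7776 words) gives far
# more entropy per word; the arithmetic below shows how much.
WORDS = ["correct", "horse", "battery", "staple", "ocean", "violet", "lantern", "marble",
         "quartz", "saddle", "thimble", "walrus", "anvil", "brisket", "cobalt", "dahlia"]


def random_password(length=16, alphabet=PRINTABLE):
    """A uniformly random string, the kind a manager stores for you. Refuses the
    lengths the article calls pointless."""
    if length < 10:
        raise ValueError("ten characters is the minimum; use more")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=5, words=WORDS, sep="-"):
    """Several random dictionary words: long, typeable on a phone, and safe against
    the rule-based attacks in the article precisely because the words are random."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, picks):
    """Bits of entropy for `picks` independent uniform choices out of `choices`
    (log2 of the search space); what 'near-random' means as a number."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(random_password(16), f"({entropy_bits(len(PRINTABLE), 16):.1f} bits)")
    print(random_passphrase(5), f"({entropy_bits(len(WORDS), 5):.1f} bits from this toy list)")
    print(f"five words from a 7776-word list: {entropy_bits(7776, 5):.1f} bits")
    print(f"ten characters, full keyboard:   {entropy_bits(len(PRINTABLE), 10):.1f} bits")
```

Two things worth noticing in the numbers: a 16-character password over the full keyboard is about 105 bits, and five words from a 7776-word list about 65 bits, which is still more than the 10-character keyboard password the article suggests as a minimum (about 66 bits) only if the words really are chosen at random, not by you.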

Here’s another tip I’ve had to learn the hard way – when coming up with your password scheme, check whether it’s easy to type on mobile keyboards. One I used to use was very quick to dash off on a desktop or laptop keyboard, but was a real struggle on a mobile phone.

It’s a good idea to change passwords periodically. Annually is a good guide in most cases, unless you work in a corporate environment which mandates a more frequent schedule. Change a password immediately, rather than waiting for the schedule, if the service reports a breach or you have any reason to think it has been exposed.

Do NOT keep a written list of your passwords at home or at work. That’s about as smart as writing your PIN on the back of your credit card (yet I’ve seen people with university degrees who write their password on a sticky note and keep it on their monitor, in full view of the front window).

It’s not a bad idea to keep a list of the sites on which you maintain accounts, so that when it comes time to change passwords you won’t overlook any. And it’s definitely worth taking a few minutes each year to go through and update them.

One last point – unless you work alone, it’s a good idea to establish a written password policy for your office. It doesn’t have to be written to a specific format, or to any particular standard. Search for one online and adapt it to your needs, communicate the policy to your team and make it a part of your induction process for new staff. Check in regularly to make sure it’s being followed.

Keeping your business information safe and protected is vital. That’s why MYOB uses industry best-practice security protocols to keep your data safe, secure and private. Read about MYOB’s Security Commitment.