This week saw a surprising announcement. The person who told the world back in 2003 that we needed complex passwords, changed every 90 days, has admitted he was wrong. Bill Burr, the author of that 2003 NIST guidance, now says he was barking up the wrong tree. He is not alone. The head of the UK’s National Cyber Security Centre (NCSC), the part of GCHQ that publishes its password guidance, agrees. The NCSC reckons that following the old advice would require the typical Internet user to recall 600 digits each month, and that is not something even the top spies are expected to achieve.
Back in 2003, of course, most of us used only a handful of services. There was no Twitter, no Facebook, and Amazon had only just started selling products other than books, CDs and DVDs. The world was a very different place. Now you probably log into dozens of different sites each day and may have several hundred online services that you use from time to time. All of these require passwords. If you follow Bill Burr’s 2003 advice, you need to remember hundreds of unique and complex passwords and replace them every three months. That is beyond our capabilities, unless we happen to be a World Memory Champion.
Is it any wonder that people resort to unsafe practices? Indeed, in my local WHSmith the other day I saw in the stationery section that I could buy a lovely little notebook with the word “Passwords” emblazoned on the front. Fantastic. Just leave that on your desk, and anyone could log into anything on your behalf. But this notebook represents our difficulty with remembering hundreds of complex passwords; we can’t.
That is more of a security problem than we might think. When we realise we can’t remember everything, we take steps to aid our memory: notebooks, sticky notes, or abandoning the complex-password idea altogether and picking something easy to remember every time. The insistence that we all use complex passwords and change them regularly has led to an increase in unsafe practices, largely because it is just too difficult to do what the security “experts” suggest.
There are, though, some options for dealing with your passwords. One is to have a “formula” that makes every password unique and complex but easy to reconstruct. For instance, your formula might be the month of your birth, followed by the first and third characters of the website you are logging into, followed by your first child’s middle name and an exclamation mark. If your month of birth were December you would start with 12; if you were logging into Facebook you would add f and c; and if your child’s middle name were Angela you would type that next. Your Facebook password would be 12fcAngela! and your Twitter password would be 12tiAngela!. This kind of formula produces unique passwords that you can always recall. Its weakness is that the formula is only as secret as the least secure site you use it on. Breached passwords are routinely leaked in plain text, labelled with the site they came from, so an attacker who sees 12fcAngela! next to “facebook” can spot which characters came from the site name and needs only a handful of guesses on Twitter, Amazon or your bank; a second leaked password removes any remaining doubt. The formula also bakes personal details (a birth month, a child’s name) into every password. Treat it as a stop-gap rather than a solution.
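To show how little the attacker needs, here is an added example in Go; it is not code from the article. Given one leaked (site, password) pair, it enumerates every password the victim might be using on another site under the assumption that the formula substitutes site-name characters at fixed positions; this generalises the article’s single formula to any such scheme. The attacker is assumed to know which site the leaked password belongs to, which a breach dump always tells them. `GeneratePassword` is the alternative a password manager offers: each character is drawn independently from the operating system’s random source, so one leak says nothing about any other site.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"sort"
)

// FormulaPassword builds the article's example formula: birth month, the first and third
// characters of the site name, the child's middle name, and an exclamation mark.
func FormulaPassword(site string, birthMonth int, childMiddleName string) string {
	return fmt.Sprintf("%d%c%c%s!", birthMonth, site[0], site[2], childMiddleName)
}

// siteLinks maps each password position to the site-name indexes that hold the same character.
// From a single leak these are the only positions that could be site-dependent.
func siteLinks(site, password string) map[int][]int {
	links := map[int][]int{}
	for p := 0; p < len(password); p++ {
		for i := 0; i < len(site); i++ {
			if password[p] == site[i] {
				links[p] = append(links[p], i)
			}
		}
	}
	return links
}

// Candidates lists the passwords an attacker would try on targetSite after seeing ONE leaked
// (site, password) pair, assuming the victim substitutes site-name characters at fixed positions.
// Each linked position is tried both ways: kept as a constant, or replaced from the target site,
// so k linked positions give at most 2^k guesses (four positions, 16 guesses, for the article's case).
func Candidates(leakedSite, leakedPassword, targetSite string) []string {
	links := siteLinks(leakedSite, leakedPassword)
	positions := make([]int, 0, len(links))
	for p := range links {
		positions = append(positions, p)
	}
	sort.Ints(positions)

	seen := map[string]bool{}
	var walk func(idx int, guess []byte)
	walk = func(idx int, guess []byte) {
		if idx == len(positions) {
			seen[string(guess)] = true
			return
		}
		p := positions[idx]
		walk(idx+1, guess) // hypothesis: this character is part of the fixed secret
		for _, i := range links[p] {
			if i < len(targetSite) {
				next := append([]byte(nil), guess...)
				next[p] = targetSite[i] // hypothesis: it was copied from the site name
				walk(idx+1, next)
			}
		}
	}
	walk(0, []byte(leakedPassword))

	out := make([]string, 0, len(seen))
	for g := range seen {
		out = append(out, g)
	}
	sort.Strings(out)
	return out
}

// Contains reports whether the guess list includes the real password.
func Contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// GeneratePassword is what a password manager produces instead: every character is drawn
// independently from crypto/rand, so nothing about one password carries over to another.
func GeneratePassword(length int) string {
	const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_"
	buf := make([]byte, length)
	for i := range buf {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet)))) // rand.Int avoids modulo bias
		if err != nil {
			panic(err) // a failing system random source is not something to work around
		}
		buf[i] = alphabet[n.Int64()]
	}
	return string(buf)
}

func main() {
	leaked := FormulaPassword("facebook", 12, "Angela") // "12fcAngela!", as in the article
	guesses := Candidates("facebook", leaked, "twitter")
	fmt.Printf("%d guesses for twitter, real password included: %v\n", len(guesses),
		Contains(guesses, FormulaPassword("twitter", 12, "Angela")))
	fmt.Println("manager-generated instead:", GeneratePassword(20))
}
```

Run as-is and it reports sixteen guesses for Twitter with 12tiAngela! among them; a login form that allows a dozen attempts before locking out is enough. A second leak from another site would let the attacker intersect the two candidate sets and land on the exact formula.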
However, the NCSC has a much easier solution, one that means you never have to remember site passwords yet always have complex and unique passwords for every site you visit: use a “password manager” program. There are several available, but two lead the pack on flexibility and security: LastPass and Dashlane. Both have free versions and “premium” versions with additional features. In a recent computer magazine analysis, LastPass won the “gold award” and Dashlane got silver, but the difference was minimal; the only mark against Dashlane was that its premium service is marginally more expensive than LastPass’s. Overall, the analysis and reviews show the two programs are very similar and well ahead of the competing products.
The way these password managers work is simple. When you sign up for a site, the manager generates a long random password for it, and it keeps every password in a single encrypted store (a “vault”) on your device, locked with one master password that you do remember. Whenever you log in to that website or app again, the manager fills in the correct details. You never need to know or remember the individual passwords, and because each one is random, one site being breached tells an attacker nothing about your other logins.
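The mechanism, as an added example rather than code from the article or from LastPass or Dashlane: the master password is stretched with a deliberately slow key derivation function, the derived key encrypts the whole vault with authenticated encryption, and a wrong master password or any tampering with the stored file is rejected outright. The key derivation function (PBKDF2-HMAC-SHA256, written out so that only Go’s standard library is needed), the 600,000-iteration work factor and the AES-256-GCM choice are assumptions for illustration; real products use their own tuned parameters and several now prefer Argon2 or scrypt. The sample vault contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// DefaultIterations is an assumed PBKDF2 work factor; real managers tune it to the device.
const DefaultIterations = 600_000

func HMACSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// PBKDF2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018); the iteration count makes offline guessing slow.
func PBKDF2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		u := HMACSHA256(password, salt, idx[:])
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			u = HMACSHA256(password, u)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Vault is what sits on disk: a random salt, the work factor, and the entries encrypted with
// AES-256-GCM under the derived key. Without the master password it reveals no site password.
type Vault struct {
	Salt       []byte
	Iterations int
	Sealed     []byte // nonce || ciphertext || GCM tag
}

func aeadFor(master string, salt []byte, iterations int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(PBKDF2SHA256([]byte(master), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewVault encrypts a site -> password map under the master password.
func NewVault(master string, entries map[string]string, iterations int) (*Vault, error) {
	random := make([]byte, 16+12) // 16-byte KDF salt and 12-byte GCM nonce, fresh for every vault
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	salt, nonce := random[:16], random[16:]
	aead, err := aeadFor(master, salt, iterations)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	return &Vault{Salt: salt, Iterations: iterations, Sealed: aead.Seal(nonce, nonce, plain, nil)}, nil
}

// Open decrypts the vault. A wrong master password, or any change to the stored bytes, fails
// the GCM tag check, so the caller gets an error rather than plausible-looking garbage.
func (v *Vault) Open(master string) (map[string]string, error) {
	aead, err := aeadFor(master, v.Salt, v.Iterations)
	if err != nil || len(v.Sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("vault unusable")
	}
	ns := aead.NonceSize()
	plain, err := aead.Open(nil, v.Sealed[:ns], v.Sealed[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("wrong master password or tampered vault")
	}
	var entries map[string]string
	err = json.Unmarshal(plain, &entries)
	return entries, err
}

func main() {
	master := "correct horse battery staple" // the one secret the user still has to remember
	v, err := NewVault(master, map[string]string{"twitter.com": "Zq7!v#Kp2mR9wL4s"}, DefaultIterations)
	if err != nil {
		panic(err)
	}
	fmt.Println(v.Open(master))        // the entries and <nil>
	fmt.Println(v.Open("wrong guess")) // an empty map and an error
}
```

Two things in this layout are what make “the passwords are encrypted” mean something: the salt and slow KDF force anyone who steals the vault file to spend that work factor on every master-password guess, and the GCM tag means a corrupted or edited vault is refused rather than decrypted to nonsense. Everything still rests on the master password, which is why it must be long and used nowhere else.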
Both of these programs also offer you advice on your current passwords, suggesting which ones may be compromised and pointing out weaknesses. The programs can change your passwords automatically for you, by logging into those websites with weak passwords and changing them to highly complex ones that you never need to know.
The advice from the NCSC is to get a password manager so that you never have to worry about passwords again. The software does it all for you, and your logins end up better protected than they are now: the passwords are longer and random, and you have no reason to write them down or leave reminders anywhere. The stored passwords are encrypted, so no-one can simply read them, unlike a notebook with “Passwords” on the front cover…! The one password you still have to choose well is the master password that unlocks the vault: make it long, use it nowhere else, and turn on the manager’s two-factor login if it offers one.
These days it makes no sense to try to remember hundreds of passwords, and every sense to let a program do that job for you. It will make your systems safer. And remember, when GDPR comes into force in May 2018 you will need to be able to show that you have appropriate security measures in place. Sorting out your passwords is a step in the right direction.