
Making stronger passwords
By Charles Mabbett
5 July 2016


If ‘open sesame’ was a password, just remember how in the tale of Ali Baba it didn’t work out so well for the 40 thieves and their treasure trove. Consider then how well an easy-to-guess password will protect yours.

From the annual ‘worst password’ rankings that come around, ‘123456’ and ‘password’ are two that often top the lists - for five years in a row, according to one survey!

From the results, it seems not enough people are putting a high enough value on their personal information or even aware of the dangers of slack password protection. Common sense tells us that if a password is a padlock, a stainless steel one must surely be better than a flimsy plastic one.

Creating and using a strong password is a privacy-enhancing response to the many threats that abound on the internet. Identity theft, for example, is a very real danger and one of the ways it can come about is through compromised online accounts, emails or electronic devices.

This PC Mag article advises people to think of passwords as being like underwear. You should change them often. Don't share them. Don't leave them out for others to see.

How do you know if you’ve got a strong password? There are the usual elements of mixing capital letters with numbers and symbols, but if you want to be doubly sure, there are simple stress or strength tests that help you identify whether a password is poor, reasonable, or strong.

Here’s one tool that we came across, and the really helpful thing is that its creator, Tyler Akins, has made the software open source and available for anyone wanting to use it on their websites. And if you also want ways of coming up with a tough password, there’s an automatic password generator to help you.
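As an added illustration (not the tool linked above, nor Tyler Akins's code), here is a minimal Python strength rater that applies the article's three bands using a character-pool entropy estimate, checks against a small constructed worst-password list, and pairs it with a generator that draws from the operating system's CSPRNG:

```python
import math
import secrets
import string

# Constructed sample of entries from the "worst password" rankings the article
# mentions; a real checker would load a much larger breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein"}

# Standard character pools and their sizes.
POOLS = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
]


def charset_size(password: str) -> int:
    """Size of the combined pool an attacker must search, given which pools appear."""
    size = sum(n for chars, n in POOLS if any(c in chars for c in password))
    # Characters outside the four pools (spaces, non-ASCII) each count as one extra symbol.
    extra = {c for c in password if not any(c in chars for chars, _ in POOLS)}
    return size + len(extra)


def entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy, assuming every character was picked uniformly."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def rate(password: str) -> str:
    """Classify as poor / reasonable / strong, the three bands the article uses."""
    if password.lower() in COMMON_PASSWORDS:
        return "poor"  # on a worst-password list: guessed first, whatever its mix
    bits = entropy_bits(password)
    if bits < 40:
        return "poor"
    if bits < 64:
        return "reasonable"
    return "strong"


def generate(length: int = 16, alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random password from a CSPRNG, the kind of generator the article points to."""
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Note that the entropy estimate is an upper bound: a dictionary word with one digit swapped scores far higher than it deserves, which is why the common-list check runs first.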

Some browsers, like Safari, generate random passwords. Another type of password product is Dashlane which allows users to manage and store multiple different passwords.

Maybe you have a favourite password checker or password manager? If so, let us know.

Image credit: Incredible Hulk by ABlackInkArtist.


Comments

  • Humans are incredibly bad at passwords, to quote xkcd (https://xkcd.com/936/) "Through 20 years of effort, we have successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess".

    For many, many years now I have relied exclusively on a Password Safe to generate complex random unique passwords for every system I use that requires them. It means I now only know 3 passwords:
    1) to unlock my phone;
    2) to unlock my PC; and
    3) to open my password safe.

    All other passwords, for everything from Twitter, to online banking, to network admin accounts are stored in the password safe, and are 16+ characters long (my personal default is 32, but frequently has to be adjusted for particular sites with bad policies) and completely random/unique mix of letters, numbers, upper case, symbols etc.

    The particular password safe I use is from https://pwsafe.org/, primarily because it's open source, cross-platform compatible (Ubuntu, OSX, Windows, Android, iOS personally tested), and uses 256-bit Twofish encryption. This means that it's nice and secure, runs on any of my devices wherever I am, and (in theory at least) has had numerous sets of more qualified eyes than mine run over it to check for security flaws. As a bonus, it also runs in a "disk-on-key" environment, meaning I don't need admin rights on any PC to install/use/access the safe.

    I save this encrypted safe into my Dropbox account, which then synchronises to my phone, tablet & PC, allowing me access to my sites wherever I am at the time, and keeps my copies up to date between work, home, and commute versions. And because it's a locally encrypted file, leaks of files from Dropbox are not the end of the world.

    In order to safeguard the integrity of the password safe, I followed the advice in the xkcd comic #936 linked at the start, and chose a password that was in fact a sequence of four passwords that I was cycling between before going "all-in" on the unique front.

    As CTO, I ensure that my IT department all follow the same process for their own passwords within the organisation, and provide frequent security presentations to all staff in the company where I recommend the above procedure as a quick & easy way to avoid being the weakest member of the herd & using the "123456" scenario.

    Posted by Phil Tanner, 05/07/2016 11:55am (18 months ago)


    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

  • Great post, I agree password managers are low hanging fruit that can dramatically improve the security posture of most individuals.

    Personally I use 1Password which has worked well for me across multiple devices. I also like that the passwords are stored in an encrypted database on my devices rather than centrally in the cloud.

    LastPass is another popular option but they store passwords centrally in the cloud and therefore make themselves a target for hackers. Incidentally they were hacked in 2015 so I'd recommend avoiding providers that adopt a central storage model.

    Posted by Rich Chetwynd, 05/07/2016 1:54pm (18 months ago)
