Passwords: top tips for making yours stronger

GCHQ has released a report on password policy which aims to “reduce workload on users, lessen the support burden on IT departments and combat the false sense of security that unnecessarily complex passwords can encourage”. We take a look at some of their top suggestions…

GCHQ claim that the increase in password use is mostly due to the surge of online services, including those provided by government and the wider public sector. This proliferation of passwords, and increasingly complex password requirements, places an unrealistic demand on most users. As the report puts it, users inevitably devise their own coping mechanisms for ‘password overload’, including writing down passwords, re-using the same password across different systems, or using simple and predictable password creation strategies.

Attackers use a variety of techniques to discover passwords, which include: manual password guessing (using personal information such as date of birth, or pet names); intercepting passwords via emails and messages; ‘shoulder surfing’ (observing someone typing their password at their desk); installing keylogger software to intercept passwords when they are entered into a device; finding passwords which have been stored insecurely – to name but a few. The report, Password Guidance: Simplifying your approach, is free to download from and makes seven key recommendations, among them:

1) The strongest passwords are made from four random words from the dictionary

Apparently, ‘marmoset-belgium-peanut-solstice’ would make a good password because it is easy to recall but difficult to guess.

2) Ditch complex passwords

A Bletchley Park-style jumble of letters, numbers and special characters can be too demanding and counter-productive.
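To put numbers behind points 1 and 2, the following added example (not from the GCHQ report or this article) generates a four-word passphrase with a CSPRNG and compares its entropy against an eight-character "jumble" drawn from all 94 printable ASCII characters. The tiny wordlist is constructed for illustration; the 7,776-word size used in the comparison is the Diceware list size and is an assumption about what a real generator would use.

```python
import math
import secrets

# Constructed demo wordlist; a real generator would use a list of several
# thousand words (the classic Diceware list has 7,776).
DEMO_WORDS = ["marmoset", "belgium", "peanut", "solstice",
              "anchor", "river", "copper", "window"]


def generate_passphrase(words, count=4, sep="-"):
    """Join `count` words chosen uniformly at random, using the OS CSPRNG
    (secrets) rather than the predictable `random` module."""
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(set(words)) < 2:
        raise ValueError("wordlist must contain at least two distinct words")
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count=4):
    """Entropy of `count` independent draws (with replacement) from a list."""
    return count * math.log2(wordlist_size)


def charset_entropy_bits(charset_size, length):
    """Entropy of a `length`-character string drawn uniformly from a charset."""
    return length * math.log2(charset_size)


def compare_strength(wordlist_size=7776, words=4, charset_size=94, length=8):
    """Bits of entropy for a four-word passphrase versus an 8-character jumble
    of letters, digits and symbols, plus the expected number of guesses an
    exhaustive search needs for each (half the keyspace on average)."""
    phrase_bits = passphrase_entropy_bits(wordlist_size, words)
    jumble_bits = charset_entropy_bits(charset_size, length)
    return {
        "passphrase_bits": round(phrase_bits, 1),
        "jumble_bits": round(jumble_bits, 1),
        "passphrase_expected_guesses": 2 ** (phrase_bits - 1),
        "jumble_expected_guesses": 2 ** (jumble_bits - 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS))
    print(compare_strength())
```

The comparison shows the two are within a bit of each other in strength, yet only one of them is something a user can reliably remember without writing it down.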

3) Use password managers

Despite noting that “like any piece of security software, they are not impregnable and are an attractive target”, the report says password management software (or even secure cabinets) provides a ‘sanctioned mechanism’ to “help users manage passwords”.

4) Implement “two-factor authentication” for all remote accounts

Staff with remote logins should have to pass higher levels of security, such as a “two-factor authentication” to prove their identity.

5) Never use the same password for home and work

Users should understand that work passwords exist to protect important assets; re-using passwords between work and home compromises this security.

6) Use account lockout, throttling or monitoring to help prevent brute force attacks

Account lockout (a user has a limited number of attempts to enter their password), throttling (a time delay between successive login attempts) and protective monitoring (detecting malicious behaviour) are all recommended in the GCHQ report.

7) Change all default passwords before devices or software are deployed

Obvious, maybe, but a rule many companies still fail to obey.

About author

Alexander Parker

Alexander Parker

Alexander Parker is a freelance writer and filmmaker.