We occasionally get complaints about how our website forces people to choose complex passwords.
But our website holds thousands of peoples personal details, and the security of that data may be only as good as your password choice.
Weak passwords are the most common source of data breaches that place you in a position of being open to identity theft, leading to enormous upheaval, distress and possible financial loss.
Using a password that is simple in complexity leaves your personal information vulnerable. Simple passwords are figured out with minimal effort by hackers. The following recommendations will help to keep you protected from the most common password security mistakes.
Safe Ministry Training passwords should follow these simple recommendations to increase complexity.
- Use uppercase and lowercase letters, numbers and special characters (#, &, *, etc.)
- 12 or more characters, (the minimum character count suggestion by most security experts)
- Refrain from using the same password across multiple sites, apps, and accounts.
But sticking to those rules is not enough – it also matters how you implement them.
An example of a bad password that actually uses the rules above would be: Pa55word1234!
That has upper and lowercase letters, numbers and a punctuation character… But it is a weak password that would be easily guessed by hackers,
An example of a good password that meets all the above recommendations could be: tallTrees4Me$.
For some people a variation on the above might be choose three or more random words that are meaningful to you. eg: correcthorsebatterystaple
Using all of these recommendations and thinking about how to use them helps to prevent basic brute force attacks. These attacks continually try combinations of letters, numbers, capitals, and special characters and are the most common form of attack against websites. The Safe Ministry Training site experiences targeted brute force attacks a couple of times each month.
The best password solution
The best way to manage complex password that are only used in one place is a password manager.
This is software that you install in your web browser and on your phone/tablet. You choose one really strong password that you use to access the manager’s ‘vault’ and from then on, you let the software handle things.
The software will securely store your passwords in an encrypted form in the cloud and when you land on the log in page for a website, the software will offer to fill in your credentials for you. – reliably and safely.
Because you don’t need to remember individual passwords, you can allow the software to create long complex passwords that are virtually unbreakable. For example: $ar8dtLhQiTq$aA!n3p&%JSku
This author has over 650 unique passwords stored in my password manager – and I only need to remember one of them.
There are many password managers around. Most are pay-for products like LastPass and 1Password.
This author uses a free password manager called Bitwarden and has over 600 different passwords used in different contexts stored in the system
Thinking more broadly:
Top 7 things NOT to include or do with your password:
1. Do not write it on or around your keyboard.
It may be easy or convenient for you to remember your passwords if they are written down. If they are under your keyboard, it opens the possibility of a breach in your security.
2. Do not use the same password across multiple web sites.
It may seem logical to use the same password across all devices, applications and sites. As far as password security goes, this is a bad practice. If someone were able to crack your password, it means that they would be able to access all your accounts.
3. Do not email your password (even if it is to yourself).
You should never email your password even to yourself as a reminder. Emailing your password to anyone is poor practice. There are a lot of email scams around that attempt to have you email sensitive information to them. Hackers send emails out to the masses with the hopes of getting a handful of legitimate responses. This is why Safe Ministry Training will not reset your password for you and then email it to you.
4. Do not use common words in your password.
Brute force attacks often use random combinations of words, special characters and numbers. They attempt to gain access to systems by trying as many combinations as possible as fast as possible. If you still want to use common words it is okay, but place some sort of variation to it. Use camel casing such as (tallTrees4Me$). Do not capitalize the first letter of the first word, only the first letter of subsequent words. Another variation is to replace some letters with numbers (ta11Tr33s4M3$) which increases password security even more.
5. Do not use your Birth-date, either written or numerical.
Changing your password to December241974, Dec241974 or 12241974 would be a poor choice. In this day and age it is not difficult to find out a person’s birthday. Hackers will use many resources to find it out. Government agencies have sites where you can look up court cases, birth certificates, marriage and divorce documents. Also offered are other documents which list date of birth as part of public records. Once your date of birth is found, it would only take a few guesses before being able to gain access. The same goes for any milestone dates (anniversaries, children’s birthdays).
6. Do not use your children, significant others, or family member’s names.
Using passwords such as “ILoveHeather” or “MyBoyAustin” is just as easy to guess. With the readily available transparency of social media profiles, they can research and discover family members names. As above, any identifying information related to you, your family and children is a poor choice.
7. Do not use identifying numbers (Medicare, Employee Number, Birthdate)
Some more information in regards to identifying information as passwords, social security numbers such as your Medicare number, are always a bad choice. Such numbers are a key part of opening bank accounts, financial accounts, government benefits, loans and the like. The intruder would now have an account of yours under their control and could start fraudulent accounts.