Are you one of the many people who use the same password for every login you need? Do you have all your passwords on post-it notes around your computer screen? Perhaps you bought a lovely shiny notebook to store them in that sits on the desk where you can find it easily.

All of these habits are potential risks to your business, because they make unauthorised access to the business systems that store personal data easier. That risks a data breach, leading to reputational damage or financial loss if an investigation by the ICO finds negligence and you incur a fine.

Passwords can be difficult to create, remember and manage without duplicating them or falling back on easily guessed details such as names, dates of birth and so on.

What is the recommended best practice?

Use Long Phrases

The standard advice has always been to create passwords of a minimum number of characters, using a mix of numbers, lower- and upper-case letters and special characters. This often leads to passwords such as Ch0c0lat3, which are easily identified by attackers determined to access your files, systems or bank account, because they are still a single dictionary word with predictable substitutions. Phrases such as “donkey electricity cruise flowerpot” have proven to be far more difficult to crack.

Change your password

Some systems, often in a corporate environment, will have an automatic periodic password change prompt set up. What often happens is that the old password is reused with a small change, from password1 to password2 to password3 and so on, which is easily identified and cracked. Some systems have policies that prevent password reuse. If your system doesn’t flag duplicates, best practice is to create a completely new password every time. Updating your passwords quarterly is the industry recommended standard.

Don’t use easily recognisable passwords

Avoid using recognisable words such as password, your name or other dictionary words, as these can easily be cracked. Attackers use software to repeatedly guess passwords by trying millions of combinations of letters – a method called a dictionary attack.
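As an added illustration, not part of the original post, the script below shows why the passphrase from the “Use Long Phrases” section beats Ch0c0lat3 and why the dictionary words warned about here are weak: it estimates each secret’s strength first as if an attacker had to try every character combination, then as an attacker actually works, trying dictionary words with common substitutions first. The tiny word list, the assumed 100,000-entry real dictionary, the 16 substitution rules and the 7776-word phrase list are all my assumptions.

```python
import math
import re

# Constructed stand-in for a real cracking dictionary (assumption: the real
# list an attacker uses has roughly 100k entries, which the estimate uses).
DICTIONARY = {"password", "chocolate", "donkey", "electricity", "cruise",
              "flowerpot", "welcome", "summer"}
REAL_DICTIONARY_SIZE = 100_000   # assumed size of an attacker's word list
MANGLE_RULES = 16                # assumed number of common substitution rules
DICEWARE_WORDS = 7776            # words in a standard diceware phrase list

# Common letter/digit swaps, undone so that Ch0c0lat3 reads as chocolate.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

def charset_size(secret):
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if re.search(r"[a-z]", secret): size += 26
    if re.search(r"[A-Z]", secret): size += 26
    if re.search(r"[0-9]", secret): size += 10
    if re.search(r"[^A-Za-z0-9]", secret): size += 33
    return size

def naive_bits(secret):
    """Strength in bits if every character had been chosen at random."""
    return round(len(secret) * math.log2(charset_size(secret)), 1)

def dictionary_hits(secret):
    """Dictionary words the secret reduces to once the usual tricks
    (case, trailing digits, letter/digit substitutions) are undone."""
    base = secret.lower()
    stripped = re.sub(r"\d+$", "", base)          # password1 -> password
    candidates = {base, base.translate(LEET_MAP),
                  stripped, stripped.translate(LEET_MAP)}
    return sorted(c for c in candidates if c in DICTIONARY)

def estimated_bits(secret):
    """Realistic strength as (bits, reason), given how attackers guess."""
    words = secret.split()
    if len(words) > 1:   # passphrase: each word is one pick from the list
        return round(len(words) * math.log2(DICEWARE_WORDS), 1), "passphrase"
    hits = dictionary_hits(secret)
    if hits:             # one dictionary entry plus one mangling rule
        bits = math.log2(REAL_DICTIONARY_SIZE) + math.log2(MANGLE_RULES)
        return round(bits, 1), f"dictionary word '{hits[0]}'"
    return naive_bits(secret), "random characters"

if __name__ == "__main__":
    for s in ("Ch0c0lat3", "password1", "donkey electricity cruise flowerpot"):
        print(f"{s!r}: naive {naive_bits(s)} bits, realistic {estimated_bits(s)}")
```

Ch0c0lat3 looks like 53.6 bits if judged by character mix but is worth about 20.6 bits against a dictionary attack, while the four-word phrase holds roughly 51.7 bits even when the attacker knows the word list.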

Use dual authentication

It is now commonplace to be given a small device or app that generates a one-time code for accessing online banking and making transactions such as transferring money, paying bills or creating new payees. Dual authentication is used in addition to the standard username and password credentials to control access to your system. Where a system offers this layer of protection, it is advisable to set it up. I use Google Authenticator for my dual authentication; however, there are a number available.