Sam Vesey 25th April 2019 Advice, Cyber Security 6 Minute

"What do you mean my password is incorrect!? I'm sure that's my password. Really, I have to reset it, again!"

- Me, every 3 months...

Let's face it, we've all been there and worn the t-shirt. With the amount of passwords that we all have to remember now, it's a wonder there's any room left for anything else.

But, joking aside, it's important to remember that all of this comes with an important caveat. Your password is all that separates malicious users and you when it comes to accessing company resources, so think carefully about what you use and why.

With that warning out of the way, we can move onto the nitty gritty of passwords. We've assembled the advice we typically give clients below.

The best place to start - The Basics

This may seem obvious to most so apologies if we're teaching you to such eggs. When you access any resource, you typically provide two pieces of information. To identify who you are, you use your username and, as you're the only person who knows your password, your password to prove it. Thus, one form of authentication is used, passwords (this is relevant later on).

When to change your password

So, originally the advice from the National Cyber Security Center (NCSC from here on in) was to reset your password every 90 days. Problem with that is now that we access 100s of services from our computers, this is typically impossible and creates issues like listed earlier. The NCSCs advice now is, you only need to change your password if you have reason to believe it's been compromised.  Your IT provider will be able to notify you of unauthorised attempts.

Get notified if your password is exposed

Troy Hunt has created an awesome free tool called Have I Been Pwned. You can use the tool to check if your password has been lost in a major data breach, think; TalkTalk, Adobe, Dropbox, etc...

If you're an IT co-ordinator or administrator you can also get domain wide notifications, for example any email accounts under Pretty handy!

Consider increasing the factors

We touched upon authentication factors at the start of this post and I promised we'd come back to it, so here it is. Your traditional login process is a one factor process, but if you can increase the amount of verification provided then the authenticating party can be even more certain you truly are who you say you are. 

Passwords fit the category of "something you know", as a starting point it's a good idea to include a "something you have" factor. Think RSA token, or SmartPhone app. For best products that work with typical SME environments we recommend Duo.

Use the tools availiable to you

If we're honest, you probably already know about this one, otherwise the amount of password resets raining down on you would be crippling!

But, there are loads of password managers to help you keep track. Our favourite is KeePass, but you could also look at; LastPass, OneLogin, 1Password and for more detail check out Cnet's article.

Tips for creating passwords

When it comes to passwords, length is absolutely key. Our standard advice follows three random words conjoined, with numbers as a special character;


Or our personal favourite, a song lyric with random first letter capitalisation;


(n.b. any budding hackers out there, none of our passwords follow this so don't try :-))

Signing off

I've tried to cover a lot of ground in this post so it's a pretty thin sprinkling of information on each one. If you'd like any more information, do get in touch!

Related posts