14. CyberSecurity: Selecting a secure password

To keep data safe on a networked computer system we must prevent access by anyone who is not authorised to view it. To allow or deny authorisation we need a system of accounts, and we need to be able to identify the user. To log in to an account we frequently use a user name and a password. To make that account more secure we might tie it to an email account and a mobile phone as well. We could also add a fingerprint or voice recognition, or use the iris of the eye as a way of recognising the user.

A good password is a long and unique string of random characters, symbols and numbers: the longer the better. This is easy for a password manager to use, but hard for us to remember. A master password for the password manager could be a string of five completely unrelated words, e.g. "Tulips running snow tea blue". Now think of an image or a story that links them, e.g. visualise some tulips running through snow at tea time with a blue sky. This is one password that you have to memorise, and it only ever gets used as the password for your password manager.

If you only ever have a very few passwords you could use this five unrelated words technique for each of them.

Far too many people use simple passwords that are easy to guess, and many have been exposed by data breaches. If you haven't already done so, visit the website https://haveibeenpwned.com/ and enter each of your email addresses. If your email address is on a breached list, think carefully about what other data might have been revealed. Change your passwords for any account that has been breached, and for any account where you might not have used unique passwords. You might also want to consider using a different email address. For banking and financial websites you might want to use a free secure email address such as one from ProtonMail.

The National Cyber Security Centre (NCSC) has a lot of good advice on passwords at https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere and you can download the list of the commonest passwords. Avoid using any password on this list!

A criminal can easily set a computer to try every one of the 100,000 common passwords. If yours is on this list, change it now!
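The five unrelated words technique and the common-password check described above can both be done by a short script. This is an added example, not part of the original article: the word list and the common-password set are small constructed samples, and the 12-character minimum and the 7776-word list size are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample data (assumptions): a real word list should hold thousands
# of words, and COMMON stands in for the downloaded common-password list.
WORDS = ["tulips", "running", "snow", "tea", "blue", "ladder", "copper", "violin",
         "harbour", "pepper", "window", "gravel", "lantern", "otter", "marble", "thunder"]
COMMON = {"123456", "password", "qwerty", "letmein", "111111"}


def make_passphrase(words, count=5):
    """Pick `count` distinct words with the OS random source, not by hand."""
    unique = sorted(set(words))
    if len(unique) < count:
        raise ValueError("word list is too small")
    return " ".join(secrets.SystemRandom().sample(unique, count))


def entropy_bits(list_size, count=5):
    """Bits of entropy when `count` distinct words are drawn in order."""
    return math.log2(math.perm(list_size, count))


def is_common(password, common=COMMON):
    """True if the password, ignoring case and outer spaces, is on the list."""
    return password.strip().lower() in common


def acceptable(password, common=COMMON, min_length=12):
    """Reject listed passwords and short ones; min_length is an assumed policy."""
    return len(password) >= min_length and not is_common(password, common)


if __name__ == "__main__":
    phrase = make_passphrase(WORDS)
    print(phrase, "->", "ok" if acceptable(phrase) else "rejected")
    # The size of the word list decides how hard the phrase is to guess.
    print(f"16-word sample list: {entropy_bits(16):.1f} bits")
    print(f"7776-word list:      {entropy_bits(7776):.1f} bits")
```

The two entropy figures show why the size of the word list matters: five words from the 16-word sample give about 19 bits, while five words from a 7776-word list give about 64.6 bits.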

Many accounts throughout the Internet use an email address as the user name. HaveIBeenPwned shows that one of my email addresses was found in four separate breaches of databases, and the lost data from spambot may have included my passwords. The big problem is that for the spambot I don't know which accounts might have been compromised.

The data from verifications.io didn't include passwords but could have included other information useful to a hacker. This is a business that provides a verification service for many other sites.

My response to these breaches is to use a different email address and a new unique and random password for each account that used that email address. I have also closed down accounts that I no longer use - after changing their passwords.

If your email account is on the breached list it also makes it much more likely that you will receive phishing emails and spam - another good reason to change to a different email address.