Gamified Intelligent Cyber Aptitude and Skills Training (GICAST)

2.1 How to pick a proper password

This section is part of the amber and green pathways.


Transcript

How to pick a proper password

PAUL DUCKLIN
Hello everybody. I'm Paul Ducklin. And this is a two-minute tutorial on How to pick a proper password.
Number one. Make your passwords hard to guess. The crooks have dictionaries, books, movie scripts, song lyrics, Facebook, Twitter, and much more. So avoid passwords based on nicknames, birthdays, quotations, pets, anything of that sort. And don't forget that easy passwords don't get harder if all you do is add some digits on the end. Password cracking programmes can do that, as well.
Point two. Go as long and complex as you can. Random, eight-letter passwords look pretty tough, with 26 to the power 8 possibilities. That's a whopping 200 billion. But a password cracking service costing less than $20,000, under ideal circumstances, can try out more than 100 billion passwords each second. So mix together uppercase, lowercase, digits, and punctuation.
And aim for 14 characters or even longer. That may look terribly complicated, but you can make up a little saying to help you out. If you don't like that approach, some people take several unusual words and combine them into a meaningless phrase, like the XKCD cartoon's famous correct horse battery staple password. But watch out for words that relate obviously to you. They do need to be unusual.
And Point three. Consider using a password manager. Examples include LastPass, KeePass, and 1Password. Password managers can make up complex, random nonsense for each account, plus they remember which password goes with what website. That also helps protect you from phishing, because you can't put the right password into the wrong page. But do remember, you will need a really good password for the Password Manager itself.
So let's go over the points again. One, make your passwords hard to guess. Two, go as long and complex as you can. Three, consider using a password manager.
And no, we haven't forgotten. Number four. One account, one password. Don't reuse passwords.
Don't make things easy for the crooks. And until next time, stay secure.
End transcript

Using your pet’s name, your street’s name or a random word can be easy to remember, but can also be easy to guess.

Even if the website stores only hashes of passwords rather than the passwords themselves, a single dictionary word is still easy to recover: the attacker can generate a large number of candidate passwords, hash each one with the same function and check whether any result matches a stored hash. Attackers always start with dictionary words and variations of them, because most passwords are ordinary words.
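The video's figures (26 to the power 8 possibilities for eight lowercase letters, 100 billion guesses per second) and the point above about dictionary words can be put side by side with a little arithmetic. The following is an added example, not part of the course material; the dictionary size of 200,000 words and the 7,776-word passphrase list are assumptions chosen for illustration, since the page gives no list sizes.

```python
import math

# Figures quoted in the video: an 8-letter lowercase password has 26**8
# possibilities, and a cracking rig can try about 100 billion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet and list sizes. 26 and 95 are standard; the two list sizes are
# assumptions for illustration (the page gives no dictionary or wordlist size).
LOWERCASE_LETTERS = 26
PRINTABLE_ASCII = 95          # upper, lower, digits and punctuation
DICTIONARY_SIZE = 200_000     # assumed size of an attacker's word dictionary
PASSPHRASE_WORDLIST = 7_776   # assumed Diceware-style list of short words


def search_space(choices_per_position, positions):
    """Number of candidates an attacker must try in the worst case."""
    return choices_per_position ** positions


def entropy_bits(space):
    """Search space expressed in bits (log2 of the number of candidates)."""
    return math.log2(space)


def worst_case_seconds(space, rate=GUESSES_PER_SECOND):
    """Time to exhaust the whole space at the given guess rate."""
    return space / rate


def summarise(label, choices_per_position, positions):
    """Build one comparison row for a password-choosing strategy."""
    space = search_space(choices_per_position, positions)
    seconds = worst_case_seconds(space)
    return {
        "strategy": label,
        "candidates": space,
        "bits": round(entropy_bits(space), 1),
        "seconds": seconds,
        "years": seconds / SECONDS_PER_YEAR,
    }


# Strategies discussed in the video and the text above.
STRATEGIES = [
    ("single dictionary word", DICTIONARY_SIZE, 1),
    ("dictionary word plus 2 digits", DICTIONARY_SIZE * 100, 1),
    ("8 random lowercase letters", LOWERCASE_LETTERS, 8),
    ("14 random mixed characters", PRINTABLE_ASCII, 14),
    ("5 random words from a 7,776-word list", PASSPHRASE_WORDLIST, 5),
]


def compare_strategies():
    """Return the comparison table as a list of rows."""
    return [summarise(*strategy) for strategy in STRATEGIES]


if __name__ == "__main__":
    for row in compare_strategies():
        print(f"{row['strategy']:<40} {row['bits']:>6.1f} bits  "
              f"{row['seconds']:.3g} s  ({row['years']:.3g} years)")
```

Running it shows the eight-letter lowercase password falling in about two seconds at the quoted rate, a dictionary word with two digits appended in a fraction of a millisecond, and the 14-character mixed password taking longer than the age of the universe. The exhaustive figure is an upper bound: against weak choices attackers never need to search the whole space, which is why the row order matters more than the exact numbers.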

So your accounts will be more secure using long passwords made up of a collection of numbers, letters and symbols that don’t resemble a dictionary word. One way of coming up with such passwords is first to choose a memorable phrase and convert it in the way described in the video above.

Strong passwords – long strings of characters that don’t appear in any dictionary, or at least five separate non-related words that are not easily guessable – are vital. The other thing to remember is to use a different password for every account.

The majority of cases in which someone’s password has been compromised have occurred when an attacker has cracked someone’s password on a low-value, low-security site, and that user used the same password for another, higher-value site. The attacker either knows or guesses the target’s username on the higher-value site and then tries the cracked password on it.

For more advice about how to choose strong passwords read the Good password checklist. It might be useful to print off and keep this.

Good password checklist

  • Don’t use simple, short, easy-to-guess passwords such as the names of friends, family or pets. Don’t use words from the dictionary or commonly used passwords such as 12345 or QWERTY.
  • Don’t rely on substituting characters, as in pa22w0rd; cracking tools try these substitutions automatically.
  • Don’t use the same password on more than one website.
  • Do use long passwords that are a random mix of upper case, lower case, numbers and other characters, such as giYT%$54vcD3W.
  • For memorable passwords, do use a string of at least five unrelated dictionary words, such as bamboo glasses book engine red.
  • Don’t share passwords with other people. If they need access to data, they should be given their own login.
  • Don’t leave passwords lying around in notebooks, on sticky notes close to your computer, or in files on your computer where they can easily be read.
  • Before you enter a password into a website, make sure it is using a secure connection beginning with https:// (the browser might also show a small padlock close to the address). This means the site is using an encrypted link, so an attacker who intercepts the traffic cannot read your password.
  • When you register with some online services they will send you a password so that you can log in. Many sites force you to change this password when you first log in; if they don’t, change it yourself on your first visit.
  • Change the default password on devices such as your internet router. This is programmed at the factory, and some companies use a single password for all their devices, so an attacker only needs to know the make of your router to gain access.
  • If you have trouble remembering passwords, try a password manager program that not only stores passwords but can generate new, highly complex passwords for you.
  • Two-factor authentication gives you additional protection, as it requires two pieces of information (such as a password and a random number sent by SMS) before access is granted. If a company offers two-factor authentication, you should use it.
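The first five points of the checklist can be turned into a simple policy check of the kind a site might run when a user picks a password. The code below is an added example written for this page, not part of the course or any product. It assumes a minimum of 12 characters for random-style passwords (the video suggests aiming for 14 or more), a constructed blocklist and dictionary of a handful of words standing in for the large lists a real system would use, and a constructed substitution map for undoing tricks like pa22w0rd. It accepts the checklist's own examples, giYT%$54vcD3W and bamboo glasses book engine red, and rejects pa22w0rd, 12345 and a two-word phrase.

```python
# Constructed sample blocklist; a real deployment would use a large list of
# commonly used or previously breached passwords.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "welcome", "admin"}

# Constructed sample dictionary used to recognise a single plain word; real
# lists are far larger.
DICTIONARY_WORDS = {"bamboo", "glasses", "book", "engine", "red", "password", "dog", "summer"}

# Assumed character substitutions to undo before checking (pa22w0rd -> password).
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "2": "s", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_RANDOM_LENGTH = 12    # assumption for this example; the video aims for 14 or more
MIN_PASSPHRASE_WORDS = 5  # from the checklist: at least five unrelated words


def normalise(password):
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def character_classes(password):
    """Count how many of upper, lower, digit and other characters are present."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def looks_like_passphrase(password):
    """True for at least five distinct alphabetic words separated by spaces.

    Whether the words are genuinely unrelated cannot be checked mechanically;
    that part of the advice stays with the user.
    """
    words = password.lower().split()
    return (len(words) >= MIN_PASSPHRASE_WORDS
            and len(set(words)) == len(words)
            and all(word.isalpha() for word in words))


def check_password(password):
    """Return a list of checklist violations; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    normalised = normalise(password)

    if lowered in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        problems.append("matches a commonly used password (after undoing character substitutions)")
    if normalised in DICTIONARY_WORDS:
        problems.append("is a single dictionary word")

    # A proper passphrase satisfies the length and mixture advice by construction.
    if looks_like_passphrase(password):
        return problems

    if len(password) < MIN_RANDOM_LENGTH:
        problems.append(f"shorter than {MIN_RANDOM_LENGTH} characters")
    if character_classes(password) < 3:
        problems.append("does not mix at least three of upper case, lower case, digits and symbols")
    return problems


def passes(password):
    """Convenience wrapper: True when the checklist raises no objection."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("pa22w0rd", "12345", "bamboo glasses",
                      "giYT%$54vcD3W", "bamboo glasses book engine red"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The check deliberately reports every violation rather than stopping at the first, so the user sees why a choice failed. Checking both the raw and the normalised form matters: 12345 is caught as-is, while pa22w0rd is caught only once the digits are mapped back to letters.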

In the next section you’ll get to test the strength of your passwords.

