Passwords, passwords, everywhere: our guide to password management

Cyber Resilience 22nd September 2023

Passwords are a necessary evil in a digital world and unfortunately, a weak password is a golden ticket for a cybercriminal.

Although the internet is full of advice and guidance on how to create safe and reliable passwords, contradictory advice across institutes, websites, and forums can make it very confusing to determine best practice. The National Cyber Security Centre (NCSC) supports the ‘three random words’ strategy to keep hackers out while ensuring you can still remember your passwords and access your data.

As we use passwords every day to access accounts, data, systems, websites, and applications, it’s important to get to grips with how to manage passwords and what constitutes a safe choice.

In this guide, we are sharing the best practices for password management and the most commonly made mistakes to avoid.

Passwords: the fundamentals

A password is a confidential word, expression, or string of characters used to prove a person’s right to access something.

As the world has moved to a more digital way of working, the requirements for new passwords have grown. What began as a simple word or phrase has escalated: users are now required to include upper and lower case letters, numbers, special characters, and a minimum number of characters, at the very least.

Some systems even require users to change their passwords regularly or prevent them from using a password that has previously been used, in an attempt to mitigate the chance of a data breach.

However, this is now discouraged and recognised as bad practice for password creation and management.

It is almost certain that you already use passwords as part of your daily routine, whether to log into your email account at work, check your online banking, or disarm your home security alarm. However, a single password is sometimes the only thing protecting all of your valuable data, as it is easy to fall into the trap of choosing the same combination for every account.

Unfortunately, as more and more accounts are created, it becomes difficult to choose a different password for each one and to remember which combination matches which account.

Ultimately, it is your choice as to which passwords you use and when you use them. If they are implemented correctly, passwords are a free, easy, and effective way to stop someone from accessing your personal or business information.

Common password mistakes and trends

Each year various sources including cyber and news outlets publish lists of the most common passwords and tips on how to improve on them to avoid data breaches.

The most commonly used passwords worldwide in 2023, and the frequency of use, are as follows:

  • 123456 – 4,524,867
  • Admin – 4,008,850
  • 12345678 – 1,371,152
  • 123456789 – 1,213,047
  • 1234 – 986,811
  • 12345 – 728,414
  • Password – 710,321
  • 123 – 528,086
  • Aa123456 – 319,725
  • 1234567890 – 302,709

It’s clear from these results that a large majority of the online population is falling into the same habit of copying, repeating, or using passwords that are generic, easy to remember, and therefore extremely easy to hack.

What to avoid when creating a new password

  • Password reuse: trying to remember passwords can be hard and this leads to many people using the same password on many, if not all, accounts. While this makes it easy to remember, it also makes it easier for the cybercriminal. If they crack your password for one account, they consequently have access to all of your accounts.
  • Using personal information: many passwords include pet names, children’s names, birthdays, and dates of birth. It is not difficult to guess this information or search the internet, including social media profiles, to get it.
  • Default passwords: some devices and services are left with the manufacturer’s default password unchanged, or worse, the default itself is easy to guess, for example ‘admin’ or ‘password’.
  • Letter replacements: swapping letters for special characters and numbers is still very common practice and this is one of the first things hackers will test when trying to gain access to your accounts.
  • Passwords from patterns: they can look complex at first glance, but if they are the top row of a keyboard or a sequence of any kind they become easy to predict and break.
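The five mistakes above can be turned into an automated policy check at the point where a password is set. The Python below is an added example written for this guide, not Net Defence code: it undoes common letter replacements before comparing against a small deny-list (the top-10 list from this page plus two well-known defaults, a constructed sample), looks for keyboard rows and sequences, matches against a caller-supplied list of personal details, checks a password history, and applies the 12-character minimum given later in this guide. The profile values and candidate passwords in the demo are made up.

```python
import hashlib
from collections.abc import Iterable

# Constructed deny-list: the page's top-10 list plus a couple of well-known
# defaults. A real policy check would load a much larger breach corpus.
DEFAULT_PASSWORDS = {
    "123456", "admin", "12345678", "123456789", "1234", "12345",
    "password", "123", "aa123456", "1234567890", "qwerty", "letmein",
}

# Letter replacements attackers try first; undoing them lets the deny-list
# catch 'P@ssw0rd' as 'password'.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def normalise(pw: str) -> str:
    """Lower-case and undo common letter/number substitutions."""
    return pw.lower().translate(LEET_MAP)


def has_pattern(pw: str, run: int = 4) -> bool:
    """True if any `run`-character window is a repeated character, an
    ascending/descending sequence (abcd, 4321) or a keyboard-row slice."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def contains_personal_info(pw: str, profile: Iterable[str]) -> bool:
    """Reject passwords built from names, pets, birth years and similar."""
    haystacks = (pw.lower(), normalise(pw))
    return any(len(item) >= 3 and item.lower() in h
               for item in profile for h in haystacks)


def password_hash(pw: str) -> str:
    # Stand-in for the history store; production systems keep salted,
    # slow KDF hashes (e.g. Argon2/bcrypt) and compare with the same KDF.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(pw: str, profile: Iterable[str] = (),
                   previous_hashes: Iterable[str] = (), min_len: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password_hash(pw) in set(previous_hashes):
        problems.append("reused: matches a previously used password")
    if pw.lower() in DEFAULT_PASSWORDS or normalise(pw) in DEFAULT_PASSWORDS:
        problems.append("default or top-10 password (letter replacements undone)")
    if contains_personal_info(pw, profile):
        problems.append("contains personal information")
    if has_pattern(pw):
        problems.append("contains a keyboard pattern or sequence")
    return problems


if __name__ == "__main__":
    # Hypothetical user profile and password history, constructed for the demo
    history = {password_hash("PencilSpatulaGorilla")}
    for candidate in ["P@ssw0rd", "RexTheDog1990!!!", "Qwerty123456!",
                      "PencilSpatulaGorilla", "BasketOrbitLantern"]:
        result = check_password(candidate, ["Alice", "Rex", "1990"], history)
        print(candidate, "->", result or "OK")
```

Running the demo shows ‘P@ssw0rd’ rejected as both too short and a disguised default, ‘RexTheDog1990!!!’ rejected for personal information, ‘Qwerty123456!’ rejected for its keyboard row, and the page's own ‘PencilSpatulaGorilla’ rejected only because the history says it has been used before.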

Types of possible password breaches

There are many ways for cybercriminals to crack the passwords you took the time to create. Here is a list of a few commonly used techniques to look out for.

  • Dictionary attacks: these are brute force attacks in which hackers use programs to test every word in a dictionary against your account in order to guess the password. Combining different letters, numbers, and special characters makes your password more resistant to this type of attack.
  • Phishing attacks: during these attacks, cybercriminals use social engineering scams to trick you into supplying login credentials as well as other personal information. This is often conducted through fake emails, or cloned websites, so it can be useful to take part in training that will help you to identify signs of a falsified email or webpage.
  • Password spraying: for this method, the cybercriminal uses a vast list of frequently chosen passwords and tests these against your username on one account before moving on to another.
  • Credential stuffing attacks: this is when a cybercriminal uses stolen credentials to attempt to gain access to your other accounts using the same information. The known credentials will have been obtained from a previous data breach.
  • Website attacks: this is where the cybercriminal will target a website that has weak security with the aim of stealing your credentials to use for other attacks.
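From the defender's side, password spraying and dictionary attacks leave a recognisable shape in authentication logs. The Python below is an added example, not part of the original article; its log format and sample lines are constructed for the demonstration. It flags one source failing against many different accounts (spraying), one source failing repeatedly against a single account (brute force or dictionary), and a successful login that follows a burst of failures from the same source, which is what a guessed or stuffed credential looks like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The line format is an assumption for this example:
#   <ISO timestamp> auth <FAIL|SUCCESS> user=<name> src=<ip>
SAMPLE_LOG = """\
2023-09-22T09:00:01 auth FAIL user=alice src=203.0.113.10
2023-09-22T09:00:04 auth FAIL user=bob src=203.0.113.10
2023-09-22T09:00:07 auth FAIL user=carol src=203.0.113.10
2023-09-22T09:00:10 auth FAIL user=dave src=203.0.113.10
2023-09-22T09:00:13 auth FAIL user=erin src=203.0.113.10
2023-09-22T09:00:16 auth FAIL user=frank src=203.0.113.10
2023-09-22T09:05:00 auth FAIL user=admin src=198.51.100.7
2023-09-22T09:05:02 auth FAIL user=admin src=198.51.100.7
2023-09-22T09:05:04 auth FAIL user=admin src=198.51.100.7
2023-09-22T09:05:06 auth FAIL user=admin src=198.51.100.7
2023-09-22T09:05:08 auth FAIL user=admin src=198.51.100.7
2023-09-22T09:05:10 auth SUCCESS user=admin src=198.51.100.7
2023-09-22T09:30:00 auth FAIL user=alice src=192.0.2.5
2023-09-22T09:30:20 auth SUCCESS user=alice src=192.0.2.5
2023-09-22T09:31:00 kernel: unrelated message that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> list[dict]:
    """Turn matching lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Per-source alerts:
      'password spraying'        - failures against >= spray_users distinct accounts in one window
      'brute force / dictionary' - >= brute_attempts failures against one account in one window
    """
    alerts: dict[str, set[str]] = {}
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= spray_users:
                alerts.setdefault(src, set()).add("password spraying")
            if max(per_user.values()) >= brute_attempts:
                alerts.setdefault(src, set()).add("brute force / dictionary")
    return {src: sorted(kinds) for src, kinds in alerts.items()}


def successes_after_failures(events, window=timedelta(minutes=10), min_fails=3):
    """(user, src) pairs where a success followed >= min_fails failures from the
    same source inside the window: the signature of a guessed or stuffed credential."""
    fails = [e for e in events if e["result"] == "FAIL"]
    hits = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        prior = [f for f in fails
                 if f["src"] == e["src"] and timedelta(0) <= e["ts"] - f["ts"] <= window]
        if len(prior) >= min_fails:
            hits.append((e["user"], e["src"]))
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(detect(evts))
    print(successes_after_failures(evts))
```

The thresholds are deliberately low so the constructed sample trips them; in a real environment they are tuned to the normal failure rate, and the single failed-then-successful login from 192.0.2.5 is left alone as ordinary user behaviour.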

How secure is your password?

There are websites where you can check your current passwords to see how secure they are, or whether they have been compromised online. Take care with any site offering this service, as you will be sharing your password with it, and do not use a site that asks for your email address alongside the password to be checked.
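A checking service can be designed so that it never sees your password: the client hashes the password locally and sends only the first five hexadecimal characters of the hash, and the service returns every breached-hash suffix under that prefix for the client to match at home (the k-anonymity range query used by Have I Been Pwned's Pwned Passwords service). The Python below is an added example, not code from the article or from any checking service; it simulates both sides offline against a constructed corpus (the counts for three entries are the 2023 figures quoted above, the fourth is made up) and contacts nothing.

```python
import hashlib

# Constructed breach corpus: password -> number of times seen in breaches.
# The first three counts are the page's 2023 figures; 'letmein' is made up.
BREACH_CORPUS = {
    "123456": 4_524_867,
    "Password": 710_321,
    "Aa123456": 319_725,
    "letmein": 12_000,
}

HEX = set("0123456789ABCDEF")


def sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict[str, int]) -> dict[str, list[str]]:
    """Service side: store only hashes, bucketed by their first five hex chars."""
    index: dict[str, list[str]] = {}
    for pw, count in corpus.items():
        h = sha1_upper(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def range_lookup(prefix: str) -> list[str]:
    """Service side: answer a 5-character prefix with every 'SUFFIX:COUNT' under it.
    The service learns 20 bits of the hash and nothing else."""
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return RANGE_INDEX.get(prefix, [])


def times_breached(pw: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    h = sha1_upper(pw)
    for entry in range_lookup(h[:5]):
        suffix, count = entry.split(":")
        if suffix == h[5:]:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["123456", "PencilSpatulaGorilla"]:
        n = times_breached(pw)
        print(pw, "->", f"seen {n:,} times" if n else "not in corpus")
```

The point of the split is that the only thing leaving the client is a five-character prefix shared by a large number of unrelated hashes, so a service built this way has no reason to ask for the password itself, let alone the email address that goes with it.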

How to ensure a secure password choice

Below we have outlined some of the best practices to keep in mind when creating a new password, or upgrading an old one.

  • Use a minimum of 12 characters (this is the Net Defence policy); longer is better, but you need to balance this with being able to remember it.
  • Ensure the words are random and have no association with you, your family, pets, or hobbies.
  • Make sure you use different passwords for different accounts.
  • Make sure they are easy to remember but are hard to guess (three random words is a good strategy e.g. PencilSpatulaGorilla).
  • Don’t write down any passwords; try to make them easy to remember instead.
  • Never tell anyone your password (make sure you are the only one accessing your accounts).
  • Make sure your software and devices are kept up to date.
  • Be vigilant towards other people trying to see your passwords (e.g. over your shoulder, recording on a smartphone).
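The ‘three random words’ recommendation above depends on the words actually being random, which is a job for a cryptographic random source rather than your own imagination. The Python below is an added example, not the article's own material; the word list is a constructed 16-word sample, so real use would substitute a list of thousands of words. It draws words with the secrets module, enforces the 12-character minimum from the list above, and shows how the size of the word list sets the guessing entropy.

```python
import math
import secrets

# Constructed mini word list for the demo; real generators draw from lists of
# thousands of words (a Diceware-style list has 7,776), which is where the
# entropy comes from.
WORDLIST = [
    "pencil", "spatula", "gorilla", "basket", "orbit", "lantern", "meadow",
    "copper", "violin", "glacier", "tunnel", "biscuit", "harbour", "falcon",
    "walnut", "compass",
]


def pick_words(n: int = 3, words: list[str] = WORDLIST) -> list[str]:
    """Draw n words with the OS CSPRNG (secrets), never random.choice."""
    return [secrets.choice(words) for _ in range(n)]


def make_passphrase(n: int = 3, min_len: int = 12, words: list[str] = WORDLIST) -> str:
    """Three random words, capitalised and joined; redraw until the page's
    12-character minimum is met, so short words cannot produce a short phrase."""
    while True:
        phrase = "".join(w.capitalize() for w in pick_words(n, words))
        if len(phrase) >= min_len:
            return phrase


def entropy_bits(list_size: int, n: int = 3) -> float:
    """Guessing entropy of n words drawn uniformly from list_size: n * log2(list_size)."""
    return n * math.log2(list_size)


if __name__ == "__main__":
    print(make_passphrase())
    print(f"{len(WORDLIST)}-word demo list, 3 words: {entropy_bits(len(WORDLIST)):.1f} bits")
    print(f"7,776-word list, 3 words: {entropy_bits(7776):.1f} bits")
    print(f"7,776-word list, 4 words: {entropy_bits(7776, 4):.1f} bits")
```

The entropy figures make the trade-off concrete: three words from the 16-word demo list give only 12 bits, three from a 7,776-word list give about 38.8 bits, and a fourth word adds roughly 13 bits more, which is why a longer word list, or an extra word, matters more than a special character tacked on the end.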

The more different passwords you use, the more likely it is that only one account will be compromised if a data breach occurs.

Password storage options

Given the guidance to use different passwords for everything, the need has arisen for technology to help you remember them!

Using an encrypted password store can be an effective way to categorise and protect your passwords in one place. However, there is a risk: if you forget the password for the store, you may lose access to all of your passwords.

There are many options available, some of which are free and some of which you will need to pay for.

The most common and recommended are:

  • Internet browser: this is a secure option as long as the browser remains updated (security updates applied), and the account has a strong password.
  • Smartphone: similar to the internet browser option, this will remain secure as long as iOS and other operating system updates are applied and the device has a lock enabled (a PIN of 6 digits or more, facial recognition, or fingerprint access).
  • Application: N-able’s Passportal is a reputable and recommended application for storing your passwords. Be sure to research the options, taking reviews into account, and choose one that you deem safe and reliable.

Where does Net Defence come in?

Although we can’t assist you when choosing your password, we can provide you with the knowledge you need to make smart choices about password management and help prevent the risk of cybercriminals successfully stealing your data.

We can run training sessions within your workplace to educate your team on what to look out for when it comes to phishing or any other form of attack that leads to a data breach.

At Net Defence, we provide in-depth cyber resilience support, including penetration and vulnerability testing to scan your network for potential weaknesses and help you find a solution to patch these gaps and remain secure.

For support with your cyber security strategy, visit our website, or get in touch with our team of specialists today.
