New Year, New Password
When was the last time you changed the password on your personal email account? At work, we all get prompted to reset our password once a year, but many of us will cling to the same password for our personal email account for many years.
The start of a new year can be a good prompt to update your email password and review your other security settings.
Your email account is particularly attractive to fraudsters. If they manage to take it over, they can go around common retailers and services where your details may be stored - such as Amazon, PayPal, Facebook, Instagram, and eBay. They can enter your email address and request a password reset for these other accounts.
Most password resets involve an email being sent containing a password reset link. This gives fraudsters the ability to reset your passwords and effectively lock you out of important accounts. These accounts may contain your payment details, home address, and other sensitive information, stored to make it easy to quickly order items or send money.
On top of that, the fraudster could use your personal email account to target your friends and family with phishing emails designed to look like they have come from you.
The National Cyber Security Centre advise that if you have used your email password anywhere else, you should update it as soon as possible. You should use a strong password which is different to all of your other accounts.
Ideally, all of your accounts should have their own unique passwords. Where it is available, you should also make sure to activate multi-factor authentication. This allows you to add an extra step into your login process – such as entering a one-time code which is sent to you via text, using a biometric scanner, or authorising the login attempt on an authenticator app.
Although it may seem like a faff having an additional step to take, having multi-factor authentication active can offer good protection to your account. Even if a fraudster manages to guess or steal your password, they won’t be able to get in without providing the second piece of evidence that they are you!
Setting a good password
When picking a password, you should aim for something that someone who knows you wouldn’t be able to guess within 20 attempts. That means staying away from the names of loved ones, pets, favourite sports teams, musicians, dates of birth, holiday destinations, and common passwords such as qwerty, password, and 123456 (for more on the most popular passwords, read this BBC article).
We seem to quite like using numbers in place of letters in our passwords (e.g. P455W0RD) – but cyber criminals are very aware of this tactic too.
Advice from the National Cyber Security Centre (NCSC) is to use three random words. The traditional advice is to make passwords as complex as possible, but that also makes them much harder for us to remember and we then tend to stick to one password once we’ve learnt it. The NCSC logic is that by putting three unconnected words together, we make passwords that are much harder to guess but pretty easy for us to remember.
If you want to read more about why the NCSC recommend the use of three random words, and their other advice around password management, please see this blog post on their website. The article also explains why the NCSC don’t mind you writing your passwords down, as long as you store them safely.
If you can create a mental image around your three random words, this can help you to remember your password more easily.
Example 1 – a traditional “complex” password featuring capital letters, numbers and symbols: Um8r311@ – this password would be cracked by a computer in roughly 8 hours*
Example 2 – three random words: caravanteapotmouse – this password would be cracked by a computer in around 23 million years*
*Figures calculated by the password checker at www.security.org/how-secure-is-my-password/
More useful articles are available in the recent edition of our Counter Fraud Newsletter, which can be found on our Publications page.