Passwords are one of the most commonly discussed security issues we have. The fact that they are so easy to implement and use has meant they are so widely used as an authentication mechanism that there are few people who do not know how to use them. But knowing how to use them, and using them well, are two different matters.
One of the problems with passwords is that many people come up with weak passwords which are easily guessed by attackers, either because they use a combination that is quickly cracked by brute force, or because they use a password which appears on the lists of most commonly used passwords, which attackers will usually try first to see if it works. For this reason, many systems these days impose password requirements, such as a minimum length, or at least one character from each of several character sets (upper case, lower case, digits, etc). This can make the password difficult to remember.
For some people, this leads to a situation where they choose a single password which they then reuse wherever they can. However, this is a dangerous thing to do. The reason is that attackers are well aware that many people reuse passwords, and when attackers learn someone's password, one of the first things they are likely to try is whether that user has used the same password anywhere else. The danger is that whilst the first breached account may not have contained any sensitive data, subsequent accounts that they gain entry to may well contain details such as name, address, date of birth, or bank account details. These are exactly the kind of details that attackers are looking for.
Passwords can be a pain to deal with. But there are ways to make life easier. Some people like to use password managers, software which saves the login details for different accounts and lets each account have a very complex, unique password. Another alternative is to write passwords down, which although often said to be bad advice, really is not that bad if the paper is kept securely (and it is recommended by people like security expert Bruce Schneier and Microsoft's Jesper Johansson). The final method is to come up with a passphrase, which can consist either of a number of words, which is much easier to remember than a mixture of letters and numbers (one very useful method is known as the Diceware method), or of a phrase which is converted to a combination of characters (known as the Schneier method).
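To make the Diceware idea concrete, here is an added example (not code from the original post, and not the official Diceware tooling) that builds a dice-roll-to-word table, draws words with the operating system's cryptographic random source, and estimates how many bits of guessing entropy a passphrase or a conventional character password provides. The word list below is a constructed 36-word sample indexed by two dice; the real Diceware list uses five dice and 7776 words, and the entropy helper is called with that size to show the realistic figure.

```python
import itertools
import math
import secrets

# Constructed sample word list: 36 words, one per two-dice roll ("11" .. "66").
# The real Diceware list has 6**5 = 7776 words, one per five-dice roll.
SAMPLE_WORDS = [
    "apple", "basket", "candle", "desert", "engine", "falcon",
    "garden", "hammer", "island", "jacket", "kettle", "ladder",
    "magnet", "needle", "orange", "pencil", "quartz", "rabbit",
    "saddle", "tunnel", "umpire", "valley", "walnut", "xenon",
    "yogurt", "zipper", "anchor", "bridge", "cactus", "dragon",
    "ember", "forest", "glacier", "harbor", "igloo", "jungle",
]


def build_dice_table(words, dice):
    """Map every dice-roll string (e.g. "3152") to one word, in order."""
    if len(words) != 6 ** dice:
        raise ValueError(f"need exactly {6 ** dice} words for {dice} dice")
    rolls = ("".join(r) for r in itertools.product("123456", repeat=dice))
    return dict(zip(rolls, words))


def roll_dice(dice, rng=secrets.randbelow):
    """Roll `dice` dice; rng(6) must return a uniform int in 0..5.
    secrets.randbelow is a CSPRNG; random.randint would be unsuitable here."""
    return "".join(str(rng(6) + 1) for _ in range(dice))


def generate_passphrase(table, n_words, dice, rng=secrets.randbelow):
    """Pick n_words words by independent dice rolls, joined with spaces."""
    return " ".join(table[roll_dice(dice, rng)] for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n_words uniformly chosen words from a list of list_size."""
    return n_words * math.log2(list_size)


def password_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random character password (not a human-chosen one)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    table = build_dice_table(SAMPLE_WORDS, dice=2)
    print("sample passphrase:", generate_passphrase(table, n_words=6, dice=2))
    # Six words from the full 7776-word list versus eight random alphanumerics.
    print("6 Diceware words: %.1f bits" % passphrase_entropy_bits(7776, 6))
    print("8 random [A-Za-z0-9]: %.1f bits" % password_entropy_bits(62, 8))
```

The comparison at the bottom is the point of the method: six dictionary words drawn by dice give about 77.5 bits, while an eight-character random alphanumeric password gives about 47.6 bits and is far harder to remember. The entropy figures only hold when the words or characters are chosen uniformly at random, which is why the generator takes its randomness from `secrets` rather than from a human picking "memorable" words.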
Big organisations are getting their servers, and the accounts and passwords stored on them, hacked every day. We cannot do anything about the servers being breached, but we can make sure that even if our passwords are broken by attackers, we protect ourselves by ensuring that those passwords cannot be reused against any other account that we have online. By limiting the number of common security mistakes we make, we can limit our exposure to the kinds of security breaches that we are hearing about so often in the news.