Image from Pixabay
It's National Check Your Passwords Day today (in the
Netherlands). This is an initiative of tech website Tweakers and the Public
Prosecution Service, and the intranet editors asked me to dedicate an extra
blog to this day. I am always open to special requests, which I then give
substance to in my own way.
First, let's take a look at the website of the initiative. It
states the following: "As an internet user
you are confronted with many websites that require you to create a user account
and choose a password. Many people find it difficult to come up with and
remember all those different passwords. Unfortunately, this means that many
Dutch people do not handle their passwords securely, for example by choosing
passwords that are easy to guess, or by reusing passwords. Through the National
Check your Passwords Day, we want to make people aware of this and explain that
coming up with and remembering good passwords does not have to be difficult."
The password tips page, to my surprise, only contains
four tips. Let's take a look at those tips. Number 1: Use a password of at
least eight characters. Well, eight characters is an echo from the past, I’m
afraid. Today, twelve is considered a safe minimum. Maybe they are afraid that passwords
that long would be too difficult to remember? There’s an app for that; see
below.
Tip #2: Never set a single word as your password. Agreed,
because then your password would be in the dictionary and hackers are very good
at automatically checking captured password files against a dictionary. So a
password like bungalow doesn’t stand
a chance. It’s just as bad as bung@l0w,
by the way, because that trick is also in the hacker dictionaries.
The third tip is: use at least one word and a number
combination that only you know. So something like bungalow2022? This will
at least make the password longer, and length is really the most important
factor. Unfortunately, the recommended number combination tends to be a year,
birthday or the pin code of your bank card, which does not really make the
password stronger and may even introduce a risk (yes, I mean that pin code).
But luckily they state in tip #4: don't use dates of
birth, addresses or anything else that is easy to guess. I totally agree with
that. This tip is mainly intended to avert targeted attacks. If an attacker has
his eye on you instead of just anyone, he will use everything he can find about
you for his attack. All personal information, even if it is far-fetched, is
therefore taboo for use as (part of) a password.
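The four tips above, with the eight-character minimum raised to the twelve characters recommended here, can be turned into a simple registration-time check. The following Python is an added example, not code from the initiative's website or from any password manager: it judges "bung@l0w" the same as "bungalow" by undoing the usual character substitutions, flags a dictionary word with a year or PIN tacked on, and refuses anything containing the personal data supplied to it. The word list and the personal-data strings are constructed for illustration (assumption); a real deployment would load a large dictionary and leaked-password list.

```python
"""Password policy check illustrating the four tips and the twelve-character
minimum discussed above. Added example; the word list and the personal-data
inputs are constructed for illustration (assumption)."""
import re

# Constructed stand-in for a real dictionary (assumption); a production check
# would load a large word list plus leaked-password lists.
WORDLIST = {"bungalow", "password", "welcome", "summer", "banana"}

# Character substitutions that password-cracking rule sets routinely undo,
# so the checker undoes them too: "bung@l0w" must be judged like "bungalow".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

MIN_LENGTH = 12  # the recommended minimum from the text, not the site's eight

# A trailing run of 2-8 digits: a year, a date or a PIN tacked onto a word.
TRAILING_DIGITS = re.compile(r"(.*?)(\d{2,8})")


def normalize(text: str) -> str:
    """Lower-case and undo the leet substitutions above."""
    return text.lower().translate(LEET)


def check_password(pw: str, personal=()) -> list:
    """Return the policy violations for pw; an empty list means it passes.

    personal: strings an attacker could learn about the user (name, birth
    year, home town, ...) that must not appear in the password (tip 4).
    """
    problems = []
    # Tip 1, tightened: twelve characters, not eight
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lower = pw.lower()
    m = TRAILING_DIGITS.fullmatch(lower)
    core, digits = (m.group(1), m.group(2)) if m else (lower, "")
    core_n = normalize(core)
    # Tip 2: a single dictionary word, leet-encoded or not, is no good
    if not digits and core_n in WORDLIST:
        problems.append("single dictionary word")
    # Tip 3 caveat: word + year/PIN is longer but still dictionary-derived
    if digits and core_n in WORDLIST:
        problems.append("dictionary word followed by digits")
    # Tip 4: nothing an attacker could find out about you
    for item in personal:
        if len(item) >= 3 and (item.lower() in lower
                               or normalize(item) in normalize(lower)):
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the examples from the text
    for candidate in ("bungalow", "bung@l0w", "bungalow2022", "Tq7!vL2#pWz9mK"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the check only rejects what it can recognise: a passing result says the password avoids the pitfalls named in the tips, not that it is strong. Length and randomness, as the text says, remain the decisive factors, which is exactly what a password manager's generator provides.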
After the numbered tips on the website, there are still a
few extra tips, like: don't write your password on a post-it note. And about
security questions (there are still sites that ask for the name of your first
pet, first school teacher or first sweetheart, or similar questions): they
tell you not to choose questions that others know the answer to. Let me put
this a little more strongly: lie! What is your place of birth? Banana. What was your
first school teacher's name? Government. Of course you have to save those lies
somewhere, otherwise they are of no use.
And that brings me to the promised solution to remember
all those secrets: the password manager - an app that remembers your passwords
and other secret information for you, while you only have to remember the
password of that app. According to research commissioned by Tweakers, only 7%
of the Dutch use such an app. That’s a very low percentage. So here's a call to
the other 93%: download a password manager now and start using it. See which
one suits you best; the website lists only three, but there are many more
(pssst: my favorite is Bitwarden). And an extra tip: password managers are also
great at coming up with strong passwords.
This is a Security
(b)log special. That's why there is no news from the big bad world this week.