Basic Password Security

This one seems like a bit of a no-brainer, but recently a friend of mine, who is really quite high up in the digital marketing department of a major brand, had his personal Twitter account hacked because his password was ‘password123’.

This should not be a post I have to write. Still, here we are. 

So, here’s a quick rundown on how to create a secure password. The main insight to start from is that hackers and other such unsavoury types use programmes to guess your password. These work through what is essentially a dictionary: a list of words, names, numbers, etc., trying each in turn in an attempt to find the one that opens your account. The best way to thwart them is to use a combination that won’t occur naturally and so is unlikely to be on their bots’ lists:

  • DON’T use a single word that already exists (your name, your pet’s name, ‘password’, ‘letmein’, anything from your brand / the dictionary / Harry Potter / Twilight)
  • DON’T just add a number onto the end of a word (‘password123’ being a prime example)
  • DON’T replace obvious letters with numbers (pa55w0rd, for example. Machines work with patterns: if you can see that s=5, o=0, a=4, etc., so can the people who program the hackbots)
  • DON’T use your date of birth, address, phone number or other easily-found information about yourself, your company or your brand
  • DON’T write it down and stick it to your monitor, or anything equally obvious (and make sure to stop anyone else who knows it from doing this)
  • DON’T use the same password for multiple accounts – each must be unique, and not just ‘password1’, ‘password2’, etc. either. Get inventive.
  • DON’T share it more widely than is absolutely necessary – only to those who need access for mission-critical work (posting, responding, data-gathering).
  • DON’T circulate it openly – NEVER in an email with ‘New password for @YourBrand’ in it, and certainly not as a subject: Set a codeword that you and your colleagues will know to mean password, for example ‘New Lamppost notice’ or ‘an update from the Australian office’ etc.
  • DON’T have the password in plain text or otherwise easily copied & pasted – if you must circulate it, do so as an image attached to an email, again not mentioning the word ‘password’ or ‘login’ in the text of the email at all if you can help it

(These last two are to help minimise the risk of a naughty person gaining access to your email account, running a search for ‘password’ and suddenly having the keys to every aspect of your brand’s online identity)

  • DO mix capitals and lowercase, but in sTUpiD pLACes
  • DO spell things wrong (just remember when you do)
  • DO use special characters: @ _ - # ~ ; : etc.
  • DO add spaces (but not in the correct places, li ket hisf orexa mple) – some logins won’t allow this, but lots will
  • DO use a combination of all of the above tips in the same password
  • DO use these guidelines for all of your passwords, not just brand accounts. No point coming up with a great, complex password for a brand login if the computer it’s stored on is locked with ‘12345’ or something
  • DO make sure you can remember the damn thing. There’s no point having a string of letters and symbols that’s unguessable if you forget it before it can be useful
  • DO change it every time someone who has access to it leaves the project / team / company (see also this post on What to do when your security is compromised)
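To show how the “dictionary with patterns” point and the DON’T / DO rules above fit together, here is a small password checker. It is an added example written for this post, not code from the original article or from any product; the wordlist, the letter-to-digit map and the sample passwords are all constructed, and the twelve-character minimum is an assumption of the example rather than something the post states. The key step is `normalise`, which undoes exactly the tricks the DON’T list warns about (digits bolted on the end, s=5 / o=0 swaps, spaces) before looking the result up, so that ‘pa55w0rd’, ‘password123’ and ‘Pass Word1!’ all collapse to ‘password’.

```python
from __future__ import annotations
import re

# Constructed stand-in for the dictionary a guessing tool works from.
# A real wordlist has millions of entries; the point is the lookup, not the list.
COMMON_WORDS = {
    "password", "letmein", "qwerty", "welcome", "dragon", "monkey",
    "hogwarts", "twilight", "football", "liverpool",
}

# Letter-to-digit/symbol swaps that guessing tools apply as "mangling rules".
# Undoing them before the lookup is what makes pa55w0rd no better than password.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(candidate: str) -> str:
    """Reduce a password to the base word an attacker's rules would derive it from:
    lower-case, drop spaces, strip leading/trailing digits and symbols, undo leet."""
    base = candidate.lower().replace(" ", "")
    base = re.sub(r"[^a-z]+$", "", base)      # password123 -> password
    base = re.sub(r"^[^a-z]+", "", base)      # !!secret    -> secret
    return base.translate(LEET_MAP)           # pa55w0rd    -> password


def weaknesses(password: str,
               personal: tuple[str, ...] = (),
               previous: tuple[str, ...] = ()) -> list[str]:
    """Return the rules from the post that `password` breaks (empty list = none fired).

    personal: facts an attacker could look up (names, pets, brand, birth year).
    previous: passwords already in use elsewhere; a trivial variant counts as reuse.
    """
    problems: list[str] = []
    core = normalise(password)
    lowered = password.lower()

    if core in COMMON_WORDS:
        problems.append("single dictionary word, possibly with digits or leet-speak bolted on")
    for fact in personal:
        if fact.lower() in lowered or (normalise(fact) and normalise(fact) in core):
            problems.append(f"contains easily found information: {fact!r}")
    for old in previous:
        if normalise(old) == core:
            problems.append("trivial variant of a password already in use")
    if len(password) < 12:                    # assumed minimum, not from the post
        problems.append("shorter than 12 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("no mix of upper and lower case")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character or space")
    return problems


if __name__ == "__main__":
    # Constructed examples: the post's own bad passwords plus one built from the DO list.
    facts = ("Fido", "1985", "YourBrand")
    samples = ("password123", "pa55w0rd", "Fido1985!", "Pass Word1!",
               "cORrec thoRSe baTTery sTaple!")
    for pw in samples:
        report = weaknesses(pw, facts, previous=("password1",))
        print(f"{pw!r:34} -> {report or 'no rule fired'}")
```

An empty result only means none of these particular checks fired; as the post says, no checklist totally guarantees safety, and a checker like this is best used to reject the obvious choices rather than to certify the rest.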

I know what a ball-ache all this seems, especially when even this level of precaution won’t totally guarantee safety, but it’s worth it if it discourages the baddies long enough to make them give up.

And, if you ever have to explain to your client why their brand is currently spouting all sorts of potentially damaging content, you can show that you did everything in your power to stop it happening. And that’s worth something.

(First posted January 3rd, 2014)