At last, some practical advice about online passwords
We've all been there... typing in 5, 6, 7 or 8 different passwords, each more complex than the last, in order to satisfy the site's rules for password security.
What a pain. And it turns out, as I've been saying for years, that it's all for nothing.
I first stumbled across this when I signed up to comment on a blog a few years back... I wondered why I had to build an extremely complex password, when there were no credit card details exchanged and no real security concerns when commenting on a blog.
It really became an issue when Apple's iCloud got hacked. They began forcing users to make their passwords more complex, despite password complexity having ABSOLUTELY NOTHING to do with the hack. The hackers used phishing scams, i.e. they phoned customer service pretending to be users to get passwords reset. They also broke passwords by answering security questions.
So really it wouldn't have mattered how complex the passwords were... they still would have hacked iCloud. So why are we being forced to make our passwords more complex?
Let me be clear, as a programmer of many years' experience and a user of the web for many years also... Password complexity has no bearing on security.
"thisismycoolpassword" is much more secure than "hRtg$i!£ja"...
First, look at this:
If that's too nerdy for you, let me explain.
A password has to do two things. One, it has to be something that other people won't know, and two, it has to be something you do know.
I bet, without scrolling or looking up, you can remember "thisismycoolpassword"... but you can't remember "hRtg$i!£ja"... (oh, and which one would you prefer to enter on your mobile...?)
And that's the point... in a brute force attack, the longer your password, the harder it is for a computer to guess. A computer doesn't care if your password has a funny symbol or a few upper-case letters... it'll just keep guessing until it gets you. As the comic linked above shows, a short password can take an average computer a few days to crack, but a longer password could take 550 years.
I remember the advice used to be that you should never write your password down. Again, why? Don't you trust the people that live in your house? If you write down your password and put it in a drawer, a hacker would have to get in a plane, fly to your city, break into your house, rummage through your stuff, find the sheet, fly home and steal your data.
Ok, so where is this new advice? Well, GCHQ have issued some up-to-date advice about passwords and at last it seems sensible. Read it here:
At last some clear thinking on password security.
My advice? Pick a long password (16 to 20 characters) and use 2-factor authentication.
Our CMS of choice, Joomla, comes bundled with Google Authenticator support. This means users put in their password, then enter a time-limited short pass-code that Google sends instantly to their smartphone. This is currently the best security the web can offer and it is a breeze to offer to your clients and customers.
If you get a website developed by Elm House Creative, you can offer your users the very latest security features on your website.