
Password Best Practice for 2024

Despite frequent rumours of their imminent demise, passwords are still one of the major pillars of security and are relied upon across the world to keep our data safe. But they also represent the weak link in our protection, and cybercriminals spend many hours trying to guess what combination of letters, numbers and special characters we have chosen to guard our most precious digital assets.

So how should we choose and protect our passwords to give the bad guys as hard a time as possible in their efforts to discover them? Read on for our password best practice tips for 2024.

[Infographic: 5 tips for password best practice]

Download a free infographic of the 5 steps for password best practice

Password Best Practice

There are quite a number of organisations that publish best practice advice on passwords, and they don’t always agree. But there are a number of common factors which are universally held to be Good Ideas when creating a password, so let’s look at these first.

1. Password length

If there’s one thing that makes a password much harder to guess, it’s if it’s a long one. We’re talking twelve characters upwards here, and the longer the better; twenty or thirty would be preferable. “What?!” I hear you cry, “How am I going to remember such a long password?”. You don’t need to, because you’ll be using a password manager, and we’ll come on to those shortly.

2. Password content

The second main factor is what your password consists of. This will depend to some extent on the system or website you’re choosing a password for, but the usual suspects are upper and lower case letters, numbers and special characters. Obviously, you shouldn’t choose a password that is easily guessed, and this includes “Password1”, “Pa$$W0rd” and the name of your dog. The best password is a random combination of letters, numbers and special characters that means absolutely nothing to anybody and is securely stored in your password manager (still coming to those shortly).

But what if you aren’t using, or can’t use, a password manager, and you need to be able to remember the password? In this case, there are two main schools of thought. The first is to use three random words which are unrelated to each other, but which you can remember through a bit of effort in associating them in your brain, for example “ScallopRocketUnderwear” or “CheeseFurniturePiano” (I’m not sure what the Freudian implications of this method are – Ed). The second is to use a passphrase where you take the first letter of each word, for example “I really like going to the moon and back because I’m a big rocket fan” becomes “IrlgttmabbIabrf”. After a bit of practice, these should become embedded in your consciousness and be easily retrievable, albeit for a limited number of passwords. And don’t worry about changing your password regularly – best practice says that this should only be done if you know or suspect your password has been compromised.
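To put some numbers behind the advice in sections 1 and 2, here is an added example (not code from the original post or from CertiKit) that generates passwords the three ways described above, using Python’s CSPRNG, and estimates the strength of each approach as bits of entropy. The word list and the attacker guess rate are constructed, labelled assumptions; a real “three random words” generator would draw from a published list of several thousand words. The estimates show why length matters so much for random passwords, and why three words from a short list are weaker than a 12-character random password, which is the page’s reason for preferring manager-generated passwords where possible.

```python
import math
import secrets
import string

# The 94 printable ASCII characters (excluding space) that a password manager
# would typically draw from.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list for illustration only. A real generator would use
# a large published list (thousands of words) so that three words give useful
# entropy.
SAMPLE_WORDS = [
    "scallop", "rocket", "underwear", "cheese", "furniture", "piano",
    "lantern", "marble", "thunder", "velvet", "orbit", "cactus",
]


def random_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random password of `length` characters (uses `secrets`, not `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def three_random_words(words=SAMPLE_WORDS, count: int = 3) -> str:
    """'Three random words' password: each word capitalised and concatenated."""
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def initials_passphrase(sentence: str) -> str:
    """Passphrase built from the first letter of each word of a memorable sentence."""
    return "".join(word[0] for word in sentence.split() if word)


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def entropy_bits_words(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def seconds_to_try_all(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guess rate, for comparison only
    print("random 12:", random_password(12), f"{entropy_bits_random(12, 94):.1f} bits")
    print("random 20:", random_password(20), f"{entropy_bits_random(20, 94):.1f} bits")
    print("three words (7776-word list):", three_random_words(),
          f"{entropy_bits_words(3, 7776):.1f} bits")
    print("initials:", initials_passphrase(
        "I really like going to the moon and back because I'm a big rocket fan"))
    for bits in (entropy_bits_random(12, 94), entropy_bits_random(20, 94), entropy_bits_words(3, 7776)):
        print(f"{bits:.1f} bits -> {seconds_to_try_all(bits, RATE) / 31_557_600:.3g} years")
```

The initials method is not given an entropy figure on purpose: the sentence is chosen by a person rather than drawn uniformly, so the usual formula does not apply and any number would overstate its strength.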

3. Password reuse

Great, so you’ve come up with a clever password that will never be guessed. Makes sense to use it on every system and website you come across, right? No, no, a thousand times no. The trouble is, systems get hacked and passwords stolen, so if the bad people know your password to one site, what do you think happens next? That’s right, they try it on lots of other sites, hoping that you’ve fallen into the password reuse trap. Then they give it (or more likely sell it) to their friends who try a whole bunch of other websites, and so on. I know people this has happened to and watching the panicked frenzy of them trying to log in to the sites the password is used on before the hackers get there is not a pretty sight. That’s if they can even remember which sites might be at risk. Use a completely different password for every website or system (and a password manager – coming soon I promise).

4. Multifactor

The last big hitter that everyone agrees on is the use of multifactor authentication. This is where you receive a text with a code to enter onto the screen when you log on. Or preferably (because phone numbers can be hacked too), you use an app on your phone to retrieve the number or respond to a message in an app to confirm it’s you. Fortunately, this is now very common and where it’s available you should definitely be using it.

5. Password Managers

At last we can talk about password managers (thanks for your patience). These are apps that store your login details (username, password, logon URL and anything else you need) in an encrypted vault that you can access from multiple devices. They can fill in your username and password automatically in most cases because they recognise the site you’re on, and this alone can be a major time saver. Because your details are stored, you don’t need to remember any passwords and so you can make them as long and nonsensical as you wish and use a completely different one for each website. Many password managers will suggest a password for you, so you don’t even have to think about it.

Additional functionality varies according to the password manager you choose, but many will give you advice about your existing passwords they consider to be weak, allow you to organise your logons in folders, and set restrictions on how the app can be accessed (for example from which countries and browsers).

So far so good. But there are maybe two areas that are the Achilles’ heel of password managers; the first is the fact that you still need a master password to access the password manager itself – better make this a really good, long one, memorise it well and use the best multifactor option available (a hardware security key, such as a YubiKey, is ideal). The second issue is that you have stored all of your credentials in the cloud, so what if the password manager itself gets hacked? Unfortunately, this has happened in the past, and the jury is still out (not literally – no-one ever gets caught) on whether customers’ passwords have been obtained. The key here is to make your master password the best password you have ever created in your life, as this is usually what’s used to encrypt your data, and strong encryption is your best friend.
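Two things in sections 3 and 5 are easy to show in code: the “weak password” advice a manager gives you, and why the master password is what stands between a stolen vault and your credentials. The following is an added example, not code from the original post, from CertiKit or from any password manager. The vault contents and the short common-password list are constructed; the key derivation uses PBKDF2-HMAC-SHA256, which is one standard choice and is assumed here for illustration (real products differ in the KDF and parameters they use). The audit flags passwords that are reused across sites, shorter than twelve characters, or on the common list, which is exactly the reuse trap described in section 3.

```python
import hashlib
import secrets
from collections import defaultdict
from typing import Dict, List

# Constructed sample vault (site -> password). A real vault is encrypted at rest;
# this plaintext view is what the manager sees after you unlock it.
SAMPLE_VAULT = {
    "bank.example": "7u$Kq!pL2#zR9vN@eW1m",
    "shop.example": "Password1",
    "mail.example": "CheeseFurniturePiano",
    "forum.example": "CheeseFurniturePiano",
    "news.example": "Pa$$W0rd",
}

# Tiny constructed denylist standing in for a real common/breached-password list.
COMMON_PASSWORDS = {"password", "password1", "pa$$w0rd", "123456", "qwerty"}

MIN_LENGTH = 12


def audit_vault(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per site, the weaknesses a password manager would flag:
    reused elsewhere in the vault, too short, or on the common list."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)

    findings = {}
    for site, password in vault.items():
        problems = []
        if len(sites_by_password[password]) > 1:
            others = sorted(s for s in sites_by_password[password] if s != site)
            problems.append("reused on " + ", ".join(others))
        if len(password) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if password.lower() in COMMON_PASSWORDS:
            problems.append("on common-password list")
        if problems:
            findings[site] = problems
    return findings


def new_salt() -> bytes:
    """Random per-vault salt so two users with the same master password get different keys."""
    return secrets.token_bytes(16)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Derive the 256-bit key that encrypts the vault from the master password
    (assumed KDF: PBKDF2-HMAC-SHA256). The iteration count makes every guess
    expensive, but only a long, unique master password protects a stolen vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


if __name__ == "__main__":
    for site, problems in audit_vault(SAMPLE_VAULT).items():
        print(f"{site}: {'; '.join(problems)}")
    salt = new_salt()
    key = derive_vault_key("correct horse battery staple is not my real master password", salt)
    print("vault key:", key.hex())
```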

Closing Thoughts

The benefits of password managers really do outweigh the potential pitfalls, and they are your only chance of using different strong passwords on every system and website. One other interesting development is the use of single sign-on (SSO), where one system or website trusts the fact that you have already logged on to another (for example Google, Microsoft or Apple), and this may reduce the sheer number of passwords you need in the longer term. But for now, passwords are everywhere and if we don’t manage them carefully, the danger is that someone else will.

Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 

This blog was published in October 2023 and updated in October 2024. 


More Cyber Security Resources

If Cyber Security Awareness Month has inspired you to take action, we have some useful resources to help.

  • Cyber Security Blogs – We have a host of useful content relating to all things Cyber Security.
  • Cyber Awareness Training Platform – All-in-one platform solution for automating cyber training.
  • Cyber Essentials Toolkit – Align to the UK scheme with help from our document toolkit, including all the templates and guides required to comply.
  • ISO27001 Toolkit – Align to the ISO27001 standard for an Information Security Management System with help from our toolkit. Including 180+ documents, guides and templates, and unlimited email support.
