Passwords

The rest of this 'course', covering advice specific to Windows 10, Windows 11 and MacOS, is available to customers with the Cyber Essentials Gap Analysis & Remediation Advice package.

Advice and guidance about passwords has changed significantly in the past 10 years, so much of what you may know about good password practices could now be out of date.

The key piece of current password advice is that you should use long passwords that do not contain anything personal to you (e.g. a pet's name) and are not obvious (e.g. Password1! or qwertyuiop).

Cyber Essentials requires that passwords have a minimum length:

  • 12 characters in most circumstances.
  • 8 characters if it is used in conjunction with Multi-Factor Authentication (See below).
  • 6 characters if it is used to unlock a device but your organisation's data will not be accessible until a longer password is entered.

Use a long password that is unique to each service so if one password becomes known to hackers, they will not be able to re-use it to access other systems. Whilst it is no longer considered strictly necessary by the National Cyber Security Centre, you can include numbers or special characters to make the password stronger. It's also no longer considered good practice to regularly change your passwords as people have a tendency to simply increment a number, which makes it trivial for an attacker to guess the next password.

3 Random Words

One tactic to create passwords that are sufficiently long is to use three random words. Avoid words that are easily guessed or gleaned from your social media. Try to make the words as unrelated as possible, for example, 'trianglelizardBlue'. You can add numbers and symbols to make the password even stronger.
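As an added illustration of the advice above (this is example code written for this page, not part of the course), the Python script below generates a three-random-words password, reports how much entropy such a password has for a wordlist of a given size, checks a password against the Cyber Essentials minimum lengths listed earlier, and flags the "increment the number" habit when a password is changed. The wordlist is a small constructed sample; a real generator would use a list of several thousand words. All function names are my own.

```python
import math
import re
import secrets

# Constructed sample wordlist for the demonstration. A real generator would draw
# from a much larger list (thousands of words) so that three words give enough
# entropy. Every word here has at least four letters, so three words are never
# shorter than the 12-character minimum.
WORDLIST = [
    "triangle", "lizard", "blue", "ocean", "paper", "clip", "candle", "harbour",
    "meadow", "pixel", "walnut", "violin", "comet", "basket", "ferry", "garlic",
    "helmet", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orbit", "pebble", "quilt", "radar", "saddle", "tunnel", "umbrella",
    "velvet", "willow", "yogurt", "zipper", "anchor", "bridge", "cactus",
    "dragon", "engine", "falcon",
]

# Cyber Essentials minimum lengths, as stated on the page.
MIN_LENGTH = {
    "standard": 12,      # most circumstances
    "with_mfa": 8,       # the password is used together with MFA
    "device_unlock": 6,  # unlocks the device only; organisation data needs a longer password
}


def three_random_words(wordlist=WORDLIST, count=3):
    """Join `count` words chosen with a cryptographically secure RNG."""
    return "".join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count=3):
    """Entropy of `count` words drawn uniformly from a list of `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def meets_cyber_essentials_length(password, context="standard"):
    """True if the password is at least as long as the minimum for its context."""
    return len(password) >= MIN_LENGTH[context]


# stem, trailing digits, trailing symbols (e.g. "Password", "1", "!")
_PARTS = re.compile(r"(.*?)(\d*)([^\w]*)", re.DOTALL)


def _split(password):
    return _PARTS.fullmatch(password).groups()


def looks_like_increment(old, new):
    """True when `new` is `old` with its trailing number increased by one
    (or a 1 appended), e.g. 'Password1!' -> 'Password2!'."""
    old_stem, old_digits, old_suffix = _split(old)
    new_stem, new_digits, new_suffix = _split(new)
    if not new_digits or (old_stem, old_suffix) != (new_stem, new_suffix):
        return False
    old_n = int(old_digits) if old_digits else 0
    return int(new_digits) == old_n + 1


def check_password_change(old, new, context="standard"):
    """Return the reasons a new password should be rejected (empty list = accepted)."""
    problems = []
    if not meets_cyber_essentials_length(new, context):
        problems.append(f"shorter than {MIN_LENGTH[context]} characters")
    if looks_like_increment(old, new):
        problems.append("only increments a number in the previous password")
    return problems


if __name__ == "__main__":
    candidate = three_random_words()
    print("generated:", candidate, "->", check_password_change("Password1!", candidate))
    print("bits from a 7776-word list:", round(passphrase_entropy_bits(7776), 1))
```

With a 7776-word list (the size of the common diceware lists) three random words give roughly 39 bits of entropy; with the 40-word sample above they give only about 16, which is why the size of the list matters more than the number of characters.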

Taking into account this advice, you should consider updating your passwords now to ensure they comply with Cyber Essentials requirements. You may also like to change passwords on your personal accounts to meet current password best practice.

Password Manager

You may like to use a password manager to keep track of your passwords. Google Chrome includes a password manager which syncs to Android devices. iPhones similarly have a password manager and this syncs with Safari on MacOS. Many other browsers, including Firefox and Microsoft Edge, also have built-in password managers. These tools generally have the ability to create complex passwords. Should you need to generate one without using a password manager we would recommend this online password generator utility.

Multi-Factor Authentication

You might have used multi-factor authentication (or MFA) when accessing some online accounts. The service usually sends you a code via text message (SMS) or email that you then enter as an additional 'password'. This comes from the concept that they want something you know (your actual password) and something you have (access to your phone or email). MFA is sometimes called two-factor authentication (2FA) or 2-step verification (2SV) as two factors or steps are most commonly used.

Whilst this process may seem annoying at times, many organisations try to reduce the frustration by using risk-based MFA. If they don't recognise the device you're using to log in, or you're logging in from a strange location or at an unusual time, it will ask you to use an additional authentication factor. The alternative is that should someone have your password, they could log in from the other side of the world in the middle of the night while you're asleep! If the system recognises your device and you've logged in from it recently, it might not even ask for an additional factor. Some organisations, like financial institutions, have decided a higher level of security is needed for their accounts and require MFA whenever someone logs in.

There are multiple types of MFA:

  • A time-limited code sent to you via:
    • Email
    • SMS text message
    • Telephone call to a mobile phone or landline
  • A time-limited code accessible on:
    • An authentication application (e.g. Authy, Google Authenticator, Microsoft Authenticator), sometimes called a time-based one-time password (TOTP).
    • A hardware key (e.g. RSA SecurID, Barclays PINsentry, HSBC Secure Key)
  • Push notification to an authenticated app (e.g. Banking Apps, Microsoft Outlook Mobile App)
  • Hardware security keys (e.g. YubiKey, Smart Cards)

Although not a requirement of Cyber Essentials, it is recommended that you activate MFA on your accounts where possible. Your organisation should provide advice on how to set this up on accounts you use. The following links will show you how to set up MFA on various personal accounts you may have:
