Passwords

Published Date: 23/05/2025 Last Updated: 25/05/2025 Content Ref: TEC/CS002

 

Synopsis

Passwords are often the only means of defence for preventing unauthorised access to highly sensitive information. Within the school environment there is often a significant amount of sensitive information available through computer systems which needs to be protected using a password. It is therefore essential that password security is taken very seriously and to this end, Password Management is the responsibility of everyone who logs in to any of the School's information systems. This article gives strategies on how to choose good passwords and things to avoid doing.

The key point is to use words and phrases that are easy for you to remember, but difficult for others to guess.

 

Resolution

Creating strong and memorable passwords

Cyber criminals are very smart and know many of the simple substitutions we use, such as "Pa55word!", which uses symbols to replace letters, or tendencies to simplify by using seasons ("Winter21!") or football teams ("Arsenal21!").

Remember that longer passwords are also more secure. Whilst this might seem like it will be hard to remember, it doesn't need to be.

A good way to create a strong and memorable password is to use three random, separate words that are not connected to each other (i.e. not 2 fruits like apple and orange), as in the examples below. It might help to think of them visually, like the image below.

Applenemobiro1!
Redhousemonkeys27!
3Elephantcabbagehotel!
$Rooforchidturbine88

Numbers, capitals and symbols may still need to be used to meet a system's complexity requirement, but these can easily be placed at the start or end. However, do not use capitals on each word like this: AppleNemoBiro1!, as this may help pattern attacks identify and break your password.

If you use social media accounts, be aware that these can give away vital clues about yourself, so don't use words such as your child's name or favourite sports team, which are easy for people to guess. Never use the following personal details for your password:

  • Current partner’s name
  • Child’s name
  • Other family members' names
  • Pet’s name
  • Place of birth
  • Favourite holiday
  • Something related to your favourite sports team

Remember - ensure you never use your council password with any other online services. If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well.

At home in our personal lives, make sure the password for your primary email address is unique and very strong, and where possible use Multi-Factor Authentication (MFA or 2FA or 2SV). Many of your other online accounts likely allow you to do password resets by emailing your primary email address, so protecting it is very important.

 

Password strategies to avoid

Some common methods used to create passwords are easy to guess by criminals. To avoid weak, easy-to-guess passwords:

  • Avoid sequences or repeated characters. "12345678," "222222," "abcdefg," or adjacent letters on your keyboard do not help make secure passwords.
  • Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as to replace an 'i' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd". But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.
  • Avoid your login name. Any part of your name, birthday, National Insurance number, or similar information for your loved ones constitutes a bad password choice. This is one of the first things criminals will try.
  • Avoid using one password everywhere. If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems.
  • Avoid using online storage to keep your password. If malicious users find these passwords stored online or on a networked computer, they have access to all your information.
  • Do not keep a password written down with the computer. Never put a note on your computer screen or a label inside a laptop.
  • Do not reveal them to others. Keep your passwords hidden from friends or family members (especially children) who could pass them on to other less trustworthy individuals. You should never need to give your password to any member of staff including a manager.
  • Never provide your password in an e-mail or in response to an e-mail request. Any e-mail requesting your password or requesting that you go to a website to verify your password is almost certainly a fraud. This includes requests from a trusted company or individual. E-mail can be intercepted in transit, and e-mail that requests information might not be from the sender it claims to be. Internet "phishing" scams use fraudulent e-mail messages to entice you to reveal your user names and passwords, steal your identity, and more.
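The weak patterns described in "Creating strong and memorable passwords" and "Password strategies to avoid" (sequences, repeated characters, look-alike substitutions of a common word, a season or team plus a year, a capital on each word, personal details) can be checked automatically when a password is chosen. The following Python check is an added example, not part of the original article; the word list, the function names and the four-character run length are assumptions made for illustration.

```python
import re

# Constructed sample word list; a real checker would load a far larger dictionary.
COMMON_WORDS = {"password", "microsoft", "winter", "spring", "summer",
                "autumn", "arsenal"}
# Look-alike replacements of the kind the article mentions ('1' for 'i', '@' for 'a').
LOOKALIKES = str.maketrans("013457@$", "oieastas")
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequence(password, run=4):
    """True if the password contains `run` adjacent alphabet, digit or keyboard characters."""
    low = password.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):  # forwards and backwards
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def check_password(password, personal=()):
    """Return the list of weak patterns found; an empty list means none matched."""
    findings = []
    low = password.lower()
    if has_sequence(password):
        findings.append("sequence")
    if re.search(r"(.)\1{3,}", password):
        findings.append("repeated-character")
    # Drop leading/trailing digits and symbols, then undo look-alike swaps.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    if core.translate(LOOKALIKES) in COMMON_WORDS:
        findings.append("common-word")
    # Two or more capitals inside the password mark the word boundaries.
    if len(re.findall(r"[a-z][A-Z]", password)) >= 2:
        findings.append("capital-on-each-word")
    # Personal details (login name, family or pet names) supplied by the caller.
    decoded = low.translate(LOOKALIKES)
    if any(len(p) >= 3 and p.lower() in (low + " " + decoded) for p in personal):
        findings.append("personal-detail")
    return findings


if __name__ == "__main__":
    for pw in ("Pa55word!", "Winter21!", "AppleNemoBiro1!", "Applenemobiro1!"):
        print(pw, check_password(pw))
```

An empty result only means none of these specific patterns matched; it does not measure how long or how random the password is.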
