You are probably bored of being told “your password is due to expire in 5 days”, and you may be filled with dread at the thought of trying to think of a new password that is memorable yet unpredictable. Even though this is in the back of your mind, it doesn’t stop you from using your ‘old faithful’ password and adding an exclamation mark for good measure.
Let’s take a second to think about your password. Let me guess: it’s the same for almost every account you have, whether it’s work, online shopping, social media or even your online banking. You may make small changes, but if we’re honest, on the whole our passwords don’t vary much.
Not to fear, you’re not alone. In 2010, researchers from the University of North Carolina studied 10,000 expired user accounts and traced their password history. The account holders were required to change their password every 90 days, which is generous in comparison to Microsoft’s default 42-day password expiry policy. In most cases, users made minimal and predictable changes to their passwords: a user might capitalise one letter, advancing to the next letter with each change, for example “Lightbulb99!”, “lIghtbulb99!” and “liGhtbulb99!”. Another common pattern was to increase the numerical value, such as “Apple1!”, “Apple2!” and “Apple3!”. Once the researchers understood these patterns, they developed algorithms that could crack accounts before being locked out 17% of the time.
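A defender-side check that flags exactly the kinds of minimal edits described above (reshuffling letter case, bumping a trailing number, tacking on a symbol) when a user picks a new password, added here as an example and not taken from the post or the UNC study; the function names and the two-edit threshold are my own assumptions:

```python
import re

MAX_EDIT_DISTANCE = 2  # assumption: this many single-character edits still count as "the same password"


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert/delete/substitute steps needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(pw: str) -> str:
    """Case-fold and drop trailing digits/punctuation, so Apple1! and APPLE2!! both stem to 'apple'."""
    return re.sub(r"[\d\W_]+$", "", pw.casefold())


def is_predictable_change(old: str, new: str, max_distance: int = MAX_EDIT_DISTANCE) -> bool:
    """True when `new` is one of the cheap edits of `old` that the study found users make."""
    old_cf, new_cf = old.casefold(), new.casefold()
    # 1. Only the case of some letters changed: Lightbulb99! -> lIghtbulb99!
    if old_cf == new_cf:
        return True
    # 2. Same word, only the trailing number/symbol changed: Apple1! -> Apple2!, Apple2! -> Apple2!!
    stem = _stem(old)
    if stem and stem == _stem(new):
        return True
    # 3. Any other change of at most `max_distance` characters: Password1 -> Passw0rd1
    return _edit_distance(old_cf, new_cf) <= max_distance


def first_predictable_match(history, new):
    """Return the earlier password that `new` is a trivial edit of, or None if it is genuinely new."""
    for old in history:
        if is_predictable_change(old, new):
            return old
    return None


if __name__ == "__main__":
    # Constructed sample history: the examples quoted in the post, then three candidate replacements.
    history = ["Lightbulb99!", "lIghtbulb99!", "liGhtbulb99!"]
    for candidate in ["Lightbulb100!", "Lightbu1b99!", "copper kettle orbit 7"]:
        print(candidate, "->", first_predictable_match(history, candidate))
```

Only the last candidate passes; the first two are rejected as edits of the original “Lightbulb99!”.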
The National Cyber Security Centre has recently updated its advice regarding password policies, and we share its sentiments. Create a password with a minimum of two random words and as many special characters and numbers as you can stomach! Make it a good one, as I’m proposing that you only change your password once or twice a year; studies have shown that the more often you change your password, the more predictable it becomes. Finally, never tell anyone your password; use a password management tool to change your password, and if you need to unlock it, use security questions. Although your mother’s maiden name may be easy to remember, try to choose an obscure security question.
In other words, hackers try to take advantage of password fatigue, so even though it is tedious, it is worth spending the time to create a non-obvious password.