
Isn’t it amazing how time flies? Sometimes you blink and a whole month has passed in a blur of activity. One small reminder of that chunk of time passing is the password change prompt in your software or on your DfE secure access login. In frustration the password is changed, then changed again when you are reminded that you cannot reuse any of your previous 20. We all know that many of our staff still have the same password they were first given to log in to their laptop or email. So remind them to reset default passwords, and ask them to stop using Password1, Password123 or their own username as their password.
Treat your passwords like your toothbrush – don’t share with anybody and get a new one regularly. – Clifford Stoll
However, for some people the very act of having to change their password regularly means they keep a simple one and change a single character of it, which makes it easier, and more worryingly quicker, for an attacker to guess. How can you help your staff choose better, stronger passwords? Suggest they:
- use three random words, for example breadshedloop (have a look at #3RandomWords)
- create a passphrase from a sentence they can remember, using the first letter of every word, for example:
“My favourite colour is blue because it reminds me of beautiful blue skies on holiday in Italy” would create this passphrase: MfcibbirmobbsohiI
Use a password strength checker such as https://password.kaspersky.com/ to see for yourself how quickly a weak password can be brute forced. This website is fine to use: the secure s in https means your connection to it is encrypted, so nobody on the network between you and the site can read what you type. There are password strength checker websites without that secure s (I nearly clicked on one while doing the research for this blog!). If you don’t know what I’m on about, take a look at my Billy Blue Hat, Roger Red Hat – Cyber Security 1 blog. Bear in mind that https only protects the data on its way to the site; it says nothing about how trustworthy the site at the other end is, which is why the checker itself tells you not to type in your actual password: it is for educational purposes only.

The password strength checker showed that Password1 takes 4 seconds, 1Password takes 2 minutes and Password123 takes 12 seconds to brute force. It might be worth sharing with your staff so they can see the importance of a strong, robust password.

I’ve just checked previous passwords for my DfE login: they take four months to crack, insert your own joke here! The passphrase I created, MfcibbirmobbsohiI, would take 10,000-plus centuries to crack. Quite chuffed that the password I reset for someone recently would take four months to crack according to this site. I think I will still be laughing in four months’ time that the subtle mixture of numbers and letters I used was based on the phrase “I’m a muppet”; sometimes it’s the simple things that make you smile at work. I know of one school whose previous Headteacher used a combination of words and letters from strong swear words in his passwords. You can imagine, I’m sure, a much stronger version of the phrase “I hate data”. I’m sure it caused him some mild amusement every time he downloaded the KS2 SAT results in July. Interestingly, a bank I have used in the past won’t let you use the password “I hate banks”, or even a mixture of numbers or letters from that phrase.
I’ve changed my password to “incorrect”, so whenever I get it wrong, the computer will say “your password is incorrect”.
According to the same checker, “incorrect” takes 60 seconds to brute force!
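To make the two suggestions above concrete, and to show why a naive strength meter can mislead, here is a small Python script. It is an example added to this post: it is not the author's tool and not the method the Kaspersky checker uses. The two guess rates, the tiny word list, the short list of common base words and the username are all assumptions, labelled in the comments; a real deployment would use a full breach list and a dictionary of thousands of words.

```python
import secrets
from typing import Callable, List, Optional, Sequence

# Assumed guess rates (not from the post): an online attacker against a login page
# that rate-limits to about 100 guesses/s, versus an offline attacker who has a
# leaked, fast, unsalted hash and a GPU rig doing about 10 billion guesses/s.
ONLINE_RATE = 100
OFFLINE_RATE = 10_000_000_000

# Constructed data: a tiny stand-in word list (a real list has thousands of words)
# and a tiny stand-in for the base words every cracking dictionary tries first.
WORDS = ["bread", "shed", "loop", "river", "cloud", "pencil", "marble", "tiger"]
COMMON_BASE_WORDS = ["password", "welcome", "letmein", "qwerty", "school"]


def initials_password(sentence: str) -> str:
    """The post's second suggestion: first letter of every word, keeping case."""
    return "".join(word[0] for word in sentence.split())


def three_random_words(words: Sequence[str] = WORDS, count: int = 3,
                       choose: Callable[[Sequence[str]], str] = secrets.choice) -> str:
    """The post's first suggestion (#3RandomWords). secrets.choice is cryptographically
    random; random.choice is not and must not be used to pick passwords."""
    return "".join(choose(words) for _ in range(count))


def three_words_guesses(wordlist_size: int, count: int = 3) -> int:
    """Worst case for random words when the attacker knows the scheme and the list."""
    return wordlist_size ** count


def charset_size(password: str) -> int:
    """Smallest obvious alphabet that contains the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def exhaustive_guesses(password: str) -> int:
    """What a naive strength meter assumes: try every string, alphabet ** length."""
    return charset_size(password) ** len(password)


def pattern_guesses(password: str,
                    base_words: Sequence[str] = COMMON_BASE_WORDS) -> Optional[int]:
    """What a real cracker tries first: each base word, plain or Capitalised, followed
    by 0 to 3 digits. Returns the 1-based guess number at which the password falls,
    or None if it does not fit the pattern at all."""
    suffix_variants = 1 + 10 + 100 + 1000  # "", then one, two or three digits
    for index, base in enumerate(base_words):
        for casing, cased in enumerate((base, base.capitalize())):
            if not password.startswith(cased):
                continue
            suffix = password[len(cased):]
            if suffix and not (suffix.isdigit() and len(suffix) <= 3):
                continue
            # rank of the suffix in the order "", 0-9, 00-99, 000-999
            suffix_rank = 0 if not suffix else (10 ** len(suffix) - 1) // 9 + int(suffix)
            return (index * 2 + casing) * suffix_variants + suffix_rank + 1
    return None


def estimate(password: str) -> dict:
    """Worst-case guesses under the cheapest applicable model, with time at both rates."""
    guesses = pattern_guesses(password)
    model = "dictionary+digits"
    if guesses is None:
        guesses = exhaustive_guesses(password)
        model = "exhaustive"
    return {"model": model, "guesses": guesses,
            "online_seconds": guesses / ONLINE_RATE,
            "offline_seconds": guesses / OFFLINE_RATE}


def check_policy(username: str, password: str) -> List[str]:
    """Reasons to reject a password at reset time; an empty list means it passes."""
    problems = []
    if pattern_guesses(password) is not None:
        problems.append("common word with digits tacked on")
    if password.lower() == username.lower():
        problems.append("same as the username")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    return problems


if __name__ == "__main__":
    sentence = ("My favourite colour is blue because it reminds me of "
                "beautiful blue skies on holiday in Italy")
    for pw in ("Password1", "1Password", "Password123",
               initials_password(sentence), three_random_words()):
        # "hburge" is a constructed username for the demonstration
        print(f"{pw:20} {estimate(pw)}  rejected for: {check_policy('hburge', pw)}")
    print("three words from a 7000-word list:", three_words_guesses(7000), "guesses")
```

Run it and compare the two models. Password1 looks like about 15 days of exhaustive search at the offline rate (62^9 guesses), yet falls on guess 1,114 under the dictionary-plus-digits model, which is why a checker reports seconds rather than days; 1Password does not fit that pattern, which is why the same checker ranks it higher. Three words from a 7,000-word list give 7000^3 (about 3.4 × 10^11) guesses: roughly 109 years at the online rate, but only about 34 seconds offline against a fast unsalted hash, which is why a password manager and a second authentication factor matter alongside a good password.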
We all have a vast selection of logins for different accounts, and the danger is that we use the same or a similar password for every piece of software or website. Manage this with a password manager that is protected by two-factor authentication (a second step, such as a code from your phone, as well as the master password). Don’t keep passwords written down in the Notes app on your phone! Take a look at this NCSC blog for more information about password managers: https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers
We already know that human factors can be the weakest link in cyber security; I hope that by sharing the information in this blog we can all strengthen cyber security in our schools.
#BeTheChange
Helen Burge
Academy Business Leader