
Passing the buck: The great password debate


For those in the infosec world (or indeed anyone who values their own data, bank balance and privacy), password security is a black and white matter – you either practise it or risk losing some or all of the above.

At the weekend, the Conservative politician, Nadine Dorries, made several surprising statements on Twitter regarding sharing passwords with colleagues and allowing others access to her work computer. This Tweet was in response to the allegations that MP Damian Green had viewed legal pornography on his government computer, which he denies.

But among those responding to condemn Nadine Dorries, a growing number of Tweets quickly appeared in her defence – indeed, many claimed that they too disclose passwords to their parliamentary staff to allow them to ‘do their jobs’ and that this was ‘commonplace’.


Now, while this is shocking to hear, as MPs will have access to a great deal of data on a personal, national and international level, we know that this practice of password sharing goes on in organisations of all sizes. And as many of the responding Tweets demonstrated, often the buck is passed to the IT department for not managing the issues, or not providing ‘adequate’ systems leaving staff no option but to compromise data.

Are our MPs above the data protection law?

The short answer is no. In fact, the House of Commons published a document that relates to the Data Protection Act 1998 and Personal information about constituents and others, for its members and their staff to adhere to.

Chapter 23: Information Security Responsibilities states that members and staff should ‘not share passwords’ and that their PC passwords should be ‘secure’. So, presumably, this means a password is neither given to anyone else nor written down for staff, who have their own passwords to remember.

What is considered password best practice?

Back in 2003, security guru Bill Burr published a guide in the Wall Street Journal, with instructions that included changing your passwords every 90 days, and replacing letters with numbers and symbols. He now acknowledges that this was not the best advice and the guide did not work in practice, particularly against the ever-growing complexity of illegal hackers and viruses.

The idea that passwords should be changed frequently can take its toll on users: they start to reuse their passwords and make them easier to remember (and therefore weaker) each time, e.g. fluffy1, fluffy2, and so on.

The National Cyber Security Centre recommends a simplified approach to password security.

NCSC Password Security infographic

Make it easy on yourself

The NCSC suggests the first place to start is to change any default passwords, such as those on mobile phones, routers and other connected devices. They also recommend the use of a software password manager, but warn that this software can itself be compromised.

Plain text passwords

Passwords should never be stored as plain text and instead should be protected using hashing.

2 Factor Authentication

2FA is an additional layer of security which prevents data being accessed by someone pretending to be you. This can take the form of a text message containing a code that must be entered into the computer, along with the password, before access is allowed.
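The two points above (never store a password in plain text, and require a one-time code alongside it) are easier to see in code than in prose. The example below is added here and is not code from the article or from the NCSC; it assumes an in-memory dictionary standing in for a user database, PBKDF2-HMAC-SHA256 with a per-user random salt as the hashing scheme, a 600,000-iteration work factor and a five-minute code lifetime, none of which the article specifies. The one-time code is the kind a text message would carry: random, single-use and expiring, with an injectable clock so expiry can be exercised.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumption: an in-memory dict stands in for the user database the article never
# describes. Each entry keeps only a salt and a PBKDF2 hash, never the password.
PBKDF2_ITERATIONS = 600_000  # work factor (assumed figure); higher slows offline guessing
CODE_TTL_SECONDS = 300       # how long a texted code stays valid (assumed figure)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh 16-byte salt per user means two users who
    pick the same password still end up with different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


class SecondFactor:
    """Issues and checks one-time codes of the kind delivered by text message.
    The clock is injectable so that expiry can be exercised in a test."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str) -> str:
        # secrets rather than random: the code must be unpredictable.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[username] = (code, self._clock() + CODE_TTL_SECONDS)
        return code  # a real system sends this to the phone; returned here only for the demo

    def check(self, username: str, code: str) -> bool:
        entry = self._pending.pop(username, None)  # pop: each code is usable once
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(expected, code)


def register(users: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> None:
    """Store salt and hash only; the plain-text password is never written anywhere."""
    users[username] = hash_password(password)


def login(users: Dict[str, Tuple[bytes, bytes]], second_factor: SecondFactor,
          username: str, password: str, code: str) -> bool:
    """Both factors must pass: the hashed password and the one-time code."""
    record = users.get(username)
    if record is None:
        return False
    salt, stored_hash = record
    password_ok = verify_password(password, salt, stored_hash)
    # The code is consumed whether or not the password was right, so a wrong
    # password attempt cannot keep a valid code alive for further guesses.
    code_ok = second_factor.check(username, code)
    return password_ok and code_ok


if __name__ == "__main__":
    users: Dict[str, Tuple[bytes, bytes]] = {}
    register(users, "mp_office", "RedChickenTr@y21")
    sf = SecondFactor()
    texted = sf.issue("mp_office")
    print("login with both factors:", login(users, sf, "mp_office", "RedChickenTr@y21", texted))
    print("replaying the same code:", login(users, sf, "mp_office", "RedChickenTr@y21", texted))
```

Two design points worth noting: the stored record contains nothing that lets an attacker who copies the database log in directly, and a code can neither be replayed nor used after its window, so a leaked text message is only useful for five minutes and only once.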

Password Do’s

  • Use three random words, adding numbers or special characters if needed, to create passwords like: ‘RedChickenTr@y21’
  • Make sure your passwords are at least eight characters long
  • Above all, actually use a password!

Password Don’ts

  • Don’t use names of family members, pets or your favourite football team
  • Steer clear of your email address or your actual name
  • If you find yourself using the word ‘password’ or ‘123456’, give yourself a slap on the wrist and choose something better
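The Do’s and Don’ts above can be turned into a check that runs before a password is accepted. The code below is an added example, not from the article or the NCSC: it enforces the eight-character minimum, rejects ‘password’ and ‘123456’, rejects anything containing the user’s name, email address or a supplied list of personal terms (pets, football team), and builds a three-random-word suggestion in the style of the article’s example. The word list and the sample user details are constructed for the demonstration.

```python
import re
import secrets
from typing import Iterable, List, Set

MIN_LENGTH = 8
BANNED = {"password", "123456"}  # the two examples named in the article

# Constructed word list for the demo; a real picker would draw from a far larger one.
WORDLIST = ["red", "chicken", "tray", "harbour", "pencil", "meadow", "cobalt", "lantern"]


def personal_terms(name: str, email: str, extra: Iterable[str] = ()) -> Set[str]:
    """Terms a password must not contain: the user's name, their email address
    and its local part, plus anything passed in (pet names, football team...)."""
    terms = set(extra)
    terms.update(name.split())
    local_part = email.split("@", 1)[0]
    terms.add(email)
    terms.add(local_part)
    terms.update(re.split(r"[._\-+]", local_part))
    # Very short fragments (initials, "a") would reject almost everything, so skip them.
    return {t.lower() for t in terms if len(t) >= 3}


def check_password(candidate: str, name: str, email: str,
                   personal: Iterable[str] = ()) -> List[str]:
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in BANNED:
        problems.append("is on the banned list")
    for term in sorted(personal_terms(name, email, personal)):
        if term in lowered:
            problems.append(f"contains personal term {term!r}")
    return problems


def suggest_passphrase(words: List[str] = WORDLIST, count: int = 3) -> str:
    """Three distinct random words, capitalised and joined, like the article's example.
    SystemRandom draws from the OS entropy source, not a seeded PRNG."""
    picked = secrets.SystemRandom().sample(words, count)
    return "".join(w.capitalize() for w in picked)


if __name__ == "__main__":
    user = ("Jane Smith", "jane.smith@example.com", ["Fluffy", "Arsenal"])
    for pw in ["RedChickenTr@y21", "fluffy1", "password", "JaneRocks2017"]:
        print(f"{pw!r}: {check_password(pw, *user) or 'OK'}")
    print("suggestion:", suggest_passphrase())
```

The check reports every broken rule rather than stopping at the first, which is what a user needs in order to fix a rejected password in one go.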

Surely in the current climate, when we’re hearing reports of large-scale data breaches almost every day, should individuals not be taking responsibility for their own information security standards?

If the events of the weekend have reminded us of anything at all, it’s that information security needs to be lived and breathed. Infosec needs to be a culture that’s second nature and a shared responsibility, not a hindrance to your day-to-day life that gets blamed on another department if it all goes wrong.