Explaining the Advice about Passwords

There’s a lot of nonsense written about passwords. I recently encountered a post exhorting everyone to make an ‘uncrackable’ password by taking a phrase and putting random symbols before, in place of spaces, and afterwards. Uncrackable such a password might be, but unmemorable it certainly will be. Imagine having to remember a different such password for each website you use! 

So let’s go back to basics, and see what would be sensible advice. And the first step for any security issue is to ask “what is the threat?”. There’s no point in providing a wonderful defence against cybercriminals in North Korea, if the biggest problem for you would be your family reading stuff you don’t want them to!

So let’s start with some of the possible ways people might get access to your usernames and passwords.  It’s a list, of course, so let’s use a table:




How do they do it?

How likely?

Shoulder surfing

Family, colleagues, strangers in cafes

Somebody sees you typing your username and password.




You click on a convincing-looking link, software installs itself on your PC and reads the passwords you type on the keyboard.


Compromised credentials

Criminals and vandals

Some website you’ve used has all their usernames and passwords stolen

Almost certain to happen

Brute force


A hacker uses your email address and tries lots of passwords until they hit on yours.

Very unlikely – most websites prevent it.

Phishing websites


You follow a link to what looks exactly like a portal you use, but it’s actually a fake that steals your password


But why should you be worried if they do? The most common problems are ‘non-specific attacks’, where attackers target huge numbers of people, and catch you by accident. Criminals might take money from your bank account, steal your identity and use it to gain your money or other crimes, or send you doctored versions of invoices so you pay the money to them instead of the proper payee; vandals might delete your stuff or send emails from your account.  

Then there are ‘targeted attacks’ where someone is after you personally: they might gain access to your social media accounts to post in your name, access your private email to learn your secrets, or use your personal information to steal your phone number or stop services.    

So how do you keep yourself safe? A long complicated password would help only a little to prevent Shoulder surfing, and otherwise would only help with the very unlikely Brute force attack. So the NCSC, recommend simply using three random words; that's enough that they are difficult for someone to guess from watching you enter them. Changing your passwords regularly doesn’t really help much against any of the threats, and is not recommended practice any more—though a few password changes is is an excellent idea if you start a feud with a former partner!

The best way to prevent Compromised credentials is to follow the NCSC guidance, and use a password manager to enable a different password for each site. A password manager creates long random passwords, which prevents Brute force, and it will spot Phishing websites and not fill them in.

But Malware, though less likely, could get your password manager’s password, so it’s a bad idea to use the password manager for everything. Keeping your PC and phone software up to date and using a virus checker will stop most Malware. And for the sites that really matter, there is Two-factor Authentication. That sounds scary, but actually you are probably already using it. It’s a different other way of checking when you log in that you are the right person: via another device, using a text or call or app or even a dongle. Most banks use it for payments, and Google, Microsoft, Apple, and some others support it for their web services. Because it’s awkward to do, companies take care to use it only when necessary: once for each machine, or perhaps for each new bank payee.

What should you protect with two-factor authentication? We’d suggest your bank account; any accounts that are used to identify you: your email, and your mobile phone accounts. Plus any account that are particularly important to you: social media accounts, perhaps.

If you do that, use a password manager, and have a different password for your main PC and your phone, then you’ll have a manageable list of passwords to remember, and you will be reasonably safe against all of the more common threats.

Which is an outcome devoutly to be wished!



Credit: Thank you to Ingolf Becker of UCL, who provided suggestions.