Skip to main content

Does your password get a pass? How to keep your accounts secure

There’s a ton of conflicting advice out there about passwords; how long should they be, should I set an expiry date, can I use the same password twice (you can, but you shouldn’t!). At Transcendit we’re often asked by customers how we should approach passwords and account authentication - and how to balance this with convenience. As such, here’s our position on passwords - and how to keep your account secure.

Transcendit’s view is greatly informed by NIST, the National Institute of Standards and Technology. Their Digital Identity Guidelines were published in 2017, but it’s still the most comprehensive piece we’ve found on passwords and password management. It’s a lengthy document, so we’ve summarised the key points below.

Use two factor authentication wherever possible

Two-factor authentication (2FA) or multi-factor authentication (MFA) are the terms used to describe the process of requiring two or more independent factors to gain access to an account. This is often across two different devices, such as a computer and a mobile phone. It might be that you’re used to doing this with banking, when setting up a new payee for example.

Two-factor authentication and multi-factor authentication aren’t great for convenience, but they are two of the best ways you can keep hackers, scammers and opportunistic cyber thieves from gaining access to your accounts. Even in the instance that the security of one of your devices is compromised, with 2FA or MFA it’s much harder to gain access to your accounts.

No password expiry, and no complexity requirements

One of NIST’s guidelines is to remove aspects of password management that haven’t been proven to improve security, and this includes password expiry and complex requirements for passwords. Password expiration has fallen out of favour with NIST, because if we’re requesting users to create adequate passwords, asking them to change it without an operational reason doesn’t make much sense. 

Password complexity requirements are also not the security haven we once thought they were. NIST’s guidelines recommend complex passphrases, as opposed to the presumed complexity of encouraging users to include a symbol, lower case letter, upper case letter, and your grandparent’s blood type. The result tends to be predictable passwords, with letters swapped out for symbols. As such, passphrases are in, complexity requirements are out. 

Encourage unique passwords, discourage dictionary words

Unsurprisingly, the position hasn’t changed on unique passwords - we should all be using them. By this we mean, if your password appears on a list of common passwords, you should not be using it to secure any of your accounts. It also means we shouldn’t be duplicating passwords; if we use the same password for multiple accounts, a single password can get a person access to even more data and information. 

We discourage individuals using dictionary words because it’s incredibly easy to run a dictionary attack, where individuals try every single word in the dictionary and gain access to an account. If your password appears in the dictionary, it’s definitely due an update.

No password hints or recovery questions

As users, we love a password hint when we can’t remember the details for the account we’re trying to access. Unfortunately, so do hackers. Even if you don’t opt to just write your password in the password hints box (and we really hope you don’t), anyone trying to get into your account has access to that clue. If your hint is ‘six digits’, you’ve given away a huge piece of information. 

Recovery questions are similarly inadequate. It’s all very well for businesses to ask what your favourite football team is in order to verify you, but it also takes almost no effort to type a name into any social media site and find a person’s location, and deduce their favourite team from that. If a site is requesting a recovery question, we’d always encourage you to opt for two-factor authentication where possible.

Finally, check haveIbeenpwned.com

Have I been pwned is a great little site which allows you to check whether your passwords have been exposed in any data breaches. Just pop your password in to see if it’s associated with a data breach. And if it is, it’s time to change it.

Tweet us @TranscenditUK


The Transcendit Way

Transcendit understand that when you choose to work with us, whether we're taking care of your IT, app or web development, you're trusting us with part of your business. So whether we're looking after your computers, phone systems or servers we always do things 'the Transcendit way'.

The whole of our team adhere to the same values, beliefs and policies - the principles that were written when Transcendit first formed in 2000. Whether you come to us for cloud services or recovery backup you can be confident that you'll always receive the same excellent service.

The Transcendit way outlines how we do business; following the same straightforward principles with every client and customer, regardless of how big or small they may be.

That means we get to know you and your business. We offer you a friendly, professional and efficient service, and we'll always be honest with you.
We understand that not everybody speaks fluent IT, so we try to explain things in a way that is simple and clear. We always spend as much time as is necessary explaining things to you.
If you need to talk to us about something, no matter how insignificant, we are only ever a phone call away – and we’re never too busy to make you a cup of tea and have a sit down with you in person.
We understand how frustrating it can be when things are late. When we schedule an appointment with you, we are there when you’re expecting us. If something prevents us from getting there, we always call you in advance to let you know.
Sometimes things can go wrong, but we never lie to you or try to cover something up. If things go askew we tell you what’s happened and how we plan to prevent it affecting your business.
We want you to continuously benefit from working with us. We regularly discuss your business and make suggestions for improving systems and processes wherever we can – but we never try to push you into a purchase.
When we quote a fixed price, that's always the amount we charge – you won’t find any nasty surprises on a bill from us. If you are paying by time and materials, we inform you if our approximations could change.
We understand the importance of privacy for your business and your customers. We respect the confidentiality of your data, and we will never pass on your information to third parties.
We appreciate it when you take the time to give us feedback. A system called CustomerSure records our client's responses, so you can trust that our reviews are from real people.
Find out what they're saying here.
Very friendly and helpful. Doesn't presume that you know much but at the same time doesn't speak to you as if you know nothing. Very pleased with my contact. Christine Gibbs, KSA Group Ltd

Based on 12075 reviews our customers rate us 9.8/10. Reviews and ratings by Customersure. 09-October-2024

Transcendit are proud sponsors of CHUF, the Children's Heart Unit Fund.

Transcendit is a Living Wage employer
Transcendit is a Microsoft Gold certified partner
VMWARE partner
Vipre partner
IPCortex partner
WithSecure partner
DELL partner
Barracuda partner
Veeam partner
N-Able partner