How Secure Is Your Password? - May/June 2023 Edition

Last updated: 25 September 2023 at 16:48:18 UTC by JAMS Assistant

A typical parish or town councillor might have two or three passwords associated with their role as a councillor.  One for the council’s email system, one for the web site, and perhaps one for the bank.  A typical clerk may have a dozen or more passwords for all the different accounts and systems.

 

A password should be secure; that’s the whole point of it. But the challenge of remembering passwords and login details encourages people to adopt passwords that are virtually pointless.  Thankfully, parish councils are not a very high-priority target for scammers and fraudsters, but clerks and councillors can and do suffer cyber-attacks.

 

If your password is “password” then you may as well not bother.  It can be cracked instantly.  If you are very careful and clever and have added a number to it, such as “password1”, then don’t bother either, because that can be cracked in a matter of minutes too.  In fact, you would have to add at least four numbers (e.g., password3679) for it to be remotely secure.  And that’s remotely secure by today’s standards; next year a password like that will be cracked in minutes too.

Cybersecurity experts Hive Systems carry out tests each year to analyse the strength of passwords and the results are presented in a table (right).

 

The data assumes random characters are used.  So, the moment you use birthdays, or your pet’s name, the time comes down even further.

The good news is that a password can be secure.  For example, a password such as “DZxhYg&fty!90024r” would take 380 billion years to crack, according to Hive Systems.  That should suffice, but remember that if your password is exposed or disclosed in a phishing attack, it doesn’t matter how complex it is.

 

Of course, even the sharpest clerk or councillor might struggle to remember a password like “DZxhYg&fty!90024r” every time they log in somewhere, so that’s where password managers come in.  Browsers include password management and should suffice for non-mission-critical users, but for clerks particularly, a standalone password manager such as NordPass (https://nordpass.com) or RoboForm (https://www.roboform.com) comes with lots of useful features, such as strong encryption, two-factor authentication, and auto form filling.

 

One of the very useful features of a password manager is secure sharing, so that the clerk can share all passwords with one or more councillors.  This is a critical element of a council’s business resilience plan… it is not advisable for the clerk to be the only one with the login details for the council’s accounts.

 

Even the policy governing sharing of passwords needs to be carefully thought through.  The clerk might want the chair to have the passwords just in case the proverbial bus comes along, but probably doesn’t want the chair logging in to accounts, particularly if they are using the clerk’s login credentials to do so.  With a password manager such as RoboForm a clerk can create Emergency Access by identifying one or more emergency contacts.  The emergency contact can at any time request access to the clerk’s RoboForm account and if the clerk does not decline or respond before the timeout period lapses (because they are incapacitated), the emergency contact will receive access to their RoboForm data.  The emergency contact can be revoked at any time (e.g., when the chair changes) and the timeout period is chosen in settings.  Note that this is a premium feature, but password managers are relatively inexpensive, so even the premium versions are affordable for most councils.

 

There’s no point panicking about it, but it is important to take simple and proportionate steps to reduce the likelihood of a cyber-attack happening to you.  And don’t put off taking action, because there is no point locking the stable door after the horse has bolted!  Whenever one hears about someone being hacked or suffering a cyber-attack it sends chills down the back.  There but for the Grace of God – and good password management – go us all.