Passwords and Security
This page is to help you understand password strength and ways to choose a strong password.
Here at The Bead Fairy we take steps to keep your account safe.
- We have detection in place that rate-limits repeated logon attempts and blocks other common website attacks
- We offer two-factor authentication (2FA) to all customers and enforce it on admin accounts
- We never store payment card information
- We use TLS encryption (the padlock / https in your browser) to protect data in transit between you and the website
- We encrypt all data backups
- We routinely review and update the security of the site and of the third-party components it uses.
However your password is still the gateway to your account, and choosing a strong one is your part in making it hard to guess. Attackers typically use three main techniques to get user passwords:
- Phishing – you are fooled into entering your logon details on a fake copy of a site, usually via a link in an email or text message
- Password guessing – the attacker tries lists of the most commonly used passwords, and of credentials leaked in breaches of other sites (or captured by phishing), together with the usual variations of each; this is why a password reused elsewhere is at risk however long it is
- Brute force – the attacker simply tries every possible combination until one works; the effort depends only on the length of the password and the range of characters it uses.
Protecting your accounts
Ideally DO NOT use the same password for multiple sites. If you do, an attacker only needs to break into the weakest site you use and your password is then known for all the others.
If you must re-use passwords, NEVER use the same password for shopping sites as you do for high-value accounts such as online banking and your email (which can reset most of your other passwords), and any site that stores your credit card details should have a different password from sites that do not.
NEVER enter your password into a website you reached from a link in an email or message unless you explicitly requested that link. Check the address bar first: a fake site can look identical to the real one, and once you have typed your password the attacker has it.
USE two-factor authentication (also known as 2FA or MFA) wherever it is offered. This combines something you know (your password) with something you have (such as your mobile phone). You enter your normal password and are then asked for a code that is unique to that logon attempt, either sent to your phone by SMS or generated by an authenticator app on the phone. If your password is obtained by a malicious person, they still need that code to log on. Codes generated by an app are preferable to SMS, which an attacker who takes over your phone number can receive, and a hardware security key (see below) goes further still, because it only responds to the genuine site and so cannot be phished.
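The codes an authenticator app produces are not random; app and server share a secret and both compute the same code from the current time, so the code is tied to a 30-second window and (if the server is written properly) to a single use. The following is an added example, not code from The Bead Fairy's site: it implements the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238) that authenticator apps such as Google Authenticator and Authy use, with the server-side check that accepts one step of clock drift and refuses a replayed code. The shared secret is the RFC test secret, shown in the base32 form apps import from a QR code; the `used_counters` set standing in for persistent per-user storage is an assumption of the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret in the base32 form apps read from the enrolment QR code.
# This is the RFC 4226/6238 test vector secret ("12345678901234567890"),
# used here only so the outputs can be checked against the RFCs.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then 'dynamic
    truncation' picks 4 bytes at an offset given by the last nibble."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps.
    Phone and server agree on the secret and the clock, so they agree on the code."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, used_counters: set,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check. Accepts the current step or one either side (clock
    drift), compares in constant time, and records the counter so the same
    code can never be accepted twice. `used_counters` stands in for the
    per-user storage a real server would keep (assumption of this example)."""
    counter = at // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            used_counters.add(candidate)
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(SECRET, now))
    seen = set()
    print("first use accepted:", verify_totp(SECRET, totp(SECRET, now), now, seen))
    print("replay accepted:  ", verify_totp(SECRET, totp(SECRET, now), now, seen))
```

The replay check is the part that is easy to forget: a code that was phished and relayed within its 30-second window is only stopped if the genuine login already consumed it, which is why a hardware key bound to the site's origin is stronger than any code-based scheme.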
Popular password managers and 2FA systems
Ideally you should use a different password for every site, so we recommend using a password manager to keep track of them all. You remember one strong master password and it stores the passwords for all the other sites. Make the master password very secure, and ideally turn on two-factor authentication for the manager itself, so that your password and another form of identification are both needed to open it.
Popular password managers and 2FA managers:
- LastPass – Secure password manager
- Dashlane – Secure password manager
- Keeper – Secure password manager
- 1Password – Secure password manager
- Authy – authenticator app for mobile and desktop
- Google Authenticator – authenticator app for Android and iOS
- YubiKey – physical security key (USB) – works with the password managers above
How do you choose a strong password?
Firstly, the longer the password, the more combinations a brute-force attack (trying every possible combination) has to get through: each extra character multiplies the search space by the size of the alphabet used.
Using a mix of upper case, lower case, numbers and symbols enlarges that alphabet and so also increases the effort, but only if the characters are unpredictable.
Taking a simple word and swapping letters for look-alike numbers or symbols adds almost nothing, because cracking tools apply exactly those substitutions to every word in their lists of common passwords.
Changing the word 'password' to 'P@S$w0rD', for example, will probably slow an attacker down by a few seconds at most.
One way is to take a sentence that you will easily remember and use the first letter of each word (keeping any numbers and punctuation) to make up a password, for example:
My niece was born on the first of July at five thirty three in the afternoon!
Multiple Random Words
Another is to pick four unrelated words, chosen at random rather than from your own head, and make up an amusing scene with them so you remember them. This was popularised in a cartoon from xkcd; unlike the cartoon, though, you should still throw in some upper case letters, numbers and ideally symbols, and you should not use the cartoon's own words, which are in every attacker's list.
Pronounceable Password Generation
You can also use a password generator to produce relatively pronounceable passwords. The ones below come in 9 and 12 characters, which should evaluate to Okay and Strong respectively on the logon page (refresh the page for more). We do have a rude word filter, but occasionally something may slip through; please do not be offended, as these are purely random strings.
(The generated 9-character and 12-character examples appear here on the live page.)
Password Manager Generation
Finally, if you are using a password manager, these usually have a password generator built in that can create long, complex passwords. As you do not need to remember them, you are free to use passwords of 12 or more characters. The password manager will usually fill in the login fields on most sites for you, or you can use its copy password function if not.
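To make the four methods above concrete (initials of a sentence, random words, pronounceable strings, and the long random strings a password manager produces), here is an added example in Python. It is not code from this site or from any of the password managers listed; the word list is a constructed 32-word stand-in, the number-word table and the symbol set are choices of the example, and randomness comes from the `secrets` module, which is what a password generator should use rather than `random`. The last function gives the arithmetic behind the advice that length matters most.

```python
import math
import secrets
import string

# Constructed mini word list. A real generator should draw from a list of
# several thousand words (the EFF long list has 7776) so that each word adds
# about 12.9 bits of entropy rather than the 5 bits this list of 32 gives.
WORDS = (
    "anchor badger candle dragon ember falcon garlic hammer island jigsaw "
    "kettle lantern marble nickel orbit pepper quartz rocket saddle tunnel "
    "umpire velvet walrus yonder zipper cello bishop fossil meadow pistol "
    "raven timber"
).split()

# Number words written as digits when taking initials (choice of this example).
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
                "twenty": "20", "thirty": "30", "forty": "40", "fifty": "50"}

CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"
SYMBOLS = "!?$%&*#@"
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

SENTENCE = "My niece was born on the first of July at five thirty three in the afternoon!"


def first_letters(sentence: str) -> str:
    """Initialism of a memorable sentence: first letter of each word, number
    words as digits, and any punctuation kept where it appears."""
    out = []
    for word in sentence.split():
        core = "".join(c for c in word if c.isalnum())
        punct = "".join(c for c in word if not c.isalnum())
        if core.lower() in NUMBER_WORDS:
            out.append(NUMBER_WORDS[core.lower()])
        elif core:
            out.append(core[0])
        out.append(punct)
    return "".join(out)


def random_words(count: int = 4) -> str:
    """The xkcd scheme: unrelated words chosen at random (not by you), each
    capitalised, joined by one random digit, with a symbol on the end."""
    words = [secrets.choice(WORDS).capitalize() for _ in range(count)]
    return secrets.choice(string.digits).join(words) + secrets.choice(SYMBOLS)


def pronounceable(length: int) -> str:
    """Consonant/vowel alternation (easy to say and read), one capital letter
    and a trailing digit, in the style of the 9- and 12-character strings."""
    if length < 2:
        raise ValueError("length must be at least 2")
    vowel_first = secrets.randbelow(2) == 1
    letters = [secrets.choice(VOWELS if (i % 2 == 1) != vowel_first else CONSONANTS)
               for i in range(length - 1)]
    pos = secrets.randbelow(len(letters))
    letters[pos] = letters[pos].upper()
    return "".join(letters) + secrets.choice(string.digits)


def manager_style(length: int = 20) -> str:
    """What a password manager's generator does: uniform random characters
    from the full printable set, with no need for the result to be memorable."""
    return "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random choice: length * log2(alphabet size).
    Four words from a 7776-word list is about 52 bits; twelve random printable
    characters is about 79 bits; each extra character or word adds a fixed amount."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("sentence initials:", first_letters(SENTENCE))
    print("random words:     ", random_words())
    print("pronounceable:    ", pronounceable(9), pronounceable(12))
    print("manager style:    ", manager_style())
    print(f"4 words from 7776: {search_space_bits(7776, 4):.1f} bits; "
          f"12 random chars from 94: {search_space_bits(94, 12):.1f} bits")
```

The entropy figures only hold when the choice really is random: a sentence you wrote yourself or words you picked because they came to mind are far more predictable than the formula suggests, which is why the sentence method relies on length and oddity rather than on a calculable number of bits.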
Password strength test
If you want to test the strength of your password, the following utility estimates how long it would take to guess it. Passwords entered here are never stored and nothing is transmitted: the check runs entirely in your browser (turn off your internet connection and it will still work). The registration and password change forms use the same style of analysis when validating your password.
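An estimator of this kind is not measuring how "complex" a password looks; it is asking how many guesses an attacker following the three techniques above would need before reaching it. The following is an added example, not the utility on this page or its code: it first undoes the look-alike substitutions that cracking tools apply to every wordlist entry (which is what makes 'P@S$w0rD' fall to 'password', as described under choosing a strong password), checks the result against a list of common passwords, and only if that fails falls back to the brute-force arithmetic. The ten-entry list, the guess rate of ten billion per second, the 1000 mangling rules per entry and the Weak/Okay/Strong thresholds are all assumptions of the example and not the site's settings.

```python
import math

# Substitutions a cracker's mangling rules apply to every wordlist entry;
# applying them in reverse shows what 'P@S$w0rD' really is. The set used here
# is the usual one and an attacker's rule set is larger (assumption).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t", "|": "l"})

# Constructed stand-in for a leaked-password list; real ones hold hundreds of
# millions of entries ordered by how often each appears in breaches.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "letmein",
                    "welcome", "monkey", "dragon", "sunshine", "princess"]

# Assumed attacker: offline, 1e10 guesses per second (a GPU rig against a fast
# unsalted hash). Against a deliberately slow hash such as bcrypt or Argon2 the
# rate is many orders of magnitude lower; online guessing is slower still.
GUESSES_PER_SECOND = 1e10
MANGLING_RULES = 1000      # variants tried per wordlist entry (assumption)
SYMBOL_SET_SIZE = 33       # printable ASCII symbols including space


def normalise_leet(password: str) -> str:
    """Undo digit/symbol substitutions and lower-case, as a cracker's rules do."""
    return password.translate(LEET_MAP).lower()


def charset_size(password: str) -> int:
    """Alphabet a brute-forcer must cover, from the character classes present."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": SYMBOL_SET_SIZE}
    present = set()
    for c in password:
        if c.islower():
            present.add("lower")
        elif c.isupper():
            present.add("upper")
        elif c.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return sum(sizes[k] for k in present)


def brute_force_combinations(password: str) -> int:
    """Size of the search space: alphabet ** length."""
    return charset_size(password) ** len(password)


def rating(bits: float) -> str:
    """Assumed thresholds for illustration; the site's form uses its own."""
    if bits < 40:
        return "Weak"
    if bits < 60:
        return "Okay"
    return "Strong"


def human_time(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.3g} seconds"


def estimate(password: str) -> dict:
    """Guesses needed and wall-clock time at GUESSES_PER_SECOND. A dictionary
    hit (after undoing substitutions) costs about its position in the list
    times the rule count, whatever its length; otherwise assume the attacker
    gets through half the brute-force space on average."""
    base = normalise_leet(password)
    if base in COMMON_PASSWORDS:
        in_dictionary = True
        guesses = (COMMON_PASSWORDS.index(base) + 1) * MANGLING_RULES
    else:
        in_dictionary = False
        guesses = brute_force_combinations(password) // 2
    bits = math.log2(max(guesses, 1))
    return {"password": password, "normalised": base, "in_dictionary": in_dictionary,
            "guesses": guesses, "bits": round(bits, 1),
            "time": human_time(guesses / GUESSES_PER_SECOND), "rating": rating(bits)}


if __name__ == "__main__":
    for candidate in ("password", "P@S$w0rD", "Tr0ub4dor&3", "MnwbotfoJa5303ita!"):
        r = estimate(candidate)
        print(f"{candidate:20} {r['rating']:7} {r['bits']:6} bits  {r['time']}")
```

Two caveats a real checker (and the one on this page) has to live with: the time shown assumes the attacker has a copy of the password database and a fast hash, which is the worst case rather than the usual one, and a password that is not in this small list may still be in the attacker's much larger one, so "not in dictionary" is evidence, not proof.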