How to Set a Secure Password

Password Basics

The National Cyber Security Centre advises: “If attackers are able to access your systems remotely by guessing users’ passwords, then those systems are not effectively protected; don’t blame the users in this situation.”


As business owners, it is important that we enforce a strong password policy throughout our organisation.

But how do we help users to choose strong passwords without creating an administrative burden of resetting passwords?


Affirm IT Services Ltd. uses a few specific methods to improve password security:


  1. Password Manager – All of our staff use “Sticky Password”; this program requires one master password and then automatically stores application and website passwords. Sticky Password backs up online, allowing for disaster recovery, and can be installed on multiple computers so that passwords travel with the user.
  2. Password Policy – Affirm IT uses a domain-level password policy to enforce password requirements and changes.
  3. User Education – All users understand why we require secure passwords and how to set one; this is a signed contract between employer and employee.
  4. Two Factor Authentication – Where possible, Affirm IT employees use a code generated on their mobile phone to log in to secure applications. This means that even if a password is compromised, the criminal would also need access to the employee’s mobile phone.

A few excerpts from the Affirm IT Services password policy are shown below (this was constructed using the SANS free-for-distribution template):



Statement of Guidelines


All passwords should meet or exceed the following guidelines.


Strong passwords have the following characteristics:


  • Contain at least 12 alphanumeric characters.
  • Contain both upper and lower case letters.
  • Contain at least one number (for example, 0-9).
  • Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).

Poor, or weak, passwords have the following characteristics:


  • Contain fewer than eight characters.
  • Can be found in a dictionary (including foreign-language dictionaries), or are slang, dialect, or jargon words.
  • Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, or fantasy characters.
  • Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
  • Contain letter or number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
  • Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).
  • Are some version of “Welcome123”, “Password123” or “Changeme123”.

You should never write down a password. Instead, try to create passwords that you can remember easily. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.

(NOTE: Do not use either of these examples as passwords!)

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known to everyone, and the private key, which is known only to the user. Without the passphrase to unlock the private key, the user cannot gain access.


A passphrase is used in the same way as a password; however, it is relatively long and constructed of multiple words, which provides greater security against dictionary attacks. Strong passphrases should follow the general password construction guidelines and include upper and lowercase letters, numbers, and special characters (for example, TheTrafficOnThe101Was*&!$ThisMorning!).
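To make the strong and weak password lists above and the passphrase guidance enforceable, here is an added example, not Affirm IT's or SANS's code, of a policy checker that reports which guideline a candidate fails. The blocklists COMMON_BASES, KEYBOARD_PATTERNS and PERSONAL_TOKENS are constructed for illustration from the examples in the text and would be replaced by a full dictionary, a breached-password feed and the organisation's own names in production. The minimum length is taken from the strong list (12); the weak list's "fewer than eight" is treated as already covered by that. Run against the page's own examples, the checker accepts the passphrase TheTrafficOnThe101Was*&!$ThisMorning! and reports TmB1w2R! only as too short, since that mnemonic example is 8 characters against the 12-character rule.

```python
"""Password policy checker modelled on the guidelines in the Affirm IT / SANS excerpt.

Added example: not Affirm IT's or SANS's own code. Thresholds and example
patterns come from the policy text; the blocklists are constructed stand-ins.
"""
import re
import string

MIN_LENGTH = 12  # "at least 12 alphanumeric characters"

# Constructed, illustrative lists. A real deployment uses a full dictionary,
# a breached-password feed, and the organisation's own names and terms.
COMMON_BASES = {"welcome", "password", "changeme", "secret"}
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "12345", "123321", "aaabbb")
PERSONAL_TOKENS = {"affirm", "sticky"}  # company/product names from the page, as examples


def _has_repeated_run(pw: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _has_sequential_run(pw: str, run: int = 4) -> bool:
    """True for ascending or descending runs such as 'abcd', '1234' or 'zyxw'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, personal_tokens=PERSONAL_TOKENS) -> list[str]:
    """Return the list of guideline violations; an empty list means the candidate passes."""
    problems = []
    lower = pw.lower()

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")

    # "Welcome123", "secret1", "terces": strip non-letters, then compare forwards and reversed
    stripped = re.sub(r"[^a-z]", "", lower)
    if stripped in COMMON_BASES or stripped[::-1] in COMMON_BASES:
        problems.append("common word, possibly reversed or with digits added")

    for pattern in KEYBOARD_PATTERNS:
        if pattern in lower:
            problems.append(f"contains keyboard/character pattern '{pattern}'")
            break
    if _has_repeated_run(pw) or _has_sequential_run(pw):
        problems.append("contains a repeated or sequential run")

    for token in personal_tokens:
        if token in lower:
            problems.append(f"contains personal/work-related word '{token}'")
            break
    return problems


def is_strong(pw: str) -> bool:
    """Convenience wrapper: True when no guideline is violated."""
    return not check_password(pw)


if __name__ == "__main__":
    # The page's own examples (neither is to be used as a real password).
    for candidate in ("TmB1w2R!", "TheTrafficOnThe101Was*&!$ThisMorning!", "Welcome123"):
        print(candidate, "->", check_password(candidate) or "OK")
```

A checker like this belongs at the point where a password is set (a self-service portal, a domain password filter or an application's registration endpoint), and it should only ever see the candidate transiently; it must not log the password or the reason it failed in a way that reveals the candidate.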


Passwords must be changed every 6 months. If you know or suspect that a password has been compromised, it must be changed as soon as possible.


Affirm IT Services Ltd. are happy to provide a free review of your current password policy; we are also resellers of Sticky Password. For more information on secure passwords, please get in touch: 0115 753 0123