NCSC: Using your pet’s name as a password is very stupid

The National Cyber Security Centre (NCSC) has issued a fresh warning over the dangers of using easily hackable passwords, ahead of National Pet Day, which falls on 11 April.

This comes as a study conducted on behalf of the NCSC by Kantar and OnLineBus found that 15% of Brits are using their pet’s name as a password to protect their online accounts – with family members’ names, significant dates and favourite sports teams, and the word “password”, also proving popular.

This flies in the face of all consumer cyber hygiene advice, and cumulatively leaves millions of accounts exposed. Since the start of the pandemic, the average person has created up to six new online accounts, so the scale of the problem is almost certainly growing.

“We may be a nation of animal lovers, but using your pet’s name as a password could make you an easy target for callous cyber criminals,” said the NCSC’s policy and comms director, Nicola Hudson.

“I would urge everybody to visit cyberaware.gov.uk and follow our guidance on setting secure passwords,” she said.

“You can even use our Cyber Action Plan tool to generate tailored, free-of-charge advice to improve your security against online attacks,” said Hudson.

Weak passwords can of course be quickly and easily guessed by a malicious actor using simple trial and error techniques, and the NCSC’s current guidance is to use a password made up of three random words that do not incorporate words that are meaningful to you or have some kind of relationship to one another.

As an example, Brimstone, Moscow, Daffodil would be acceptable, but a password containing the names of Friends characters Ross, Phoebe and Monica is still easily linked and ill-advised, particularly if a malicious actor has established you’re a fan of the show.

It is particularly important to pay attention to creating a strong and entirely separate password for your main email account, as if this is compromised it then becomes easy for an attacker to compromise other services you use, and take over online banking or social media.

Storing passwords in your web browser or paying for a password vault service are both quite reasonable means of managing your passwords. Some people prefer to write them down on paper, which can be acceptable in some circumstances, but requires you to assess and accept some level of offline risk.

Proofpoint international cyber security strategist Adenike Cosgrove said that the human desire for convenience and the difficulty of remembering complex passwords means that without fundamental change, this kind of problem would persist. 

“As we look ahead, there is the potential that security advice will be to move away from passwords altogether,” she said. “We have already seen a rise in methods such as facial recognition and other biometric authentication forms in use in place of the traditional password.

“This shift may be essential, because although technical vulnerabilities may be harder to exploit in future, humans are already and will remain the most targeted link in cyber security, with the most tech-savvy individuals vulnerable to increasingly personalised and complex attacks. Relying on passwords may be a thing of the past.”