Password Security Policy


We take security seriously in every area, and the most common security measure, one that most people are now very familiar with, is the password.

Because we are trusted with your user security, we would like to take this opportunity to share our Password Security Policy and encourage you to adopt it for your personal and work security needs. We also hope it makes a wider contribution to security education and encourages all of our service users and peers to take responsibility for their personal data security.

Password security is a large subject. The quickest and most user-friendly way we can recommend to strengthen your passwords is simple: use longer passwords [1] that are unique to every website and service you use.

This site lets you set your own login directly. Your login is encrypted by your browser before it is transmitted to our servers, where it is stored encrypted at rest. This means we cannot see or ever recover your passwords, because we do not store them in any form that could be decrypted.

Our internal server network traffic and disks are encrypted too, as additional layers of best-practice protection, and they are covered by the same minimum password security and multi-factor authentication that we recommend to you.

If you forget or lose access to your password, your only methods of recovery are a password reset, or contacting us and answering some security questions to verify that you own the account. Even then, the team can only tell you which email address is recorded on the account and trigger a password reset link to be emailed to you.

Alternatively, you can use one of the social login services. These platforms are expected to maintain similar security for your login credentials, so you have fewer logins to remember or save, with the reassurance that high security standards are a priority for recognisable platforms that rely on a high level of user trust.

12 characters or more

We have only one rule for the strength of your password: it must be 12 characters or more. Length is the most significant factor in protection against brute-force attacks, whereas character-complexity rules make passwords harder to remember and therefore encourage reuse, which we recommend you avoid [2] [3] [4] [5].

If you need a password that you cannot store in a password manager because you must remember it, or it is the master password that opens your password manager, a phrase can be easier to remember. Avoid common expressions or song lyrics, which hackers can build databases of to try as well, and use something like “dadlovesstatusquo” or “orangechocolatewine” instead.

Password Managers

We also strongly recommend using a password manager, whether the one built into your browser or an extension service such as Enpass (Brandlight recommended), Bitwarden (Brandlight recommended) or a similar alternative, for the convenience they afford in saving unique, lengthy and complex passwords. (Password managers are compulsory for our team.)

Password manager services will then alert you to potential site breaches and duplicate password usage, and suggest which sites you should change your passwords on, including if one of the social login services were ever to have an issue. If that happened, we would disable that service for a period of time until the platform had announced that the issue was resolved and all of its users had been encouraged to reset their passwords.

Two-Factor Authentication (2FA)

Also known as Multi-Factor Authentication (MFA)

We have also made the option to add two-factor authentication to your login available from your My Account Dashboard, for additional security.

Ideally, use a password manager such as Enpass (Brandlight recommended) or Bitwarden (Brandlight recommended) that can save the TOTP private key alongside your login and password. It will then display your 2FA/MFA code, updating every 30 seconds, so you can log in using just one application and change password managers later if you choose.

Otherwise, these are all trusted free options that our team has tested and confirmed working:

  • Authy – works on smartphones and desktop, synced between devices. (Brandlight recommended)
  • FreeOTP – works on smartphones only at the time of writing, with no syncing between devices.
  • Google Authenticator – smartphones only at the time of writing, with no syncing between devices.
  • LastPass Authenticator – smartphones only at the time of writing, with push authentication and syncing between devices.

This gives you the strongest possible protection, and is currently the highest level of security that we support and recommend.

TOTP (Time-based One-Time Passcode)

The quickest and easiest way to use 2FA/MFA is to copy the “Private Key (32 bit)” value from My Account > Edit Account > Private Key (the first 16-digit value) into the TOTP field of your modern password manager, in the record for this website.

Then, when you reach the 2FA login page asking for your 6-digit one-time passcode, click your password manager's browser extension and open the details of this website's record. The TOTP field shows the one-time passcode, updated every 30 seconds; double-clicking it fills in the passcode, and you are logged in with 2FA/MFA as quickly as possible without copying and pasting from a separate app.
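The TOTP mechanism described above, as an added worked example in Python that is not part of this policy or of any password manager's code: it implements RFC 4226 HOTP and RFC 6238 TOTP with the parameters the page describes (HMAC-SHA1, 30-second step, 6 digits), decodes a base32 private key the way a password manager's TOTP field does, and includes the kind of server-side check that accepts one step either side to tolerate clock drift. The secret shown is a constructed value (the base32 form of the RFC test-vector key), not a real account key, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret: the base32 encoding of the ASCII string
# "12345678901234567890", the shared secret used in the RFC 4226 / RFC 6238
# test vectors. A real "Private Key" would come from the account page instead.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP_SECONDS = 30   # the 30-second refresh the page describes
DIGITS = 6               # the 6-digit one-time passcode


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 private key the way a TOTP field accepts it:
    spaces ignored, case-insensitive, '=' padding optional."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits (zero-padded)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None,
         step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided by the step."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return hotp(decode_secret(secret_b32), counter)


def seconds_remaining(at_time: Optional[float] = None,
                      step: int = TIME_STEP_SECONDS) -> int:
    """How long the current code stays valid before the next 30-second step."""
    if at_time is None:
        at_time = time.time()
    return step - (int(at_time) % step)


def verify_totp(secret_b32: str, submitted: str,
                at_time: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either
    side for clock drift, comparing in constant time so the comparison itself
    leaks nothing about the expected code."""
    if at_time is None:
        at_time = time.time()
    secret = decode_secret(secret_b32)
    counter = int(at_time) // TIME_STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print(f"code: {totp(EXAMPLE_SECRET_B32, now)} "
          f"(valid for {seconds_remaining(now)}s more)")
```

Running the script prints the current 6-digit code for the constructed secret and how many seconds remain before it rotates, which is exactly what the password manager's TOTP field displays. The one-step acceptance window in `verify_totp` is the usual trade-off between tolerating a slightly wrong clock and keeping each code short-lived; a server should also refuse to accept the same code twice within its window.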

Security and login feedback

Please stay safe online – and let us know if you have any questions, suggestions or feedback on this policy, our login procedures or anything else.

User feedback is our single most valuable insight into how we can make things better for you, and we promise we will always read and reply to every message, out of respect for the trust placed in us and the opportunity to make our part of the web work for everyone.

Footnotes & References

  1. Password Security: Complexity vs Length
  2. Estimating Password Cracking Times
  3. Designing Password Policies for Strength and Usability – Shay et al. 2016
  4. Your Pa$$word doesn’t matter – Alex Weinert, Microsoft
  5. Microsoft Password Guidance
