Capita YCB Pension

I received the letter from Capita yesterday (19th June 2023) with no date on it and have been very disappointed by its content.

As a security expert, I’m just going to concentrate on one aspect from a technical viewpoint, namely passwords.

There is a single bullet point under the heading “Steps you can take to protect your data”:

  • “use strong passwords and change them regularly. Try and keep them at least eight characters long and use numbers, upper case, lower case, and symbols”

Further down the letter they also say “If you’re at all worried about your online security, please go to the National Cyber Security Centre website to find out how to stay safe:”

Important note: National Cyber Security Centre is

( equates to Netley Cliff Sailing Club, Southampton )

There is a lot of sound password advice on the NCSC website and I’ll highlight the most pertinent aspects.

“Don’t enforce regular password expiry” – so don’t regularly change passwords just for the sake of changing them. That is the opposite of what the letter’s own bullet point tells you to do.

That said, there is a caveat which is emphasised heavily after the explanation of why regularly changing passwords is pointless, namely: “Note: Users must change their passwords when you know (or suspect) it has been compromised.” A breach letter is exactly that situation.

And finally, on passwords, the NCSC advise using three random words to create a password. There seems to be a reluctance these days to define a minimum length. Suffice it to say that the single biggest factor affecting the entropy (i.e. the effectiveness) of a password is its length, because entropy grows linearly with length but only logarithmically with the size of the character set. The most commonly advised minimum password length currently seems to be twelve characters. Ask any hacker: eight just isn’t secure enough in today’s world.
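To put numbers on that claim, here is an added worked example (mine, not from the letter or the NCSC guidance). It assumes uniformly random choice, the 95 printable ASCII characters as the “full” set, a 7,776-word list for the three-random-words case and an attacker testing 10^11 guesses per second against a fast, unsalted hash from a leaked database; all of those figures are assumptions, not facts from the page.

```python
import math

# Assumed figures for the worked example (not from the letter or the NCSC):
# character-class sizes of printable ASCII, a diceware-sized word list, and an
# attacker able to test 10^11 guesses per second against a fast, unsalted hash
# (an offline attack on a leaked database, which is the scenario a breach
# letter should be worrying about).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL_SET = LOWER + UPPER + DIGITS + SYMBOLS   # 95 printable ASCII characters
DICEWARE_WORDS = 7776                         # assumed word-list size (6**5)
GUESSES_PER_SECOND = 1e11                     # assumed attacker rate


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for `length` characters chosen uniformly from `charset_size` symbols.

    Entropy grows linearly with length but only logarithmically with the size
    of the character set, which is why length is the dominant factor.
    """
    return length * math.log2(charset_size)


def wordlist_entropy_bits(words: int, dictionary_size: int) -> float:
    """Bits of entropy for `words` words chosen uniformly from a `dictionary_size` list."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate at `rate` guesses per second.

    The expected time to hit the right one is half of this.
    """
    return 2.0 ** bits / rate


def human_duration(seconds: float) -> str:
    """Rough human-readable duration, enough to compare orders of magnitude."""
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:,.0f} years"


def compare_policies() -> dict:
    """Entropy in bits for the policies discussed in the post, assuming uniform random choice."""
    return {
        "8 chars, mixed case + digits + symbols (the letter's minimum)": charset_entropy_bits(8, FULL_SET),
        "12 chars, same set (the common minimum)": charset_entropy_bits(12, FULL_SET),
        "16 chars, lower-case letters only": charset_entropy_bits(16, LOWER),
        "16 chars, same full set": charset_entropy_bits(16, FULL_SET),
        "3 random words from a 7,776-word list (NCSC style)": wordlist_entropy_bits(3, DICEWARE_WORDS),
        "4 random words from a 7,776-word list": wordlist_entropy_bits(4, DICEWARE_WORDS),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{bits:6.1f} bits  {human_duration(seconds_to_exhaust(bits)):>16}  {policy}")
```

The line to look at is the 16 lower-case letters: with no upper case, digits or symbols at all it comes out over 20 bits ahead of the letter’s 8-character “use everything” minimum, and the latter is exhausted in well under a day at the assumed rate. Three words from a 7,776-word list score modestly under these assumptions; their value is that people can actually remember them and so pick them at random, whereas 8-character composition rules push people towards predictable patterns. All of these figures are upper bounds: a human-chosen password is nowhere near uniformly random.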

So, please change your password now, make it long (I’d say at least 16 characters) and don’t re-use anything you have previously used for any other login.