Passwords are the first line of defence to protect yourself from cyber criminals. But if you don't choose good passwords, they can easily become the weakest link in protecting your personal information online. As users, we are becoming overloaded with passwords to remember. At the same time, improved cracking methods mean that we need to use more complex passwords to have confidence in our security.
What can go wrong with passwords?
- Good passwords are hard to remember. Remembering one good password is hard; remembering lots of complex passwords is all but impossible.
- Simple passwords are easy to guess or 'brute force'. Attackers know the simple tricks that we use to choose passwords, such as swapping letters for numbers or putting an exclamation mark at the end of a password, and they allow for these tricks when they target your password.
- Re-using passwords is tempting when we have lots of accounts. Re-using a password makes it less secure because any attacker who compromises a single account can then try the same credentials against your other accounts.
- Passwords are often stored insecurely. Storing passwords on a sticky note or in a text file on your computer makes it easier for an attacker to learn them.
- Passwords are often reset by email. If your email account is compromised, the attacker can reset the passwords to your other accounts and target specific information.
- Passwords are often a single point of failure. Many online services are secured by a password alone. If an attacker can compromise your password, they have complete access to that service.
What can we do about it?
Use a password manager
You can install a password manager on your computer, smartphone or tablet. It will generate and remember secure passwords for you, and many password managers store everything offline, which makes them harder to breach.
It's important that the master password or passphrase that you use for your password manager be complex because the password manager itself can become a target of attack.
Password managers do come with some potential downsides. This post by the UK National Cyber Security Centre (NCSC) gives a good overview of the pros and cons, explaining why password managers are a good solution for most individuals and small businesses.
What about the browser's password manager?
Many web browsers (including Edge, Safari, Chrome and Firefox) will offer you the opportunity to remember passwords. Some even offer a facility to sync these passwords across your different computers by using a service in the cloud.
These can be very convenient, and are reasonably secure, but they also introduce some new risks. In most cases, anyone who can access your computer, phone or tablet can log onto websites as you using the browser's password manager. There have also been cases where the synchronisation services have been compromised.
A good compromise is to set a master password on your browser. Whenever you visit a website requiring a login, the browser will prompt you for the master password (which will always be the same) before automatically entering the site-specific password. The article from the NCSC above gives some more details.
Don't re-use passwords
Every day, websites are hacked and account credentials are stolen and published online.
Hackers try to use these same credentials on other sites to access other accounts. For example, perhaps you used an email address and password combination on an online shopping website. You may have used that same combination for an insurance account, social media account, email account, blogging account and even a professional account.
If you re-use passwords a hacker will potentially have access to all your personal information—enough to commit identity fraud, convincingly scam you or clean out your bank accounts.
To prevent this from happening to you, make sure you use unique passwords for each of your accounts. Using a password manager to generate and store the unique password for you will make this easier.
Use a complex password or a passphrase
It's tempting to use a memorable word and substitute a letter here, a number there or add a punctuation mark. Attackers know all these tricks and they make allowance for them when attacking passwords.
A much better approach is to think of four or five random words to form a simple passphrase. If you choose this strategy, it's important that the words be truly random rather than related or containing personal information.
Another good strategy is to use a password that is derived from a memorable phrase such as this technique from Graham Cluley.
In particular make sure that your password does not include:
- repeated characters
- a single dictionary word (four or five combined is ok)
- your street address or numeric sequences (such as 1234567)
- personal information
- anything you have previously used.
A final approach, as noted above, is to use a password manager. These can easily generate, and remember, a long, strong, unguessable, uncrackable password.
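The passphrase and checklist advice above, worked through as an added example (not code from the original page): a CSPRNG-based passphrase generator with its entropy estimate, and a checker that applies the page's red flags after undoing the letter-for-number substitutions attackers already allow for. The word list, substitution table and "three or more identical characters" threshold are constructed assumptions for illustration.

```python
import math
import re
import secrets

# Constructed 16-word list standing in for a real diceware-style list (about 7776 words).
WORDLIST = ["anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
            "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pebble"]

# Assumed substitution table: the "a letter here, a number there" tricks, undone before a dictionary check.
LEET = str.maketrans("@431$570", "aaeissto")


def generate_passphrase(words, count=4):
    """Pick `count` words independently and uniformly using the OS CSPRNG (truly random, unrelated words)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Guessing entropy of `count` uniformly chosen words: log2(wordlist_size ** count)."""
    return count * math.log2(wordlist_size)


def _has_digit_sequence(password):
    """True if any run of 4+ digits counts straight up or down (e.g. 1234567 or 9876)."""
    for run in re.findall(r"\d{4,}", password):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def weakness_reasons(password, dictionary, personal_terms=(), previous=()):
    """Return which of the page's red flags apply to `password`; an empty list means none matched."""
    reasons = []
    if re.search(r"(.)\1{2,}", password):  # assumed threshold: three or more identical characters in a row
        reasons.append("repeated characters")
    if _has_digit_sequence(password):
        reasons.append("numeric sequence")
    # Undo substitutions and drop non-letters, so "P@ssw0rd!" is checked as "password".
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    if letters in dictionary:
        reasons.append("single dictionary word")
    lowered = password.lower()
    if any(term.lower() in lowered for term in personal_terms if term):
        reasons.append("personal information")
    if password in previous:
        reasons.append("previously used")
    return reasons
```

With a real 7776-word list, five words give about 64.6 bits of entropy; the toy 16-word list here gives only 16 bits for four words, which is why the list size matters as much as the word count.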
Use multi-factor authentication
Multi-factor or two-factor authentication means there are two checks in place to prove your identity: for example, in addition to your password, a code sent to your mobile phone or a biometric credential such as a fingerprint.
If your bank password were compromised but you had two-factor authentication activated on your account, the attacker would not gain access with the password alone. They would need both levels of authentication.
Multi-factor authentication is highly recommended for your more sensitive accounts such as email (which can be used to reset passwords on most of your other accounts), online financial services and social media accounts.
See the list below for instructions on how to set up multi-factor authentication on your accounts, or contact your service provider:
Check your exposure
You can check if your credentials have been exposed in a data breach at have i been pwned?. If they have been exposed, change them immediately on all vulnerable accounts, i.e. any other accounts that use the same password.