These days most people have a long list of accounts online, from social media to shopping. It's simply not safe to use the same password for different account logins, yet keeping track of multiple passwords can be a nightmare. This short guide explains how to choose the right passwords and how to keep 'em secure.
Why do I need to worry about my passwords? Passwords are paramount to protecting yourself online. In most cases, they're the only thing stopping others from accessing your private data. As Tony Neate, CEO of the Government-backed resource Get Safe Online, says: "Passwords are our first line of defence against cyber criminals online."
But why do I need so many of them? The key to keeping your online accounts secure is to use a strong and, crucially, unique password for each.
Many of us are guilty of using the same password again and again – in our Nov 2015 poll, only 12% of you said you used different passwords for every account – but it simply isn't secure. If a website you use is hacked and your password stolen, anyone that gets hold of it can also break in to your other accounts which have the same password.
Sadly, as shown by recent hacks at sites such as LinkedIn and Dropbox, in which millions of account details were stolen, these are not uncommon. (You can check if you've been compromised in many recent breaches using the HaveIBeenPwned? tool.)
So how do I pick strong passwords for my accounts? There are different schools of thought on this – there's no single best way, so just see what works best for you.
Get Safe Online suggests you start with three random words, and include lower- and upper-case letters. To make it more secure, add in numbers and symbols (such as @ # $ % ^ & *) – and make it at least eight characters long.
Another alternative is to make up a memorable phrase or sentence, and take the first letter from each word to create a sequence.
Ultimately, your password shouldn't be easily guessed – so don't include your username or other public info – and must be easy for you to remember. For a full list of do's and don't's, see Get Safe Online.
That's all very well, but how am I expected to remember them all? That's a very good point – it can be a real challenge if you have lots of online accounts (and that's why many end up just using the same one). One solution is the system Martin's come up with for choosing strong passwords in a way you'll be able to remember. See Martin's blog for full step-by-step help, but in brief:
- Establish a number of key words. Pick words that mean something to you but aren't obvious or guessable – start with one or two until those are cemented in your head.
- Establish a few key numbers. Avoid obvious dates like your birthday.
- Create passwords using a combination of both. Use the words or numbers forwards or backwards, capitalised or not capitalised.
- Note the password down IN CODE somewhere safe and convenient. Never write the full words or numbers down, use codewords or an alphabet grid to 'encrypt' them.
That sounds like a lot of work, and I STILL don't trust myself to remember them all... If you need help keeping track of them, consider using a password manager. This is a piece of software that will securely store all your passwords for you, only to be accessed by you using a single 'master password' – it will also offer to generate unique, randomised alternatives for your existing passwords should you choose to reset them.
They can be a bit of a faff to set up, but once you've saved all your logins and chosen a master password, you'll be able to access your full list of passwords in one of the following ways:
- Manually by looking up the password. You log in to the password manager website or app using your master password (or your smartphone's fingerprint scanner), look up the password for your relevant account, then copy and paste it into the site you're logging in to (say, Facebook).
- Automatically via a browser extension. This is a clever piece of software you can install on your browser (eg, Chrome or Internet Explorer) that will automatically fill in your username and password when you visit the relevant site, though you'll need to enter your master password into the extension from time to time to verify it's you.
Don't use your master password anywhere else, and DO NOT FORGET IT. Password managers won't usually store this so there's often no way to recover it, meaning you'll probably have to reset all your passwords, which would be a real pain.
Isn't a password manager putting all my eggs in one basket? How secure are they? Unsurprisingly, password managers take security very seriously (it's why they exist, after all). At the risk of getting technical, they typically use strong '256-bit Advanced Encryption Standard' encryption to make reading your data very difficult, among other measures. Some password managers also use 'two factor-authentication', whereby a second login step using a different device is required (eg, you may be texted a code to enter online).
Having said that, no solution is ever 100% secure and it's always possible a password manager itself could be hacked (though if it was, the hackers would still have to decrypt your data). At the end of the day, they're more secure than the vast majority of websites.
I'm intrigued, where can I find a password manager? There are tons to choose from – tech website TechRadar has a comprehensive list. Here are a few well-reviewed ones:
- LastPass is well-reviewed and offers a free version (with ads) which syncs across all your devices, or an ad-free paid-for version for $12/year (£10) with a couple of additional features. It also uses two-factor authentication.
- 1Password offers a free one-month trial, and then costs $35.88/year (£29), or $59.88/year (£48) for a family plan for up to five. It's feature-rich and its apps are particularly slick. It requires an additional account key in lieu of two-factor authentication.
And finally, should I write my passwords down? Generally speaking, this isn't a good idea. But as with everything to do with passwords, there's a balance to be struck between security and convenience.
If you absolutely must put them on paper, encrypt them in a way that is familiar to you but makes them indecipherable by others (see Martin's tip above on this).