Passwords. Ugh! You use dozens of them every day, but do you really give any thought to how good they are? Are they actually keeping your accounts safe, or are they as secure as leaving a key under the doormat?
Online security can seem both complicated and boring, a lethal combination that means we don't take it as seriously as we should. Yet it doesn't have to be. With just a few simple steps you can lock down all your accounts in no time.
Don't re-use passwords on important accounts...
It's hard enough to remember five passwords, let along 50 or 500. That's why we all get lured into creating one decent password and using it over and over again. You've been told this before: it's a really bad idea.
Here's the problem. Online services get hacked all the time; they get infected with malware; sometimes they just go wrong. And it usually results in a data breach that exposes their users' info.
And is isn't just limited to small or obscure websites. Brands of all sizes and all kinds get hit - from TalkTalk to Teletext Holidays to Marriot Hotels. They've all leaked data at one time or another.
Very often it's email addresses and passwords that get exposed. They get posted (or sold) online where anyone can see them, for whatever reason. If your password happens to be among them, and you've re-used it on other sites, all your accounts on those sites are at risk.
You can check if your email address is associated with any data breaches at haveibeenpwned.com. If it has, make sure you didn't re-use the password associated with the breached account. And if you did, change them now, and make sure they're not on the list of most commonly used passwords.
...but you can on unimportant accounts
All that said, there are times when it is perfectly acceptable to re-use passwords, though we'd recommend tweaking them a little bit to include the initials of the site or service just to add an extra bit of security while still being easy to remember.
While you'll obviously want to lock down accounts that contain your personal or financial details, most of us use countless services and sites where security doesn't matter at all. We're thinking online forums, and other random services that you log into once to maybe ask a question or read an article, and then forget about.
For those that don't contain any kind of personal or finiancial information, and you wouldn't care if you lost access to them tomorrow, feel free to use and re-use simple passwords as much as you like. But you do need to be sure that these accounts don't have access to anything else, such as social media accounts, or display any information you don't want public, such as your email address.
Managing your online security is a hassle. By cutting the number of important passwords you need to track, you can make it just a little easier.
Try using a single sign in on unimportant sites
Chances are you have a Facebook and/or Google account. Both of these should be locked down with very secure passwords as they contain a lot of personal and probably financial details - you don't want anyone getting into them. Many sites allow you to create accounts that are essentially tied to your Facebook or Google account, which means you can securely sign in with those credentials without having to create a whole new account and generate yet another secure password. If your Facebook and Google accounts are secure, they should be, too, and in the event that they do get hacked, changing your Facebook and Google passwords means those other accounts are covered as well.
Think passphrase instead of password
wgW7!@G%^45P. That's what a secure password looks like. It mixes uppercase and lowercase, numbers and special characters, and is pretty well uncrackable. It's also impossible to remember (and incredibly annoying to type).
An easy to remember password is, by definition, a bad password. But there is a neat compromise. When it comes to passwords, it turns out that length can actually be more important than complexity. So instead of coming up with short but complex passwords, try using a passphrase instead.
What is a passphrase? It's a much longer, more memorable alternative. Just pick four or five random words - they need to be genuinely random, don't use song titles or a line from a book - and string them together. You'll find it a whole lot easier to remember, yet the length gives it its security.
Want a bit of extra security? Use some special characters between words. Not all sites allow this, but where they do, take advantage of it. 'ThisRandomPassphrase' can be harder to crack if it's changed to 'This&Random&Passphrase'. If you can remember something slightly more complicated, you can also switch out letters with numbers and symbols that resemble them. For example, replace 'a' with '@' or 'e' with '3', and you have 'This&R@ndom&P@ssphr@s3'. As long as you can remember your scheme, you're good to go.
Use a password manager
Wouldn't it be great if you only ever had to remember one password? It is possible. Many security experts recommend using a password manager, a piece of software that locks and encrypts all your login credentials in a single place. You only need to remember the master password - so make sure it's a good one.
When you use a password manager you don't have to worry about making passwords memorable, so they can be as complex as you like. Most of the tools will offer to generate them for you. As a handy extra, they'll also automatically fill in your details on websites and apps when you visit them.
The best password managers work across your desktop, laptop and phone. Among the ones we recommend are:
What about getting your browser to save your passwords instead? That's also safe up to a point. Browsers do encrypt passwords, although anyone who's got access to your laptop or phone will be able to use them without any further checks.
And the most low-tech password manager of all? A piece of paper, kept in a safe place. We wouldn't recommend it at work, but for many of us it'll be fine at home.
Set up two-factor authentication
Getting your passwords up to scratch is the first step to improving your online security. There's one other thing you should do to properly lock down your most important accounts: use two-factor authentication (2FA).
The techie name doesn't help, but the idea behind 2FA is really simple. When you try to log in to a website or app that has it enabled, you have to enter both your password and one other piece of information - usually a short code sent to your phone by text or to an app. What it means is that even if someone does get hold of your password, they still can't log in to your account unless they have physical access to your phone.
You've probably used it already. Any time a bank texts you a code in order to verify a payment you're making, it's an example of 2FA in action. You can activate 2FA on all your main accounts - Google, Facebook, Amazon, PayPal and so on - and you really should.
If given the choice, use an app rather than SMS, since it's more secure. Authy is the best app to use, and it's pretty easy to set up, too.
Keep it simple
Managing passwords is no-one's idea of a fun afternoon. But weigh it up against the thought of losing access to your email, or having someone get into your bank account, and you realise it's well worth doing. The tips above show that a good security policy is not only safer, it's simpler too. And reducing the number of passwords you have to remember has got to be a good thing, right?
For more advice on online security check out our guides to setting up parental controls on your broadband, and how and why you need to change your router's security settings.
Posted by Andy Betts on in Features