By Andy Coulson
Passwords … We all have dozens and dozens of them. But how many of you have not changed the default password on something you’ve bought, or use the same password for lots of things? If so, you are not alone – the National Cyber Security Centre (NCSC) found that ‘Less than half [of people surveyed] do not always use a strong, separate password for their main email account’. The NCSC did a large survey in 2019, and the summary of the results makes interesting reading.
So, what can you do about this? The NCSC has a list of six key actions:
- Use a strong and separate password for your email.
- Create strong passwords using three random words.
- Save your passwords in your browser.
- Turn on two-factor authentication (2FA).
- Update your devices.
- Back up your data.
This is a good list to work through, and I’ve discussed some of these before, but I’m going to dig into others a little deeper.
Strong and separate
Ideally, you should have a different password for each login. But, like me, I bet you have some types of account that you use the same password for. However, I don’t do this for important things, like banking or email. The NCSC highlights having a different password for your email as being the one to start with. The next problem becomes how to remember all these different passwords, and I’ll pick up on that with password managers, below.
So, what is a good password? You’ve probably seen a password security meter on some sites, where the password is rated from poor/weak to good/strong as you type it. Can you think what gets you into the strong category? Broadly, it’s more characters – the longer the better.
But it’s a little more complicated than that. You need to avoid repeated or sequential characters (like ‘aaa’ or ‘123’) in the password, as these weaken it. It is also crucial to avoid personal information – your name, parts of your address, date of birth, family members’ names and so on – as part of the password.
So where does that get us? ‘B7meapofngh04psnf’ is a strong password, but is a bit tricky to remember, so I’ll let you into a little secret. Most of the time, three or four random words as a phrase will create a really secure password. For example, the password at the start of the para is considered very strong, but so is ‘CanteloupeRiverArtichoke’. Which is easier to remember?
Many sites ask for a mix of upper- and lower-case letters, numbers and symbols. Where sites or apps require this, you can always add a symbol and number to a phrase, such as ‘CanteloupeRiverArtichoke+3’.
- Use separate passwords for at least email and banking, but preferably all your accounts.
- Make passwords long and as random as you can.
- Don’t use personal information, repetition or sequences in passwords.
- If you need to remember a password, use a three- or four-word random phrase.
Testing and checking passwords
Before I dive into this, a word of warning … If you are going to put a password into something, make very sure you know what you are putting it into. It would be very easy to run a ‘check my password’ scam website! However, the sites listed here are, to the best of my knowledge, safe and legitimate. I mention potentially compromised passwords below. This does not mean that someone is misusing the password, it just means that there has been data stolen from somewhere that potentially contains that information. Often these thefts are so large that many passwords are not used, so if your password is ‘potentially compromised’, simply take action and change it as soon as you find out.
First of all, if you use Google there is a built-in password check-up. If you go to your Google account online you will likely see this on the home page. If you click on ‘Take action’, it will highlight passwords potentially compromised in data breaches. You can then go and change those. It will also flag weak passwords and those used on multiple accounts.
Another good resource is ‘have I been pwned’, which sounds rather spammy, but is a highly regarded source of information about data breaches. You can use the site to check if your accounts have been affected by a data breach.
Finally, many websites have a password strength checker that allows you to get a sense of how good your password is. However, if you want to play around with ideas there is a good checker on the bitwarden site (bitwarden is one of the password managers discussed below). This also gives you an idea of how long a typical modern password cracker tool would take to work this out.
Managing your passwords
Many security experts suggest using a password manager to hold your passwords. These are software packages that keep your passwords in a highly encrypted online store, allowing you to use the passwords and logins across devices – so on your laptop, phone and tablet. Essentially you need to remember one, very strong, password to access all your accounts, but each account can then have a different, very strong password. That master password is never stored on the provider’s computer, so even if they are hacked the hacker only accesses the encrypted gobbledygook. Needless to say, your one password needs to be one you can remember, and it needs to be kept safe!
The NCSC article mentioned earlier explains that most modern browsers (Google Chrome, Apple Safari, Microsoft Edge and Mozilla Firefox) have a built-in password manager. These work well, but it is worth spending a little time understanding the limitations of these. I’m especially impressed with Firefox’s Lockwise, though I’d rather use a separate password manager as it spreads the risk around.
There are a number of well-regarded standalone password managers on the market that provide similar features and a mix of free and paid-for versions. You need to be looking, at a minimum, for end-to-end encryption (this means your passwords are never available as plain text – they are always scrambled except on your device); cross-platform applications (ie you can use them on your laptop, tablet and phone) and secure password generators. Most of them also offer (but you may have to pay for) options such as secure sharing, which allows you and a partner to both have access to a shared account or service, in case, for example, one of you falls ill. I use one called bitwarden, but other well-known packages are LastPass, 1password, KeePass and Dashlane. Dropbox has just added a password manager to some of its paid plans.
2FA – a further level of security
2FA is short for ‘two-factor authentication’. You may be familiar with this from your bank; banks have upgraded their security in the last year or so. This is where, after entering your password, you need to enter a code that is texted or emailed to you, so you use two factors to log in. They often use your phone for one of the factors, as you often have it on you and this means it is more likely to be you.
Many services support using 2FA, including Google and most of the password managers. If you can use 2FA to secure key tools and services it is worth doing, as it makes hacking your accounts even harder.
Good luck and stay safe out there!
In previous What’s e-new articles, Andy has covered accounting, working efficiently in Microsoft Word, Word’s Editor, and useful online resources related to fixing computers, managing time and keeping fit.
Posted by Abi Saffrey, CIEP blog coordinator.
The views expressed here do not necessarily reflect those of the CIEP.