A password is a secret shared between you and a service — often a
website. To access the service you:
- Identify yourself with a unique but non-secret string like your email address.
- Prove it’s you by entering the corresponding password.
Strong and unique
Hackers use tools to ‘brute force’ entry to services by guessing people’s passwords, starting
with a dictionary of words, place names, obvious numbers and so on. Because of this, we are
encouraged to make strong passwords. While you should avoid single
words or simple word/number combinations, like Blenheim2020, your passwords needn’t be
ludicrously complicated either. In general, the longer the better. One technique is to string
together three or four random words.
Meanwhile, phishing and
data breaches can expose our passwords to others. When this happens,
hackers try the passwords on other popular services. So, if you use the same password on five
accounts and one of them is breached, you should consider all five of them breached. Because of
this, we’re encouraged to make a unique password for each service.
Password managers
Remembering lots of strong passwords isn’t easy, but there’s a solution.
A password manager stores your passwords, in a protected form, on
your computer or a cloud service. You protect the password manager itself
with a single strong, unique master password.
It’s true you could achieve the same with a notebook hidden in a drawer, but the password
manager has three advantages:
- It can generate strong passwords for you, so you don’t have to think them up yourself — you
needn’t even know what they are!
- It can automatically fill in your passwords for websites.
- It can protect you from fake sites because it won’t automatically fill in the
password if the domain name doesn't match.
Chrome, Edge, Firefox and Safari all include a basic password manager. They offer optional
online backup and synchronisation of passwords between your computer, tablet and phone; Safari,
for example, uses iCloud Keychain.
If you work with multiple platforms, e.g. a Windows PC, Apple iPad and Samsung (Android) phone
– or you want more features – I recommend 1Password, a
dedicated password manager that works everywhere.
Forgotten passwords
When you choose a password, the website does not store it in a readable form. Instead, it
derives a string called a hash from the password, using a one-way
process. When you enter your password to log in, the same process is performed and the hashes
are compared.
It’s a bit like mixing paint: combine several colours in specific proportions and you’ll get
the same new colour each time. But you can’t unmix it — you can’t look at the new colour and
work out which original colours went in.
This is why, if you forget a password, there’s no way to retrieve it. Instead, you are asked to
think of a new one — after proving your identity in another way.
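As an added illustration, not code from the original article, here is a small Python sketch of the hash-and-compare process described above. It uses PBKDF2 from the standard library; the random per-user salt and the iteration count are choices made for this example rather than details the text states.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example;
# a real service tunes it so each hash takes a noticeable fraction of a second).
ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Turn a chosen password into what the website actually stores:
    a random salt plus the one-way hash, never the password itself."""
    salt = os.urandom(16)  # fresh salt per user, so equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """At login: run the same process on the attempt and compare the hashes.
    compare_digest does a constant-time comparison so timing leaks nothing."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def reset_password(new_password: str) -> dict:
    """A forgotten password cannot be recovered from the record (the process is
    one-way), so 'reset' simply means storing a brand-new record."""
    return make_record(new_password)


if __name__ == "__main__":
    stored = make_record("correct horse battery staple")  # constructed sample password
    print("stored record:", stored)            # no trace of the password itself
    print("right password:", verify(stored, "correct horse battery staple"))  # True
    print("wrong password:", verify(stored, "Blenheim2020"))                  # False
```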
Security information
Services may offer multiple ways to prove your identity: email, mobile phone, landline phone,
another app or device — and more. Be sure to give the services that matter to you enough
security information that they can use to confirm who you are if you forget your
password.
In particular, if you change your email address, make sure to update it for all the services
you use. This reduces the chance that you could become permanently locked out of one of your own
accounts.
Beyond passwords
An increasingly held view among experts is that passwords alone, no matter how strong, can’t
offer enough security for modern times. Some companies have already made passwords obsolete for
their staff by providing them with things like smart cards or using biometric identifiers like
fingerprints and iris imaging. The rest of us can greatly increase the security of our personal
accounts using two-factor authentication.