By Martin Edwards
A password is a secret shared between you and a service — often a
website. To access the service you:
- Identify yourself with a unique but non-secret string like your email address.
- Prove it’s you by entering the corresponding password.
Strong and unique
Hackers use tools to ‘brute force’ entry to services by guessing people’s passwords, starting
with a dictionary of words, place names, obvious numbers and so on. Because of this, we are
encouraged to make strong passwords. While you should avoid single
words or simple word/number combinations, like Blenheim2020, your passwords needn’t be
ludicrously complicated either. In general, the longer the better. One technique is to string
together three or four random words.
Meanwhile, phishing and
data breaches can expose our passwords to others. When this happens,
hackers try the passwords on other popular services. So, if you use the same password on five
accounts and one of them is breached, you should consider all five of them breached. Because of
this, we’re encouraged to make a unique password for each service.
Remembering lots of strong passwords isn’t easy, but there’s a solution.
A password manager stores your passwords, in a protected form, on
your computer or a cloud service. You may use a strong, unique master
password to protect the password manager itself.
It’s true you could achieve the same with a notebook hidden in a drawer, but the password
manager has three advantages:
- It can generate strong passwords for you, so you don’t have to think them up yourself — you
needn’t even know what they are!
- It can automatically fill in your passwords for websites.
- It can protect you from fake sites because it won’t automatically fill in the
password if the domain name doesn't match.
Chrome, Edge, Firefox and Safari all include a basic password manager. They offer optional
online backup and synchronisation of passwords between your computer, tablet and phone; Safari,
for example, uses iCloud Keychain.
If you work with multiple platforms, e.g. a Windows PC, Apple iPad and Samsung (Android) phone
– or you want more features – I recommend 1Password, a
dedicated password manager that works everywhere.
When you choose a password, the website does not store it in a readable form. Instead, it
derives a string called a hash from the password, using a one-way
process. When you enter your password to log in, the same process is performed and the hashes
It’s a bit like mixing paint: combine several colours in specific proportions and you’ll get
the same new colour each time. But you can’t unmix it — you can’t look at the new colour and
work out which original colours went in.
This is why, if you forget a password, there’s no way to retrieve it. Instead, you are asked to
think of a new one — after proving your identity in another way.
Services may offer multiple ways to prove your identity: email, mobile phone, landline phone,
another app or device — and more. Be sure to provide important services with enough
security information they can use in the event of a forgotten
In particular, if you change your email address, make sure to update it for all the services
you use. This reduces the chance that you could become permanently locked out of one of your own
An increasingly held view among experts is that passwords alone, no matter how strong, can’t
offer enough security for modern times. Some companies have already made passwords obsolete for
their staff by providing them with things like smart cards or using biometric identifiers like
fingerprints and iris imaging. The rest of us can greatly increase the security of our personal
accounts using two-factor authentication.