Everyday Security in an Online World

Use Strong, Unique Passwords

Accounts and authentication

Most of us have online accounts with dozens of organisations, including email and social media platforms, cloud storage and backup services, financial institutions like banks and pension providers, and all manner of retailers.

Opening new accounts is a common occurrence — sometimes out of choice, and sometimes because we’re compelled to as companies and governments move more processes online.

As a result, we store an increasing amount of our private information on computers that aren’t our own. These computers, which belong to the organisations whose services we use, are called servers; together, and somewhat loosely, they are referred to as the cloud.

Because servers collectively store information for billions of people, there needs to be a way to ensure that each person’s information is available only to its rightful owner. The process of proving our identity in order to access a resource is called authentication.

Various means of authentication exist, but the most familiar and still most abundant is the password. A password is a secret shared between you and a service you use. To access the service, you first identify yourself with something unique but non-secret like your email address, then prove it’s you by entering the corresponding password. These two pieces of information together are called credentials.

Strong and unique

Criminals attempt to ‘guess’ people’s passwords, starting with a dictionary of words, place names, obvious numbers and so on, and then working through combinations of them. In other words, they try lots of possible passwords until one works. This is called a brute force attack (or a dictionary attack, when it starts from such a list), and the process is automated and fast, since computers are ideally suited to such tasks. Websites usually limit how often anyone can attempt to log in, so the bulk of this guessing is done offline, against copies of password databases stolen in data breaches, where nothing slows the attacker down.

Because of this, we’re encouraged to make strong passwords that would take an impractically long time to guess. This doesn’t mean they need to be so complicated that you have no chance of remembering them, but on the other hand, you should avoid single words or simple word–number combinations like Sheffield123. One technique is to string together three or four random words. The well-known illustration is CorrectHorseBatteryStaple, but precisely because it is well known it now sits in every attacker’s dictionary, so choose your own words, and choose them at random (by rolling dice against a word list, or by letting a password manager do it) rather than picking words that come to mind, which tend to be far more predictable.
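As an added example, not part of the original guide, the Python below makes the trade-off concrete. It generates a passphrase from a word list the way a password manager would, using the operating system’s secure random source, and then estimates how many guesses an attacker who knows the pattern must make. The sixteen-word list is a constructed stand-in so the code runs offline; the 7,776-word figure is the size of the EFF/Diceware lists, and the 100,000-word attacker dictionary and the rate of ten billion guesses per second are assumptions for illustration.

```python
import math
import secrets

# Constructed stand-in word list so the example runs offline. A real list
# such as the EFF large word list has 7,776 entries (about 12.9 bits per word).
WORDS = [
    "anchor", "battery", "cactus", "glacier", "horse", "lantern", "meadow",
    "orbit", "pencil", "pepper", "river", "staple", "tunnel", "velvet",
    "walrus", "window",
]


def passphrase(words=WORDS, count=4, sep="-"):
    """Join `count` words chosen uniformly at random.

    secrets.choice draws from the OS cryptographic random source; the
    ordinary random module is not suitable for generating secrets.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def guess_space_bits(choices_per_position, positions):
    """log2 of the number of candidates an attacker must try when they
    already know the pattern (for example 'four words from this list')."""
    return positions * math.log2(choices_per_position)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second


def compare(guesses_per_second=1e10, dictionary_size=100_000, wordlist_size=7776):
    """Contrast a 'word + number' password with three, four and five random words.

    Assumptions (not from the guide): the attacker's dictionary holds
    100,000 words and place names; they append numbers 0-999; and they
    have stolen a database protected by a fast, unsalted hash, so they can
    test ten billion guesses per second against it.
    """
    results = {}
    # Sheffield123: one dictionary word followed by a number of up to 3 digits.
    bits = guess_space_bits(dictionary_size, 1) + guess_space_bits(1000, 1)
    results["word+number"] = (bits, seconds_to_exhaust(bits, guesses_per_second))
    for n in (3, 4, 5):
        bits = guess_space_bits(wordlist_size, n)
        results[f"{n} random words"] = (bits, seconds_to_exhaust(bits, guesses_per_second))
    return results


if __name__ == "__main__":
    print("Generated passphrase:", passphrase())
    for pattern, (bits, seconds) in compare().items():
        print(f"{pattern:16} {bits:5.1f} bits  {seconds / 86400:12.1f} days")
```

Under these assumptions the word-plus-number pattern falls in a fraction of a second, three random words in under a minute, four in a few days and five in decades; that is why advice has drifted towards five or more words, or a long manager-generated string, for anything an attacker might get to guess offline. Against a properly hashed database (see Forgotten passwords below) every guess costs the attacker far more, and when guessing online the website itself limits the rate.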

Meanwhile, phishing (see Recognise Social Engineering) and data breaches (see Accept That Data Breaches Happen) can leak our passwords to nefarious individuals or the world at large. When this happens, the password and the affected account are said to be compromised.

Not only might an attacker use compromised credentials to log into the account in question, but they’ll also try the same email address and password on other popular websites, because people often use the same password for several accounts. This is known as credential stuffing. So, if you use the same password on five accounts and one of them is compromised, you should consider all five of them compromised. To mitigate this risk, we’re encouraged to make a unique password for each of our accounts.

For advice on securing a compromised account, see Appendix: Secure a Compromised Account.

Password managers

Remembering lots of strong passwords isn’t easy, but there’s a solution. A password manager stores your passwords, in encrypted form, on your device or a cloud service. You protect the password manager itself with a single strong, unique master password, which then becomes the only password you have to remember.

It’s true you could achieve the same with a notebook hidden in a drawer, but the password manager has three advantages. First, it can generate strong passwords for you, so you don’t have to think them up yourself; you needn’t even know what they are! To begin with, the idea of not knowing one’s own password for, say, ordering repeat prescriptions can seem strange. But it’s actually quite liberating, and in the unlikely event that something happens to your password manager and your stored passwords are lost, you can just request a password reset from the pharmacy. Resets are normally sent to your email address, so the one password worth memorising, or keeping safely outside the manager, is the one for your email account.

Second, a password manager can automatically fill in your passwords on websites, saving you from having to type them when you log in. This allows the passwords to be really complex without the associated inconvenience of carefully typing them.

Finally, a password manager can protect you from fake websites. Each stored password is associated with the domain name (see Appendix: Understand URLs) of the associated site; this is how the password manager knows which password to fill in for you. If you stumble upon a fake website, perhaps as the result of phishing (see Recognise Social Engineering), you’ll notice the password is not automatically filled in, because the domain name doesn’t match even if the page looks identical. This is your cue to become suspicious. Resist the temptation to copy the password out of the manager and paste it in by hand: the manager is declining to fill it for a reason.
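To show how that matching works, here is an added example in Python; it is not code from the guide or from any real password manager. It keeps one made-up saved login and decides whether a visited page should receive it. The vault contents, the URLs and the simplified rule for what counts as the same site are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault with one saved login, keyed by the host it was saved on.
VAULT = {
    "example-bank.co.uk": {"username": "alice@example.com", "password": "example-only"},
}


def site_key(url):
    """Return the host the browser is really talking to, or None if the
    page is not served over https (credentials are never offered over http)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    # .hostname is lower-cased and discards any 'user@' prefix, so a URL such
    # as https://example-bank.co.uk@198.51.100.7/ resolves to the IP address,
    # not to the bank.
    return parts.hostname


def matching_login(url, vault=VAULT):
    """Return the saved login for this page, or None if no saved site matches.

    Simplification (an assumption of this example): a page matches a saved
    site when its host is that site or a subdomain of it. Real managers use
    the public suffix list to decide what the 'site' is, but the outcome for
    the cases below is the same: look-alike and suffix-padded hosts get nothing.
    """
    host = site_key(url)
    if host is None:
        return None
    for saved_host, login in vault.items():
        if host == saved_host or host.endswith("." + saved_host):
            return login
    return None


if __name__ == "__main__":
    for url in [
        "https://login.example-bank.co.uk/account",            # genuine subdomain
        "https://example-bank.co.uk.account-verify.net/login",  # real name buried in a fake host
        "https://examp1e-bank.co.uk/",                          # digit 1 in place of letter l
        "http://example-bank.co.uk/",                           # right name, no https
        "https://example-bank.co.uk@198.51.100.7/",             # user@ trick
    ]:
        login = matching_login(url)
        print("fill" if login else "nothing", url)
```

Only the first URL is filled. The others are exactly the pages a phishing email sends people to, and the empty password box is the signal the chapter describes.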

Chrome, Edge, Firefox and Safari all include a basic password manager. They offer optional online backup and synchronisation of passwords between your computer, tablet and smartphone.

If you work with multiple platforms, e.g. a Windows PC, Apple iPad and Samsung (Android) phone, consider a dedicated password manager like 1Password. This works across all those devices, and offers additional benefits like secure storage of notes — for example your National Insurance and NHS numbers.

It is widely accepted among experts that the benefits of using a password manager outweigh the risks. The main risk is that the master password now guards everything, so it must be strong, unique and, ideally, backed by two-factor authentication (see the next chapter).

Forgotten passwords

When you create an account, a well-run server holding your details does not store your chosen password in a readable form. Instead, it derives a sequence of letters and numbers called a hash from the password using a one-way process. Two refinements matter: a random value called a salt, different for every account, is mixed in, so that two people who choose the same password don’t end up with the same hash; and the process is made deliberately slow, so that each guess costs an attacker as much computing time as possible. When you enter your password to log in, the same process is performed with the same salt, and the hashes, not the passwords themselves, are compared.

It’s a bit like mixing paint: combine several colours in specific proportions and you’ll get the same new colour each time. But you can’t unmix it; someone who’s only seen the new colour can’t work out which original colours went in.

The storage of password hashes makes it enormously less likely that a nefarious third party, or indeed a rogue employee of the company holding the accounts, can figure out customers’ passwords in the event that the database is compromised. But it is also why, if you forget a password, the service has no way to tell you what it was. Instead you are asked to make up a new one, after proving your identity in some other way. Conversely, if a site ever emails you your existing password in full, it is storing passwords readably, which is a warning sign about its security in general.
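As an added example, not code from the guide or from any particular service, here is what the server side of this looks like in Python using PBKDF2 from the standard library. The in-memory account table and the sample email addresses are made up; the iteration count follows the OWASP recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import secrets

# Work factor: the number of rounds is what makes each guess slow for an
# attacker. 600,000 is the OWASP (2023) recommendation for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Return a stored record of the form pbkdf2_sha256$rounds$salt$hash.

    The salt is 16 fresh random bytes for every account, so two people who
    pick the same password get different records.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-run the one-way process with the stored salt and round count, then
    compare hashes in constant time. The original password is never stored."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# A minimal in-memory account table standing in for the server's database.
USERS = {}


def register(email, password):
    USERS[email] = hash_password(password)


def login(email, password):
    stored = USERS.get(email)
    if stored is None:
        # Do the same amount of work for an unknown account so that timing
        # does not reveal which email addresses are registered.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    register("alice@example.com", "CorrectHorseBatteryStaple")
    register("bob@example.com", "CorrectHorseBatteryStaple")
    print(USERS["alice@example.com"])                               # no readable password
    print(USERS["alice@example.com"] == USERS["bob@example.com"])   # False: different salts
    print(login("alice@example.com", "CorrectHorseBatteryStaple"))  # True
    print(login("alice@example.com", "correcthorsebatterystaple"))  # False
```

Nothing in the stored record lets anyone, including the company, read the password back; all a ‘forgot password’ flow can do is overwrite it with a new one once you have proved who you are some other way.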

Security information

Services may offer multiple ways to prove your identity: receiving a code via email, text message, or phone call; using another app or device; and more. They might also allow you to designate other people you trust with this ability. Be sure to provide important services with enough of this security information so that you can prove your rightful ownership of your accounts in the event that you forget a password.

If you change your email address or phone number, be sure to update these for all the services you use. This reduces the chance that you will one day become permanently locked out of one of your own accounts. It’s a tedious task, so consider making a list of your accounts and updating a few each day.

Beyond passwords

It’s now widely accepted that passwords alone, no matter how strong, don’t offer enough security for modern times. In future, they might even become obsolete in favour of something better. In the meantime, we can greatly increase the security of our accounts using two-factor authentication and passkeys, which are explained in the next two chapters.
