Use Strong, Unique Passwords
Accounts and authentication
Most of us have online accounts with dozens of
organisations, including email and social media platforms, cloud storage and
backup services, financial institutions like banks and pension providers,
and all manner of retailers.
Opening new accounts is a common occurrence — sometimes out of choice, and
sometimes because we’re compelled to as companies and governments move more
processes online.
As a result, we store an increasing amount of our private information on
computers that aren’t our own. These computers are called servers, and
collectively they are often referred to as the cloud.
Because servers collectively store information for billions of people,
there needs to be a way to ensure that each person’s information is
available only to its rightful owner. The process of proving our identity in
order to access a resource is called authentication.
Various means of authentication exist, but the most familiar and still most
abundant is the password. A password is a secret shared
between you and a service you use. To access the service, you first identify
yourself with something unique but non-secret like your email address, then
prove it’s you by entering the corresponding password. These two
pieces of information together are called credentials.
Strong and unique
Criminals attempt to ‘guess’ people’s passwords, starting with a dictionary
of words, place names, obvious numbers and so on. In other words, they try
lots of possible passwords until one works. This is called a brute
force attack, and the process is automated and fast — after all,
computers are ideally suited to such tasks.
Because of this, we’re encouraged to make strong passwords that
would take an impractically long time to guess. This doesn’t mean they need
to be so complicated that you have no chance of remembering them, but on the
other hand, you should avoid single words or simple word–number combinations
like Sheffield123. One technique is to string together three or four random
words, like CorrectHorseBatteryStaple.
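As an added example (not part of this guide), the snippet below shows how a random-word passphrase can be built from a word list using the operating system’s secure random source, and how its guess space compares with a Sheffield123-style password; the tiny word list, the 7776-word list size and the guessing rate are assumptions for illustration only:

```python
import math
import secrets

# Constructed, deliberately small word list. A real manager draws from a list
# of several thousand words; 7776 (a standard diceware list) is assumed below.
WORDLIST = ["correct", "horse", "battery", "staple", "river", "candle",
            "orbit", "pencil", "walnut", "harbour", "velvet", "meadow"]

# Assumed guessing rate for an automated attacker; illustrative, not from the page.
GUESSES_PER_SECOND = 1e10


def generate_passphrase(count=4, wordlist=WORDLIST, sep=""):
    """Join `count` words chosen with the OS's secure random source."""
    words = [secrets.choice(wordlist) for _ in range(count)]
    return sep.join(w.capitalize() for w in words)


def guess_space_bits(alternatives, positions):
    """Entropy in bits when each position is picked uniformly from `alternatives`."""
    return positions * math.log2(alternatives)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate in a space of 2**bits."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def compare_styles(words=4, wordlist_size=7776):
    """Contrast a Sheffield123-style password with a random-word passphrase.

    Sheffield123 model: one of ~100,000 common words or place names followed
    by a three-digit number. Passphrase model: `words` words drawn
    independently from a list of `wordlist_size` words.
    """
    word_number_bits = math.log2(100_000) + guess_space_bits(10, 3)
    passphrase_bits = guess_space_bits(wordlist_size, words)
    return {
        "word_number_bits": round(word_number_bits, 1),
        "word_number_years": years_to_exhaust(word_number_bits),
        "passphrase_bits": round(passphrase_bits, 1),
        "passphrase_years": years_to_exhaust(passphrase_bits),
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase())
    for key, value in compare_styles().items():
        print(f"{key}: {value:.3g}")
```

How long a passphrase holds out depends mostly on the assumed guessing rate and on how slowly the service hashes passwords; each extra word multiplies the guess space by the size of the word list.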
Meanwhile, phishing (see
Recognise Social Engineering) and data
breaches (see Accept That Data Breaches Happen)
can leak our passwords to nefarious individuals or the world at large. When
this happens, the password and the affected account are said to be
compromised.
Not only might an attacker use compromised credentials to log into the
account in question, but they’ll also try the password on other popular
websites, because people often use the same password for several accounts.
So, if you use the same password on five accounts and one of them is
compromised, you should consider all five of them compromised. To mitigate
this risk, we’re encouraged to make a unique password for each of
our accounts.
For advice on securing a compromised account, see
Appendix: Secure a Compromised Account.
Password managers
Remembering lots of strong passwords isn’t easy, but there’s a solution. A password manager stores your passwords, in a protected form, on your device or a cloud service. You protect the password manager itself with a single strong, unique master password.
It’s true you could achieve the same with a notebook hidden in a drawer, but the password manager has three advantages. First, it can generate strong passwords for you, so you don’t have to think them up yourself — you needn’t even know what they are! To begin with, the idea of not knowing one’s own password for, say, ordering repeat prescriptions can seem strange. But it’s actually quite liberating, and in the unlikely event that something happens to your password manager and your stored passwords are lost, you can just request a password reset from the pharmacy.
Second, a password manager can automatically fill in your passwords on websites, saving you from having to type them when you log in. This allows the passwords to be really complex without the associated inconvenience of carefully typing them.
Finally, a password manager can protect you from fake websites. Each stored password is associated with the domain name (see Appendix: Understand URLs) of the associated site — this is how the password manager knows which password to fill in for you. If you stumble upon a fake website, perhaps as the result of phishing (see Recognise Social Engineering), you’ll notice the password is not automatically filled in because the domain name doesn’t match. This is your cue to become suspicious.
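The domain check described above, as an added example rather than any product’s code: the vault layout and the `example.com` and `.test` names are constructed, and the matching is simplified to the last two labels of the hostname (real managers use the Public Suffix List to handle names like `shop.co.uk`):

```python
from urllib.parse import urlsplit

# Constructed vault entries (assumed layout, not any product's format). Each
# password is bound to the registrable domain of the site it was saved on.
VAULT = [
    {"domain": "example.com", "username": "alice", "password": "CorrectHorseBatteryStaple"},
    {"domain": "pharmacy.example", "username": "alice", "password": "VelvetMeadowOrbitCandle"},
]


def registrable_domain(host):
    """Reduce a hostname to its last two labels: 'login.example.com' -> 'example.com'.

    Simplification for this example: real managers consult the Public Suffix
    List so that names like 'shop.co.uk' are cut in the right place.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def entries_for_url(url, vault=VAULT):
    """Return the vault entries a manager would offer to fill on this page.

    Matching is on the whole registrable domain, never on a substring or a
    visual resemblance, so a fake site cannot trigger autofill by embedding
    the real name in its own. Pages not served over https get nothing: a
    password typed into an http form travels in clear text.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return []
    page_domain = registrable_domain(parts.hostname)
    return [entry for entry in vault if entry["domain"] == page_domain]


if __name__ == "__main__":
    for url in ("https://www.example.com/login",
                "https://example.com.accounts-verify.test/login",
                "https://example.com@accounts-verify.test/login"):
        hits = [e["username"] for e in entries_for_url(url)]
        print(f"{url}: {'fill ' + ', '.join(hits) if hits else 'no match, be suspicious'}")
```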
Chrome, Edge, Firefox and Safari all include a basic password manager. They offer optional online backup and synchronisation of passwords between your computer, tablet and smartphone.
If you work with multiple platforms, e.g. a Windows PC, Apple iPad and Samsung (Android) phone, consider a dedicated password manager like 1Password. This works across all those devices, and offers additional benefits like secure storage of notes — for example your National Insurance and NHS numbers.
It is widely accepted among experts that the benefits of using a password manager outweigh the risks.
Forgotten passwords
When you create an account, the server holding your details does not store your chosen password in a readable form. Instead, it derives a sequence of letters and numbers called a hash from the password using a one-way process. When you enter your password to log in, the same process is performed and the hashes – not the passwords themselves – are compared.
It’s a bit like mixing paint: combine several colours in specific proportions and you’ll get the same new colour each time. But you can’t unmix it; someone who’s only seen the new colour can’t work out which original colours went in.
The storage of password hashes makes it enormously less likely that a nefarious third party, or indeed a rogue employee of the company holding the accounts, can figure out customers’ passwords in the event that the database is compromised. But it is also why, if you forget a password, there’s no way to retrieve it. Instead you are asked to make up a new one, after proving your identity in some other way.
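The one-way process and the hash comparison described above, as an added example that is not from this guide or any particular service; it uses PBKDF2 from Python’s standard library, a constructed in-memory account table, and an assumed iteration count:

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # work factor: slows every guess an attacker makes against leaked hashes

# Constructed in-memory account table; a real service keeps this in a database.
USERS = {}


def _derive(password, salt):
    """The one-way 'paint mixing' step: password + salt -> fixed-size hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(username, password, users=USERS):
    """Store a salted hash; the password itself is never written anywhere."""
    salt = secrets.token_bytes(16)  # unique per account, so equal passwords give different hashes
    users[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify_login(username, password, users=USERS):
    """Repeat the same one-way process and compare hashes, not passwords."""
    record = users.get(username)
    if record is None:
        # Do the same amount of work for unknown names so that timing does
        # not reveal which usernames exist.
        _derive(password, b"\0" * 16)
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def reset_password(username, new_password, users=USERS):
    """A forgotten password cannot be recovered from its hash, only replaced.
    Call this only after the user has proved their identity another way."""
    if username not in users:
        return False
    create_account(username, new_password, users)
    return True


if __name__ == "__main__":
    create_account("alice", "CorrectHorseBatteryStaple")
    print("stored record:", USERS["alice"])  # salt and hash bytes, no password
    print("right password:", verify_login("alice", "CorrectHorseBatteryStaple"))
    print("wrong password:", verify_login("alice", "Sheffield123"))
```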
Services may offer multiple ways to prove your identity: receiving a code via email, text message, or phone call; using another app or device; and more. They might also allow you to designate other people you trust with this ability. Be sure to provide important services with enough of this security information so that you can prove your rightful ownership of your accounts in the event that you forget a password.
If you change your email address or phone number, be sure to update these for all the services you use. This reduces the chance that you will one day become permanently locked out of one of your own accounts. It’s a tedious task, so consider making a list of your accounts and updating a few each day.
Beyond passwords
It’s now widely accepted that passwords alone, no matter how strong, don’t
offer enough security for modern times. In future, they might even become
obsolete in favour of something better. In the meantime, we can greatly
increase the security of our accounts using two-factor authentication and
passkeys, which are explained in the next two chapters.
What you can do
- Use strong, unique passwords. Avoid simple combinations of words, names
and numbers; and don’t use the same password for more than one
website.
- Use a password manager to generate and store your passwords. It takes
the hassle out of creating strong, unique passwords — making it more
likely that you will do so.
- For each of your online accounts, keep your security information up to
date. It’s particularly important that the email address and mobile phone
number each company has for you are correct, as these are the most common
ways to prove your identity if you get locked out.