Use Strong, Unique Passwords
Most of us have online accounts with dozens of organisations. They include email and other communication platforms like social media; backup and storage systems like Dropbox and OneDrive; financial organisations like banks and pension providers; and all manner of retailers and services. Opening new accounts is a common occurrence — sometimes out of choice, and sometimes because we are compelled to as companies and governments move more processes online.
As a result, we are storing an increasing amount of our private information on computers that aren’t our own. These computers are called servers, or sometimes ‘the cloud’. Because servers collectively store information for billions of people, there needs to be a way to ensure that each person’s information is available only to its rightful owner (and perhaps others with whom they choose to share it). The process of proving our identity in order to access a restricted resource is called authentication.
Various means of authentication exist, but the most familiar and still most abundant is the password. A password is a secret shared between you and a service you use. To access the service, you first identify yourself with something unique but non-secret like your email address, then prove it’s you by entering the corresponding password. These two pieces of information together are often called credentials.
Strong and unique
Criminals attempt to ‘guess’ people’s passwords, starting with a dictionary of words, place names, obvious numbers and so on. In other words, they try lots of possible passwords until one works. This is known as a brute force attack, and the process is automated and fast — after all, computers are ideally suited to such tasks.
Because of this, we are encouraged to make strong passwords that take longer to guess. While you should avoid single words or simple word–number combinations, like Edinburgh789, your passwords needn’t be ludicrously complicated either. One technique is to string together three or four random words. In general, the longer your password the better.
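To put numbers on the advice above, here is an added example (not part of this guide) that estimates how many guesses an attacker would need for the two password styles discussed. The dictionary size, suffix range, word-list size and guessing speed are all labelled assumptions chosen to illustrate the comparison.

```python
import math

# Modelling assumptions for the comparison (not measured figures):
WORDLIST_SIZE = 100_000      # assumed attacker dictionary of common words and place names
SUFFIX_CHOICES = 1_000       # assumed numeric suffix such as "789" (000-999)
PASSPHRASE_WORDS = 7_776     # assumed size of a list used to pick random words
GUESSES_PER_SECOND = 10**10  # assumed guessing speed against a weakly protected hash


def guess_space_word_plus_number() -> int:
    """Guesses needed to exhaust passwords like 'Edinburgh789': one word plus a short number."""
    return WORDLIST_SIZE * SUFFIX_CHOICES


def guess_space_random_words(n_words: int) -> int:
    """Guesses needed to exhaust n words chosen at random from the passphrase list."""
    return PASSPHRASE_WORDS ** n_words


def entropy_bits(space: int) -> float:
    """Size of a guess space expressed in bits; each extra bit doubles the attacker's work."""
    return math.log2(space)


def seconds_to_exhaust(space: int) -> float:
    """Worst-case time to try every guess at the assumed speed."""
    return space / GUESSES_PER_SECOND


def compare_styles() -> dict:
    """Return the bits of entropy for each password style so they can be compared side by side."""
    return {
        "word+number": round(entropy_bits(guess_space_word_plus_number()), 1),
        "3 random words": round(entropy_bits(guess_space_random_words(3)), 1),
        "4 random words": round(entropy_bits(guess_space_random_words(4)), 1),
    }


if __name__ == "__main__":
    for style, bits in compare_styles().items():
        print(f"{style:15s} {bits:5.1f} bits")
    print("word+number exhausted in", seconds_to_exhaust(guess_space_word_plus_number()), "s")
    print("4 random words exhausted in", seconds_to_exhaust(guess_space_random_words(4)) / 86400, "days")
```

Adding a fourth word multiplies the attacker's work by the whole word list, which is why length beats clever substitutions.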
Meanwhile, phishing (see Recognise Social Engineering) and data breaches (see Accept That Data Breaches Happen) can leak our passwords to nefarious individuals or to the world at large. When this happens, the password and the affected account are said to be compromised.
Not only might an attacker use compromised credentials to log into the account in question, but they’ll also try the password on other popular websites, because people often use the same password for several accounts. So, if you use the same password on five accounts and one of them is compromised, you should consider all five of them compromised. To mitigate this risk, we are encouraged to make a unique password for each of our accounts.
For advice on securing a compromised account, see Appendix: Secure a Compromised Account.
Remembering lots of strong passwords isn’t easy, but there’s a solution. A password manager stores your passwords, in a protected form, on your device or a cloud service. You protect the password manager itself with a single strong, unique master password, which then becomes the only password you need to remember.
It’s true you could achieve the same with a notebook hidden in a drawer, but the password manager has three advantages. First, it can generate strong passwords for you, so you don’t have to think them up yourself — you needn’t even know what they are! To begin with, the idea of not knowing one’s own password for, say, ordering repeat prescriptions can seem strange. But it’s actually quite liberating, and in the unlikely event that something happens to your password manager and your stored passwords are lost, you can just request a password reset from the pharmacy.
Second, a password manager can automatically fill in your passwords on websites, saving you from having to type them when you log in. This allows the passwords to be really complex without the associated inconvenience of carefully typing them.
Finally, a password manager can protect you from fake websites. Each stored password is associated with the domain name (see Appendix: Understand URLs) of the associated site — this is how the password manager knows which password to fill in for you. If you stumble upon a fake website, perhaps as the result of phishing (see Recognise Social Engineering), you’ll notice the password is not automatically filled in because the domain name doesn’t match. This is your cue to become suspicious.
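The domain check described above, as an added example that is not code from any real password manager: each saved login is tied to a domain, and autofill is offered only when the page's hostname is that domain or a subdomain of it. The vault contents, the hostnames and the refusal to fill on non-HTTPS pages are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault: each saved login is keyed by the domain it was created on.
VAULT = {
    "example-bank.co.uk": {"username": "alice@example.com", "password": "<stored secret>"},
    "pharmacy.example": {"username": "alice", "password": "<stored secret>"},
}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def matches_saved_domain(host: str, saved: str) -> bool:
    """True only if host is the saved domain or a subdomain of it.

    The saved domain must end the hostname at a label boundary, so
    'login.example-bank.co.uk' matches but 'example-bank.co.uk.evil.test'
    (a different registered domain) and 'examp1e-bank.co.uk' (a lookalike) do not.
    """
    return host == saved or host.endswith("." + saved)


def credential_for(url: str):
    """Mimic the autofill decision: offer a login only when the page's domain matches a saved entry."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None  # assumption: the manager never fills on unencrypted pages
    host = hostname_of(url)
    for saved, cred in VAULT.items():
        if matches_saved_domain(host, saved):
            return cred
    return None  # nothing filled in: the cue to become suspicious


if __name__ == "__main__":
    for page in ("https://login.example-bank.co.uk/", "https://examp1e-bank.co.uk/"):
        print(page, "->", "filled" if credential_for(page) else "no match")
```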
Chrome, Edge, Firefox and Safari all include a basic password manager. They offer optional online backup and synchronisation of passwords between your computer, tablet and smartphone.
If you work with multiple platforms, e.g. a Windows PC, Apple iPad and Samsung (Android) phone, consider a dedicated password manager like 1Password. This works across all those devices, and offers additional benefits like secure storage of notes — for example your National Insurance and NHS numbers.
It is widely accepted among experts that the benefits of using a password manager outweigh the risks.
When you create an account, the server holding your details does not store your chosen password in a readable form. Instead, it derives a sequence of letters and numbers called a hash from the password using a one-way process. When you enter your password to log in, the same process is performed and the hashes — not the passwords themselves — are compared.
It’s a bit like mixing paint: combine several colours in specific proportions and you’ll get the same new colour each time. But you can’t unmix it; someone who’s only seen the new colour can’t work out which original colours went in.
The storage of password hashes makes it enormously less likely that a nefarious third party, or indeed a rogue employee of the company holding the accounts, can figure out customers’ passwords in the event that the database is compromised. But it is also why, if you forget a password, there’s no way to retrieve it. Instead you are asked to make up a new one, after proving your identity in some other way.
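The one-way storage and comparison described above, as an added example rather than any particular service's code. It uses PBKDF2 with SHA-256 from Python's standard library; the iteration count, salt length and record format are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor: slows each guess an attacker makes
SALT_BYTES = 16        # assumed salt length: a random value stored beside the hash


def hash_password(password: str) -> str:
    """Derive the record a server stores instead of the password itself.

    A fresh random salt per account means two people with the same password
    get different records, so one leaked database cannot be cracked in bulk.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Run the same one-way process on the submitted password and compare hashes.

    The password is never recovered from the record; the server can only
    check whether a new attempt produces the same hash. compare_digest is
    constant-time, so response timing does not reveal how close a guess was.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: treat as a failed login, never a match
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("three random words")  # constructed sample password
    print("stored record:", record)
    print("correct password accepted:", verify_password("three random words", record))
    print("wrong password accepted:", verify_password("three random word", record))
```

Because only the record is kept, a forgotten password cannot be sent back to you; the service can only let you set a new one.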
Services may offer multiple ways to prove your identity: receiving a code via email, text message, or phone call; using another app or device; and more. They might also allow you to designate other people you trust with this ability. Be sure to provide important services with enough of this security information so that you can prove your rightful ownership of your accounts in the event that you forget a password.
If you change your email address or phone number, be sure to update these for all the services you use. This reduces the chance that you will one day become permanently locked out of one of your own accounts. It’s a tedious task, so consider making a list of your accounts and updating a few each day.
An increasingly held view among experts is that passwords alone, no matter how strong, can’t offer enough security for modern times.
Some companies have already made passwords obsolete for their staff by providing them with smart cards or using biometric identifiers like fingerprints and iris imaging.
The rest of us can greatly increase the security of our personal accounts using two-factor authentication, which is explained in the next chapter.
What you can do
- Use strong, unique passwords. Avoid simple combinations of words, names and numbers; and don’t use the same password for more than one website.
- Use a password manager to generate and store your passwords. It takes the hassle out of creating strong, unique passwords — making it more likely that you will do so.
- Keep your security information up to date. It’s particularly important that the email address and mobile phone number on your accounts are correct, as these are the most common ways to prove your identity if you get locked out.