Each year on May 4th, people celebrate Star Wars, but the day is also marked annually by World Password Day. Far more boring, yes, but also much more important.
Important, that is, for the security of any account you happen to hold online. It’s a well-known fact that far too many people still use the same password for different accounts – maybe even all of them.
It doesn’t take a tech expert to figure out that this is extremely risky. If a hacker manages to steal your login details for one account – perhaps through a single company’s sloppy security practices where they store your password in plain text – chances are they’ll try those same details and see if they can log into financial websites, social media accounts and shopping sites to get more of your personal details and even take your money.
Nord Security, which runs NordVPN and NordPass, put together a list of the top 200 passwords used in 2022. A staggering 83% of them can be cracked in a matter of seconds, which means a hacker wouldn’t even need to stumble across a database of unencrypted passwords: software (including some of the latest AI tools) can do the job for them.
Of course, there are various things you can do to keep your accounts safe, the most obvious being to use the strongest possible password, one that would take a computer millions of years to crack. The longer a password is, the stronger it is: a fact too few people know.
Get a password manager
In an ideal world you wouldn’t use that single strong password for every account: you’d have a different strong one for each of them.
And the only way that’s feasible is if you start using a password manager such as Bitwarden or even the one built into your web browser.
Password managers securely store not just your passwords but also your email address and usernames that are also required to log into an account. Better still – and this is surely the key reason to use a password manager – they can automatically fill in those details whenever you see a login screen.
All you have to remember is one ‘master password’ which keeps the logins in the password manager safe. But if your phone, laptop or tablet has some kind of biometric authentication – such as a fingerprint reader or face recognition – then you don’t even have to type in that master password.

Once installed, a password manager will offer to remember the details whenever you log into a website for which it has no saved login. So it’s really no hassle to start using one.
They can also generate strong passwords for you, and some can also dream up unique usernames that don’t contain your real name. They can often highlight any duplicate passwords you’ve used across different accounts, too, so you can change them all to unique passwords.
You might already use the password manager built into your web browser or phone (such as Google Chrome or Apple Keychain). That’s a good start, but it’s most convenient to use a password manager which works on all your devices. This way you’ll have your logins at your fingertips even if you don’t use Chrome or Apple products exclusively.
Here’s how to use a password manager.
Turn on two-factor authentication
The other useful thing you can do in addition to using a password manager is to enable two-step verification on every account and service that supports it.
Banks already use this system to keep your money safe, but you’ll find you can also use it with some email accounts, home security systems and other services.
Honestly, using 2FA is less convenient but it’s a whole lot more secure than a password alone. Even if someone gets hold of your password, they won’t be able to enter the second piece of security information, unless they also have access to your phone or email account which is unlikely.
Often, that second ‘factor’ is a numeric code sent to you by email or SMS and you type it in after your normal email address and password combo.

A few well-known services that offer two-factor authentication include Google, Apple, Nest, Facebook, Instagram, Twitter, Microsoft, Dropbox, LinkedIn, Snapchat and Yahoo, among others.
Strong, complex passwords are great, but they’re only great if the service you use them with is secure and stores your details – including password – in an encrypted format. That’s why two-factor authentication is the best way, currently, to keep your accounts really secure.
Expert tips for keeping passwords safe
Here’s what the experts say about protecting passwords and ensuring they can’t fall into the wrong hands.
Raj Samani, Chief Scientist and McAfee Fellow says, “Passwords which include personal information, such as your name, or pet’s name, make them easier to guess. This is especially true when we share a lot of personal information online, making it easier for online criminals to make guesses about your password.
You should also never share a password, even with a close relative. While this may seem harmless, sharing these details could result in critical personal information falling into the wrong hands. In fact, McAfee recommends changing your passwords about every three months at a minimum. This is so that if a password has been shared or compromised, the safety of your online information has a higher chance of being kept safe by making this change.”
Hosting provider Fasthosts recommends using passphrases instead of passwords. Where a password may be a word or sequence of characters, a passphrase combines multiple words to create a complex form of authentication. This makes them much easier to remember, but also makes them much more difficult for people or bots to crack.
A strong passphrase should contain at least 15 characters – a mix of letter cases, numbers and special characters. You could also use obscure words and maybe a word in a different language. Whatever you use, the words should be memorable to you, but difficult for someone else to guess. Passphrases are a great defence against password cracking tools and brute force attacks.
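To put numbers on the two claims above (that length matters more than complexity, and that a passphrase should run to at least 15 characters), here is an added worked example that is not from the article or any of the companies it quotes. It computes the brute-force search space in bits for constructed sample passwords and the worst-case time to exhaust it; the guess rate of 10 billion per second is an assumption chosen for illustration, and the dictionary-word bound shows why a passphrase made of common words should be measured by its word count, not its character count.

```python
import math

# Assumption for illustration only: an offline guessing rate of 10 billion
# guesses per second. The article gives no rate; this figure is constructed.
ASSUMED_GUESSES_PER_SECOND = 1e10

# Character classes an attacker must cover once they know which ones appear.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def alphabet_size(password: str) -> int:
    """Smallest alphabet covering every character class used in the password."""
    used = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    return sum(CLASS_SIZES[name] for name, present in used.items() if present)


def entropy_bits(password: str) -> float:
    """Search space in bits: length * log2(alphabet). Each extra character
    multiplies the space by the alphabet size, which is why length dominates."""
    return len(password) * math.log2(alphabet_size(password))


def passphrase_word_bits(n_words: int, wordlist_size: int) -> float:
    """Search space if the attacker knows the words come from a known list.
    For a dictionary-word passphrase this, not the character count, is the
    honest measure of strength."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2.0 ** bits / rate


def compare(candidates: dict) -> dict:
    """Map label -> (bits, seconds to exhaust) for each sample password."""
    return {label: (entropy_bits(pw), seconds_to_exhaust(entropy_bits(pw)))
            for label, pw in candidates.items()}


if __name__ == "__main__":
    # Constructed samples chosen to mirror the lengths the article mentions.
    samples = {
        "8 lowercase": "password",
        "15-char passphrase": "Correct-Horse-9",
        "32-char mixed": "r7$Kq2!pLm9#Xw4&Zt6@Bn8^Vc1%Yh3*",
    }
    for label, (bits, secs) in compare(samples).items():
        print(f"{label:20s} {bits:6.1f} bits  {secs / 31_557_600:.3g} years")
```

At the assumed rate the 8-letter lowercase sample is exhausted in about 20 seconds, while the 15-character mixed passphrase takes on the order of 10^12 years; a 4-word passphrase drawn from a 7776-word list sits at about 52 bits, far below its 20-odd characters would suggest.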
Hidden24’s Fredrik Bernsel recommends keeping your passwords stored locally and not in the cloud. “I keep my logins in a password manager on my computer’s hard drive, which is encrypted. I don’t use any syncing capability to avoid all my passwords being stored in the cloud, which adds unnecessary risk.”
“It’s fine to allow your web browser to store those logins for websites but, again, only if they’re still stored on your hard drive and not in the cloud. I’d also recommend using the longest passwords you can: 32 characters is best as the longer they are, the harder they are to crack.”
Security and convenience don’t always go hand in hand, but it’s worth trading off some convenience for extra security. Even if you only use some of these tips for your highest-risk accounts – such as your bank – it’s worth it.
Bitwarden is one of the few password managers which offers a self-hosting option for those – like Fredrik – who don’t want their logins stored in the cloud. The company also had some other top tips to offer:
- Not every piece of login information needs to go in the password manager
- Two-factor authentication information could be kept outside of the password manager
- Consider “peppering” a password kept in the password manager with extra characters that only the user knows. After populating the password with the password manager, manually add this “pepper”
For example, you could have a system where your passwords end in !Pwd, but you don’t include that part when you store the password in your password manager. Then, even in the very unlikely event that someone managed to hack your encrypted password vault, none of the stored passwords would allow them to log into any website or app.
Finally, you could go old school and use pen and paper. McAfee doesn’t recommend this, and neither does Uswitch, but others do. Although writing passwords down in ‘plain text’ means anyone who finds the paper can read and use the information, the simple fact that they’re not stored digitally puts them out of reach of any remote attack.
Use Bitwarden’s peppering tip on top of that, and this can be a surprisingly secure – and free – way to keep your most important logins safe. Don’t lose the paper on which they’re written though, and you might want to store it in a fire- and water-proof container, such as a safe.