Being the first Thursday in May, it’s World Password Day again. The whole point of this manufactured day is to raise awareness of the importance of using a unique password for each account you have.
Intel started World Password Day in 2013, apparently inspired by the 2005 book Perfect Passwords. The mere fact that the day still exists means there are still too many people using the same password for everything.
We get it: it's impossible to remember dozens of different passwords and which one you chose for which account, and that's why so many people still use one or a few similar passwords which are a variation on a theme.
Although there are alternatives to passwords that websites and apps could use, they’re either too expensive, too time-consuming or too insecure to serve as a replacement. So we are stuck with passwords as a means of logging in.
Using the same email address and password for lots of websites, from forums to your bank accounts, is seriously risky. One day one of those sites is going to be hacked and your email address and password exposed.
Since hackers know people re-use passwords, they'll try those details to log into banks and other websites until sooner or later they'll find one that works. They could get more of your personal information or even your money.
So the aim of this article is to encourage you to go through your important online accounts and change the password.
Get a password manager
The good news is that there are apps which will remember all the passwords for you. The best password managers will offer to enter your email address and password whenever you see a login screen. If the device you’re using has some kind of biometric authentication - such as a fingerprint reader or Face ID - you can use that to prove it’s you and grant permission for the password manager to retrieve the details and enter them.
So, you don’t even have to open the app, look up the login and then copy and paste the details. It all happens automatically.
- If you're looking for a great, free password manager then try Bitwarden.
Some password managers, including LastPass, have a feature which can automatically log into an account and replace the old, weak password with a new, strong one.
They can also generate strong passwords for you.
You might already use the password manager built into your web browser or phone (such as Apple Keychain). That’s a good start, but it’s most convenient to use a password manager which works on all your devices because this way you’ll have your logins at your fingertips even if you move, say, from an iPhone to Android.
If you do only one thing after reading this, then make sure it’s to install a password manager. Here’s our guide which explains how to use a password manager.
Turn on two-factor authentication
Banks already use two-factor authentication ('2FA') to keep your money safe, but a lot of other services and websites now offer it too, and you should use it wherever you can.
It’s less convenient but a whole lot more secure than a password alone.
You still enter your email address or username and password, but after that a separate code is sent to you by email or SMS, and you have to enter this unique code to gain access to your account.
So, even if someone has got hold of your password, unless they also have access to your phone or email account, they still can’t do anything with it.
You can use 2FA on your Google, Apple, Nest, Facebook, Instagram, Twitter, Microsoft, Dropbox, LinkedIn, Snapchat and Yahoo accounts, among others.
Strong, complex passwords are great, but they’re only great if the service you use them with is secure and stores your details, including your password, in a protected form (hashed or encrypted, never plain text). That’s why two-factor authentication is currently the best way to secure your accounts.
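The second step described above can be modelled in a few lines. The following is an added example, not code from the original article or from any of the services it names: a constructed site stores only a salted hash of the password, issues a random six-digit code as the second factor, and accepts that code once only and only before it expires. The account name, password, salt and the five-minute lifetime are all made up for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo credential. The site stores only a salted, slow hash of the
# password, never the password itself. Salt and password are made up here.
SALT = b"demo-salt-constructed-for-this-example"
STORED_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, 100_000)

CODE_TTL_SECONDS = 300  # a delivered code stays valid for five minutes (assumed policy)

# Codes waiting to be used, keyed by username: (code, expiry timestamp)
_pending: Dict[str, Tuple[str, float]] = {}


def password_ok(password: str) -> bool:
    """First factor: hash the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, STORED_HASH)


def issue_code(username: str, now: Optional[float] = None) -> str:
    """Second factor: mint a fresh six-digit code and remember when it expires.

    A real service would send this code to the user's phone or e-mail; here it
    is returned so the whole flow can be exercised offline.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"  # unpredictable, from the OS CSPRNG
    _pending[username] = (code, now + CODE_TTL_SECONDS)
    return code


def verify_code(username: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept a code once only, before it expires, using a constant-time compare."""
    now = time.time() if now is None else now
    entry = _pending.pop(username, None)  # consumed whether or not it matches
    if entry is None:
        return False
    code, expires_at = entry
    if now > expires_at:
        return False
    return hmac.compare_digest(code, submitted)


if __name__ == "__main__":
    code = issue_code("alice")
    owner = password_ok("correct horse battery staple") and verify_code("alice", code)
    print("owner logs in:", owner)
    print("same code replayed:", verify_code("alice", code))
```

Someone holding only the leaked password passes `password_ok` but is stopped at `verify_code`, because the code went to the owner's phone or inbox. The one-time and expiry checks matter as much as the code itself: without them a code captured once could be reused indefinitely.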
Expert tips for keeping your passwords safe
More than ever before, it's crucial to make sure no-one can steal your passwords. Here's what the experts say about protecting them and ensuring they can't fall into the wrong hands.
Raj Samani, Chief Scientist and McAfee Fellow, says, "Passwords which include personal information, such as your name or your pet’s name, make them easier to guess. This is especially true when we share a lot of personal information online, making it easier for online criminals to make guesses about your password.
You should also never share a password, even with a close relative. While this may seem harmless, sharing these details could result in critical personal information falling into the wrong hands. In fact, McAfee recommends changing your passwords about every three months at a minimum. This is so that if a password has been shared or compromised, the safety of your online information has a higher chance of being kept safe by making this change."
Hidden24's Fredrik Bernsel recommends keeping your passwords stored locally and not in the cloud. "I keep my logins in a password manager on my computer's hard drive, which is encrypted. I don't use any syncing capability to avoid all my passwords being stored in the cloud, which adds unnecessary risk."
"It's fine to allow your web browser to store those logins for websites but, again, only if they're still stored on your hard drive and not in the cloud. I'd also recommend using the longest passwords you can: 32 characters is best as the longer they are, the harder they are to crack."
Security and convenience don't always go hand in hand, but it's worth trading off some convenience for extra security. Even if you only use some of these tips for your highest-risk accounts - such as your bank - it's worth it.
Bitwarden is one of the few password managers which offers a self-hosting option for those - like Fredrik - who don't want their logins stored in the cloud. The company also had some other top tips to offer:
- Not every piece of login information needs to go in the password manager
- Two-factor authentication information could be kept outside of the password manager
- Consider "peppering" a password kept in the password manager with extra characters that only you know. After the password manager fills in the stored part, type this "pepper" yourself
For example, you could have a system where your passwords end in !Pwd, but you don't include that part when you store the password in your password manager. Then, even in the very unlikely event that someone managed to hack your encrypted password vault, none of the stored passwords would allow them to log into any website or app.
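To make the peppering idea concrete, here is an added example that is not part of the original article and not Bitwarden's code. It models three parties: a generator that produces the random part of a password (as a manager would), a website that keeps only a salted hash of the full password, and a vault that stores the password with the "!Pwd" pepper from the article stripped off. The salt and the password material are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import string

# Constructed values for this example. "!Pwd" is the article's own illustration of
# a pepper; the salt stands in for the per-account random salt a site would generate.
PEPPER = "!Pwd"
SITE_SALT = b"constructed-site-salt"


def generate_password(length: int = 20) -> str:
    """What a password manager's generator does: a random string from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "-_.,;:"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def site_hash(password: str) -> bytes:
    """What a well-run website stores: a salted, slow hash of the full password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SITE_SALT, 100_000)


def site_login(stored_hash: bytes, attempt: str) -> bool:
    """The website's check: hash the attempt and compare in constant time."""
    return hmac.compare_digest(site_hash(attempt), stored_hash)


def vault_store(full_password: str, pepper: str = PEPPER) -> str:
    """Save only the part before the pepper, so the vault never holds a working password."""
    if not full_password.endswith(pepper):
        raise ValueError("full password must end with the pepper")
    return full_password[: -len(pepper)]


def vault_fill(vault_entry: str, pepper: str = PEPPER) -> str:
    """The manager fills the stored part; the user types the pepper after it."""
    return vault_entry + pepper


def demo() -> dict:
    """Walk through the scenario the article describes and report each outcome."""
    full = generate_password() + PEPPER  # random part from the manager, pepper from memory
    registered = site_hash(full)         # what the website keeps
    entry = vault_store(full)            # what the vault keeps
    return {
        "vault_holds_full_password": entry == full,
        "leaked_vault_entry_logs_in": site_login(registered, entry),
        "entry_plus_pepper_logs_in": site_login(registered, vault_fill(entry)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The pepper only helps against a leaked or stolen vault: a copy of the vault entry fails `site_login`, while the entry with the pepper typed after it succeeds. It does nothing for a breach of the website itself, which is why the site still has to hash what it stores, and it works only if the pepper is the same everywhere, otherwise you are back to remembering one secret per site.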
Finally, you could go old school and use pen and paper. McAfee doesn't recommend this, but others do. Although writing them down in 'plain text' means anyone who finds the paper can read and use the information, the simple fact that it's not stored digitally means it can't be stolen by malware or in a data breach. Use Bitwarden's peppering tip on top of that, and it's a surprisingly secure - and free - way to keep your most important logins safe. Don't lose the paper on which they're written though, and you might want to store it in a fire- and water-proof container!