A recent survey carried out by Uswitch in the UK revealed some fairly shocking findings about people’s password habits.
You’d think, in 2022, that everyone would know they shouldn’t use their dog’s name and year of birth in a password, but apparently not. Almost 40% (of the 2000 UK adults surveyed) admitted to incorporating their pet’s name as part of their password and 30% include the year they were born. A staggering fifth of men still use ‘password’ in their password.
What’s less surprising is that 48% use the same password for multiple accounts. Combine that fact with the easy-to-guess passwords used and it’s a recipe for disaster. If a hacker manages to gain access to one of their accounts, chances are they’ll be able to use the very same details to log into other websites and social media accounts.
I get it: it's impossible to remember different passwords for every account and which one goes with which account. It’s far easier to use one (or maybe two or three) passwords and use them for everything.
The survey result that did surprise me was that around three-quarters of people polled changed their passwords regularly, which is a good habit to have. The longer you leave passwords the same, the more chance there is that they’ll be hacked from one website or another and sold on the dark web. Indeed, over 20% of respondents said their passwords have been hacked at least once.
Get a password manager
Though I disagree with Uswitch that it’s a terrible idea to write passwords down on paper (it can be a safe option if you keep that paper secure), a password manager is arguably more convenient.
They’ll securely store all your passwords and usernames and – this is surely the key reason to use one – automatically fill in those details whenever you see a login screen.
Password managers keep your logins safe by using a ‘master password’. That’s the only one you ever have to remember. But if your phone, laptop or tablet has some kind of biometric authentication - such as a fingerprint reader or face recognition - then you don’t even have to type in that master password.
Some password managers, including LastPass, have a feature where they can automatically log into an account and replace the old, weak password with a new, strong one.
They can also generate strong passwords for you, and some can also dream up unique usernames that don’t contain your real name.
You might already use the password manager built into your web browser or phone (such as Google Chrome or Apple Keychain). That’s a good start, but it’s most convenient to use a password manager which works on all your devices. This way you’ll have your logins at your fingertips even if you don’t use Chrome or Apple products exclusively.
If you do only one thing after reading this, then make sure it’s to install a password manager. Here’s our guide which explains how to use a password manager.
Turn on two-factor authentication
The other useful thing you can do in addition to using a password manager is to enable two-step verification on every account and service that supports it.
Banks already use this system to keep your money safe, but you’ll find you can also use it with some email accounts, home security systems and other services.
Honestly, using 2FA is less convenient but it’s a whole lot more secure than a password alone. Even if someone gets hold of your password, they won’t be able to enter the second piece of security information unless they also have access to your phone or email account, which is unlikely.
Often, that second ‘factor’ is a numeric code sent to you by email or SMS and you type it in after your normal email address and password combo.
A few well-known companies that offer two-factor authentication on their accounts include Google, Apple, Nest, Facebook, Instagram, Twitter, Microsoft, Dropbox, LinkedIn, Snapchat and Yahoo, among others.
Strong, complex passwords are great, but they’re only great if the service you use them with is secure and stores your details - including password - in an encrypted format. That’s why two-factor authentication is the best way, currently, to keep your accounts really secure.
Expert tips for keeping passwords safe
More than ever before, it's crucial to make sure no-one can steal your passwords. Here's what the experts say about protecting them and ensuring they can't fall into the wrong hands.
Raj Samani, Chief Scientist and McAfee Fellow says, "Passwords which include personal information, such as your name, or pet’s name, are easier to guess. This is especially true when we share a lot of personal information online, making it easier for online criminals to make guesses about your password.
You should also never share a password, even with a close relative. While this may seem harmless, sharing these details could result in critical personal information falling into the wrong hands. In fact, McAfee recommends changing your passwords about every three months at a minimum. This is so that if a password has been shared or compromised, the safety of your online information has a higher chance of being kept safe by making this change."
Hidden24's Fredrik Bernsel recommends keeping your passwords stored locally and not in the cloud. "I keep my logins in a password manager on my computer's hard drive, which is encrypted. I don't use any syncing capability to avoid all my passwords being stored in the cloud, which adds unnecessary risk."
"It's fine to allow your web browser to store those logins for websites but, again, only if they're still stored on your hard drive and not in the cloud. I'd also recommend using the longest passwords you can: 32 characters is best as the longer they are, the harder they are to crack."
Security and convenience don't always go hand in hand, but it's worth trading off some convenience for extra security. Even if you only use some of these tips for your highest-risk accounts - such as your bank - it's worth it.
Bitwarden is one of the only password managers which offers a self-hosting option for those - like Fredrik - who don't want their logins stored in the cloud. The company also had some other top tips to offer:
- Not every piece of login information needs to go in the password manager
- Two-factor authentication information could be kept outside of the password manager
- Consider "peppering" a password kept in the password manager with extra characters that only the user knows. After populating the password with the password manager, manually add this "pepper".
For example, you could have a system where your passwords end in !Pwd, but you don't include that part when you store the password in your password manager. Then, even in the very unlikely event that someone managed to break into your encrypted password vault, none of the stored passwords would let them log into any website or app.
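To make the peppering idea concrete, here is an added example (not from the article or from Bitwarden) that simulates a service storing only a salted hash of the full password, while the vault holds the password with the !Pwd suffix removed. The 28-character base length, the character set and the PBKDF2 settings are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed example: the pepper is remembered by the user and never
# written to the vault, following the article's "!Pwd" suggestion.
PEPPER = "!Pwd"
PBKDF2_ROUNDS = 200_000


def generate_password(length: int = 28) -> str:
    """Random base password, as a manager's generator would produce."""
    alphabet = string.ascii_letters + string.digits + "-_.,;:"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def service_register(password: str) -> dict:
    """Website side: keep a salt and a PBKDF2-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def service_login(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def vault_store(full_password: str, pepper: str) -> str:
    """What goes into the password manager: the password minus the pepper."""
    if not full_password.endswith(pepper):
        raise ValueError("password does not carry the expected pepper")
    return full_password[: -len(pepper)]


def demo() -> dict:
    """Autofill from the vault alone fails; vault entry plus typed pepper succeeds."""
    full = generate_password() + PEPPER
    record = service_register(full)
    vault_entry = vault_store(full, PEPPER)
    return {"vault_alone_works": service_login(record, vault_entry),
            "vault_plus_pepper_works": service_login(record, vault_entry + PEPPER)}
```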
Finally, you could go old school and use pen and paper. McAfee doesn't recommend this, and neither does Uswitch, but others do. Although writing passwords down in 'plain text' means anyone can read and use the information, the simple fact that they're not stored digitally makes them impossible to hack.
Use Bitwarden's peppering tip on top of that, and this can be a surprisingly secure - and free - way to keep your most important logins safe. Don't lose the paper on which they're written though, and you might want to store it in a fire- and water-proof container, such as a safe.