With so many websites and services that we sign into every day, from email and shopping sites to workplaces and social media, coming up with good passwords for each and every one of those can seem like climbing a mountain, especially as expert thinking on best practice is constantly evolving.
So we’ve rounded up some of the latest thinking on passwords and authentication to bring you the most up-to-date advice.
Use unique passwords for every account
When we say unique, we mean unique. We’ve seen suggestions that you use a base password and then tweak it for each site you log in to, but that’s now considered a really bad idea: passwords leak in data breaches, and once an attacker has one of yours they will quickly work out your system and try the obvious variants on every other site you use.
So to recap: you should have a different password for each and every site you log in to.
A passphrase is better than a password
Even if the website stores only a hashed version of your password rather than the password itself, a single word found in the dictionary can be cracked in seconds. Attackers run wordlists of common passwords through the same hash function and compare the results with the stolen hashes, and they use “rainbow tables”, precomputed tables of the hashes of huge numbers of likely passwords, so that a hash which hasn’t been “salted” with random data can simply be looked up rather than searched for.
Instead of using just one word as your password, use a phrase instead. However, don’t pick a quote that everyone knows because that’s just as easily guessed, and don’t base a passphrase on personal information that others could easily work out.
So if your partner’s name is John and his birthday is in August, a bad passphrase would be “John was born in August”. Pick something random that only you know: a good passphrase might be “Blue dogs walk backwards”.
It doesn’t even have to be a phrase that makes sense: three random words such as “umbrella cable kitten” is a decent passphrase.
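To put numbers on “decent”, here is a small added example (ours, not part of the original article) that generates a random-word passphrase the way a password manager would and works out how much guessing each choice forces on an attacker. The word list, the 100,000-word dictionary size and the two guessing rates (a fast unsalted hash versus a deliberately slow one) are assumptions for the demonstration; the 7,776-word figure is the size of the EFF long wordlist.

```python
import math
import secrets

# Constructed demo word list. A real generator should draw from a published list
# such as the EFF long wordlist (7,776 words): the size of the list, not the
# words themselves, is what sets the strength. (Assumption for the example.)
WORDS = [
    "umbrella", "cable", "kitten", "blue", "dog", "walk", "backwards", "lamp",
    "river", "pencil", "orbit", "velvet", "cactus", "marble", "tunnel", "quilt",
]
EFF_LIST_SIZE = 7776        # words in the EFF long list (6^5, chosen with five dice)
DICTIONARY_SIZE = 100_000   # assumed size of an ordinary English wordlist


def passphrase(words, count=3, sep=" "):
    """Pick `count` words independently and uniformly with a CSPRNG.
    `secrets` is used deliberately: the `random` module is predictable."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of `count` uniform picks from `list_size` options, in bits.
    Every extra bit doubles the attacker's average work."""
    return count * math.log2(list_size)


def crack_time_seconds(bits, guesses_per_second):
    """Expected time to guess: on average half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    FAST = 1e10  # assumed rate against a fast unsalted hash (offline, GPU)
    SLOW = 1e4   # assumed rate against a slow, salted key-derivation function
    print("generated:", passphrase(WORDS))
    for label, size, n in [
        ("one dictionary word", DICTIONARY_SIZE, 1),
        ("three EFF words", EFF_LIST_SIZE, 3),
        ("four EFF words", EFF_LIST_SIZE, 4),
        ("8 random printable characters", 95, 8),
    ]:
        bits = entropy_bits(size, n)
        print(f"{label:32s} {bits:5.1f} bits  "
              f"fast hash ~{crack_time_seconds(bits, FAST):.3g} s, "
              f"slow hash ~{crack_time_seconds(bits, SLOW):.3g} s")
```

The output is the caveat worth knowing: three words from a 7,776-word list is about 39 bits, which a site that stores passwords badly lets an attacker search in under a minute, while the same passphrase holds up for months against a properly slowed-down hash. Four words, or a manager-generated random string, is comfortable either way.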
Don’t use personal information as passwords
We touched on this in the previous point: anything that someone knows about you or could guess about you isn’t a good password.
So don’t use:
- Your pet’s name
- Your partner’s name
- Your middle name
- Your child’s name
- Your hometown
- Your place of birth
- Your mother’s maiden name
- Your maiden name
- Your favourite sport
- Your favourite team’s name
- Your favourite athlete’s name
- Your favourite holiday destination
- Your honeymoon destination
You get the drift. Also, be careful about inadvertently revealing personal details via social media: Facebook is full of quizzes that get you to share this kind of data. Doing them might seem harmless, but the risks are real.
Many websites insist that you use special characters – numbers, capital letters and symbols – in your passwords, so it’s tempting to replace letters of the alphabet with numbers and symbols that look similar so that “password” becomes “p@$$w0rd”.
But don’t do this. Hackers know that trick too: cracking tools apply exactly these substitutions automatically as “rules”, so “p@$$w0rd” falls about as quickly as “password”.
If a website insists that you use special characters, insert them into your passphrase. To use the example we picked before, you could turn “umbrella cable kitten” into “&umbrella+Cable!kitten*”.
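The two points above, that precomputed hashes of common passwords make an unsalted hash a simple lookup and that look-alike substitutions don’t help, can be shown together. The example below is ours, not code from the article or from any cracking tool: it expands a (constructed, tiny) list of common passwords with the substitution and suffix rules crackers use, precomputes their unsalted SHA-1 hashes, and then shows that salting with a slow key-derivation function (here PBKDF2-HMAC-SHA256 from the Python standard library) makes the precomputed table useless. The word list, rules and iteration count are assumptions chosen to keep it small.

```python
import hashlib
import hmac
import itertools
import os

# Constructed stand-in for a "most common passwords" list; real cracking
# wordlists run to hundreds of millions of entries.
COMMON_WORDS = ["password", "letmein", "qwerty", "welcome", "monkey", "dragon"]

# Substitution and suffix rules of the kind every cracking tool ships with.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
SUFFIXES = ["", "1", "123", "!", "2018"]


def mangle(word):
    """Yield the variants a rule-based cracker tries for one wordlist entry:
    every mix of look-alike substitutions, an initial capital, common suffixes.
    'password' alone expands to 540 candidates."""
    positions = [c + LEET.get(c, "") for c in word]  # original letter or a look-alike
    for combo in itertools.product(*positions):
        base = "".join(combo)
        for variant in (base, base.capitalize()):
            for suffix in SUFFIXES:
                yield variant + suffix


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_table(words):
    """Precompute the unsalted SHA-1 of every variant once. A real rainbow
    table compresses this with hash chains, but the effect is the same: a
    stolen unsalted hash becomes a lookup, not a search."""
    return {sha1_hex(candidate): candidate for w in words for candidate in mangle(w)}


def crack(table, stolen_hash):
    """One dictionary lookup per leaked hash, however many accounts leaked."""
    return table.get(stolen_hash.lower())


def store_salted(password, salt=None, iterations=100_000):
    """How a site should store a password: a random per-user salt plus a slow
    key-derivation function. The salt means no precomputed table applies and
    two users with the same password get different hashes."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_salted(password, salt, stored, iterations=100_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    table = build_table(COMMON_WORDS)
    print(f"table holds {len(table)} precomputed hashes")
    for pw in ["p@$$w0rd", "Letmein123", "umbrella cable kitten"]:
        print(f"{pw!r:28} -> {crack(table, sha1_hex(pw))!r}")
    salt_a, hash_a = store_salted("p@$$w0rd")
    salt_b, hash_b = store_salted("p@$$w0rd")
    print("same password, different salted hashes:", hash_a != hash_b)
    print("verify right password:", verify_salted("p@$$w0rd", salt_a, hash_a))
```

“p@$$w0rd” and “Letmein123” come straight out of the table; “umbrella cable kitten” does not, because no rule turns a common word into three unrelated ones. Note that salting only protects you if the site does it: you can’t check that from outside, which is why the passphrase has to be strong in its own right.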
Pick long passwords
Many websites have a minimum character count for passwords anyway, but the longer the password you choose, the harder it is for a hacker to crack: every extra character multiplies the number of guesses needed. Again, a passphrase is better than a single word.
Don’t let your browser store your passwords
Most browsers will offer to store your passwords for you, autofilling forms when you need them. It’s tempting to let them do that – remembering a lot of passwords is hard.
But malware that gets on to your computer can read the passwords you have stored in your browser, since anything running under your account can open what your browser can open, and hand your credentials to hackers. This isn’t a theoretical risk: it has happened more than once, with the most recent flaws being discovered by security researchers as recently as January 2018.
Don’t write down your passwords
It’s tempting to write a list of your passwords and refer to that rather than relying on your memory.
That said, a list of unique, strong passwords that you write down and keep secure is better than using the same easy-to-crack password on all your websites. We’d still rather you used a password manager (see below), but if you must write passwords down, don’t leave the list lying on your desk: lock it in a safe or a secure drawer, away from your computer. You might live alone, or think you can trust the people you live with, but you might be burgled, and an intruder who takes your laptop could get away with your passwords, too.
Use a password manager
How best to store a long list of complex passwords, especially if your memory isn’t quite what it should be? The answer is a password manager.
Password managers are programs that look after your passwords for you, and in most cases will also generate strong unguessable passwords and then make sure they’re associated with the right websites.
There are several to choose from, but they all do more or less the same thing, i.e. create an encrypted vault that stores all your passwords, generate new passwords and in most cases fill in passwords on websites for you. The vault is encrypted with a key derived from your master password, so that one password must be a strong, unique passphrase that you never use anywhere else, and many managers let you protect it with 2FA as well.
We haven’t done a thorough test of password managers here at Which?, but many of us on the Computing and Helpdesk team use LastPass. Do check out other alternatives such as Dashlane, RoboForm and KeePass. Most of these have a free and a paid-for option, and most will have apps and browser extensions so that you can use them on all your devices – your laptop, your mobile, your tablet or your Chromebook.
Other password security tips
One of the best steps you can take to protect your accounts from hacking is to use two-factor authentication, also known as 2FA.
Most websites offer it nowadays, though you might have to dig around in your account settings to find it.
2FA means that your password alone isn’t enough: after you enter it, the site asks for a second proof that it’s you, typically a one-time code sent by SMS to your mobile phone, generated by an authenticator app, or produced by a small hardware key. Some sites only ask for the code when you log in from a device or location they haven’t seen before; others ask every time. Either way, if it’s you logging in from a new computer you can type in the code and complete your log-in, but a hacker who has only your password doesn’t have your phone or key and won’t be able to finish logging in, and so won’t be able to access your account.
Instead of SMS, you can use a hardware key such as a YubiKey, or an authenticator app such as Google Authenticator or Okta Verify. The app generates the codes on the device itself from a secret it was given when you set it up, so no text message has to reach you and a fresh code is available every 30 seconds or so even when the phone has no signal.
The thinking here is that while getting an SMS on your mobile phone is a convenient way of confirming a log-in, it is the weakest of the options: if your phone is stolen you would be unable to verify new sign-ins and, worse, the thief would receive log-in codes meant for you, and an attacker who talks your mobile provider into moving your number to a SIM they control gets the codes without ever touching your phone.
More and more devices come with biometric capabilities, meaning you can use a fingerprint, a face scan or an iris scan to log in instead of a password or a Pin.
Biometrics is a good, quick, low-friction way to log in to your phone or other device, and you can increasingly use your fingerprint or other method to log in to websites and services, too.
No method of authentication is perfect – they all carry risks. Passwords can be guessed, password managers can be hacked, 2FA can be bypassed and biometrics can be spoofed.
But looking after passwords and our online accounts is about making sure we take the steps most appropriate to our individual cases. Most authentication methods are plenty good enough for everyday use by ordinary people: it’s better to have 2FA sending SMS codes to your phone than not to have it turned on at all, for example.
It used to be the case that you were urged to change your passwords regularly, and many organisations still enforce regular password changes.
However, current thinking is that this isn’t the good idea we used to think it is. The National Cyber Security Centre (NCSC) now explicitly recommends that you don’t change passwords unless you have to because your password has been stolen.
That’s because we’ve learned since that advice was first published that people don’t like having to come up with new passwords, and tend to recycle previous ones or make small, predictable changes (adding one to the number on the end, for instance), which, as we’ve seen, isn’t a good idea.
So don’t change passwords for the sake of it: if you’ve got a strong password you haven’t used anywhere else, it will protect your account for a long time.
Checking if your password has been compromised
With so many data breaches having happened, it’s perhaps inevitable that one of your accounts will at some point have been compromised. If you’ve got an account with Adobe, Yahoo!, Equifax, TalkTalk or many other big organisations, there’s a good chance your account details were caught up in it.
If your account is part of a breach, the organisation should let you know, but to be on the safe side, you can check for yourself. Go to https://haveibeenpwned.com, which is a public service website created and maintained by one of the most respected names in the security industry, Troy Hunt. It’s safe to put your email address into the web form: it will tell you if an account associated with that address appears in any of the breaches it holds data on, and it holds data on most of the big ones. The same site’s Pwned Passwords service lets you check whether a password itself has turned up in a breach, and it is designed so that the password is never sent to the site.
Don’t panic if you do find that your account has been breached somewhere, but make sure you change the password for that account straight away, that you change it anywhere else you used the same password, and that you turn on 2FA for the account if it’s offered.
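The “never sent to the site” part is worth seeing, so here is an added example of ours (not code from Have I Been Pwned) of how the Pwned Passwords range lookup works: the password is SHA-1 hashed locally, only the first five hex characters of the hash are sent, the service returns every hash suffix in that range with a breach count, and the match is made on your own machine. The response body below is constructed to match the shape of the service’s reply; apart from the suffix of SHA-1(“password”), the suffixes and counts in it are made up, and the lookup function takes the fetch as a parameter so the logic runs offline.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"

# Constructed response in the shape the range endpoint returns: each line is
# the remaining 35 hex characters of a SHA-1 hash and how often it appeared in
# breaches. The counts and the other suffixes are made up for the example; the
# third line is the real suffix of SHA-1("password").
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5C6E28D0C9A6D3EC2AB6E8B1A8C6C9B2D:0
"""


def split_hash(password):
    """SHA-1 the password locally; only the first 5 hex chars leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}. Padded responses contain
    dummy entries with count 0, which never match a real password anyway."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup (needs the network). Add-Padding makes every reply a similar
    size, so someone watching the traffic learns even less from its length."""
    req = urllib.request.Request(
        API + prefix,
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in known breaches (0 = not seen).
    `fetch` is injectable so the matching logic can run against sample data."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline stand-in: returns the constructed body whatever the prefix.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for pw in ["password", "umbrella cable kitten"]:
        print(f"{pw!r}: seen {pwned_count(pw, fetch=offline)} times (sample data)")
```

A count of zero means the password hasn’t appeared in the breaches the service knows about, not that it is strong; a count above zero means it is already on attackers’ wordlists and should be retired wherever you use it.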
Make sure your contact details are up to date
One useful task is to make sure that you’re not using an old email address or phone number with an online account, so if you need to reset your password the link to do that is sent to the right inbox, not an old one you no longer have access to.
In conclusion …
All this sounds like a lot to take in, but in summary, the main things to remember are:
- Use a unique password for every website, and never re-use one
- A passphrase is better than a single password
- Don’t use personal information as a password
- Use a password manager
- Use 2FA everywhere
- Don’t change passwords regularly