02 Dec 2021
Simple steps for using passwords securely online
It’s best to create unique, hard-to-guess passwords for all our online accounts. However, we understand that creating and remembering all your passwords can be challenging. In this article, we’ll take you through our recommendations for effective password management.
Common password pitfalls
We often default to predictable patterns, such as using a zero in place of an ‘o’ or adding an exclamation mark to meet complexity rules. Attackers also know that we tend to build passwords from information they can find on social media, such as a pet’s name. They use these patterns and this information to tune their password-guessing attacks.
Another common pitfall is reusing passwords across multiple accounts. This is particularly dangerous as it means that if a criminal manages to get one of your passwords, they could gain access to multiple accounts.
What makes a strong password?
Using three random words is an ideal way to create strong passwords that are unique and easy to remember. The National Cyber Security Centre (NCSC) suggests these main reasons for using this approach:
- Length - Passwords made from multiple words will be longer and meet minimum length requirements
- Novelty - The unpredictability of this method makes it very difficult for hackers to guess
- Usability - It’s easier to remember a three random word password than one which contains a complex range of characters
For more about the NCSC’s password suggestions, and other top security tips, visit the NCSC website.
But what if I need to meet password criteria?
We recognise that a password built using the ‘three random words’ approach might not meet the criteria some accounts require (such as including numbers or special characters). You can still add numbers and symbols where needed, for example: 3redhousemonkeys?27
How am I supposed to remember all my different passwords? – Password managers
Password managers are a great way to help keep your accounts secure. They allow you to have strong, different passwords for each account, whilst only needing to remember one password yourself.
What is a password manager and why use one?
A password manager is an application on your device that securely stores your passwords, so you don’t need to remember them all. You can access any of the stored passwords with a ‘master password’ that you set. They can be stand-alone applications or built into a browser.
Password managers are designed to make using, generating, and storing passwords easier and more secure. Many password managers can also automatically enter the appropriate password into websites and apps on your behalf, so you don’t have to type them in every time you log in.
How does a password manager work?
A password manager acts as an encrypted ‘safe’ that stores all your passwords. You will have one ‘master password’ that lets you access that safe, make changes to your passwords and add new ones.
Some password managers can generate passwords for you, making it much easier to have a different password for each of your accounts, avoiding the common pitfall of reusing passwords. The passwords these managers generate are even stronger than passwords we create ourselves, as they contain random strings of characters that we wouldn’t be able to easily remember on our own.
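The ‘three random words’ approach above and the random passwords a manager generates, shown side by side as an added example (not code from the article or from the NCSC). The word list is a small constructed sample, and the policy rules and the 7776-word list size used for comparison are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed sample list for illustration only; a real word list (the EFF
# diceware list has 7776 entries) is what makes the guess space large.
WORD_LIST = ["red", "house", "monkeys", "river", "candle", "orbit", "pencil",
             "garden", "thunder", "velvet", "cobalt", "lantern", "meadow",
             "anchor", "puzzle", "harbour"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

def three_random_words(words=WORD_LIST, count=3):
    """Pick words independently with a cryptographically secure RNG."""
    return [secrets.choice(words) for _ in range(count)]

def meets_policy(password, min_length=12, need_digit=False, need_symbol=False):
    """Check a password against the kind of rules a site may impose (assumed)."""
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return (len(password) >= min_length
            and (has_digit or not need_digit)
            and (has_symbol or not need_symbol))

def build_passphrase(min_length=12, need_digit=False, need_symbol=False,
                     words=WORD_LIST):
    """Join three random words; append a symbol and two digits only when the
    policy demands them, following the article's 3redhousemonkeys?27 example."""
    password = "".join(three_random_words(words))
    while len(password) < min_length:      # lengthen with more words, not filler
        password += secrets.choice(words)
    if need_symbol:
        password += secrets.choice("?!#%")
    if need_digit:
        password += f"{secrets.randbelow(100):02d}"
    return password

def manager_style_password(length=16, alphabet=PRINTABLE):
    """What a password manager generates: random characters rather than words."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def guess_space_bits(choices, picks):
    """log2 of the number of equally likely outputs when each of `picks` slots is
    drawn from `choices` options: the attacker's work when the method is known."""
    return picks * math.log2(choices)

if __name__ == "__main__":
    print(build_passphrase(need_digit=True, need_symbol=True))
    print(f"{guess_space_bits(7776, 3):.1f} bits: 3 words from a 7776-word list")
    print(f"{guess_space_bits(len(PRINTABLE), 16):.1f} bits: 16 random characters")
```

With the 16-word sample list the three-word guess space is only 12 bits, which is why the size and randomness of the word list matters more than the added digits or symbols.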
How do I protect my password manager?
As your manager will contain all your passwords, it’s important to make sure it’s secure. You’ll also need to ensure that you’re always able to get into your password manager yourself, so you don’t risk losing access to your passwords.
Protecting your password manager is easier than you might think. Here are some steps you can take:
- Set up two-factor authentication. For example, a biometric scan or a one-time response code. If you have the option, set up more than one method so you have a backup for getting into your manager
- Make sure that you install updates for your password manager when prompted to. If you’re using a manager that’s built into your browser, make sure you’re using the most up to date version of the browser
- Choose a strong ‘master password’ for your password manager using the ‘three random words’ approach. You can’t store your ‘master password’ in the manager itself, so it’s important that it’s both secure and memorable. Don’t store your master password on any devices
If you’re using a password manager built into Safari or Google Chrome, it will already be protected by your existing Apple ID or Google Account. Your existing password for that account will act as the master password for the built-in manager, so it’s important to set this password in line with the guidance above.
How does two-factor authentication work?
Two-factor authentication requires you to enter additional information beyond just your password to verify that it’s really you. This means that even if a criminal manages to obtain your password, they may still be unable to access your account.
Examples of two-factor authentication include biometric scans (like facial recognition when unlocking phones), and one-time passcodes, normally sent via text message or generated by an authenticator app.
When you log in to an account with two-factor authentication active, you’ll be prompted to enter your account password and then complete the second authentication step. You can turn two-factor authentication on from within the settings of your password manager.
We hope you found this useful. Please do share this information, as the more people use stronger, more effective password management, the safer they’ll be. Collectively we can beat the fraudsters!
You can visit our security centre or join a free webinar to find out about common threats and scams. You can also explore the advice and resources of our security partner, the National Cyber Security Centre.