Today we celebrate World Password Day, an annual event that takes place around the world on the first Thursday of every May and serves to raise awareness for the importance of strong passwords and best practices for online account security.

With so many websites and services that we sign into every day, from email and shopping sites to workplaces and social media, coming up with good passwords for each and every one of those can seem like climbing a mountain, especially as expert thinking on best practice is constantly evolving.

To help you choose your passwords and keep them safe, here are some tips that will help you overcome your creative writer’s block when trying to concoct these ciphers.

You should have a different password for each site you log in to

When we say unique, we mean unique. We’ve seen suggestions that you use a base password and then tweak it for each site you log in to, but that’s now considered a really bad idea: once an attacker gets hold of your base password, they would quickly work out your system for other sites and all of them could be hacked.

A passphrase is better than a password

Even if the website encrypts (hashes) your password rather than storing it in plain text, single words found in the dictionary can be easily cracked. Hackers use “rainbow tables”, which are precomputed lists of the hash, or encrypted version, of the most commonly used passwords.

Instead of using just one word as your password, use a phrase instead. However, don’t pick a quote that everyone knows because that’s just as easily guessed, and don’t base a passphrase on personal information that others could easily work out. So if your partner’s name is Alex and his birthday is in August, a bad passphrase would be “Alex was born in August”. Pick something random that only you know: a good passphrase might be “Golf clubs and ice cold rice”. It doesn’t even have to be a phrase that makes sense: three random words such as “cane radio squirrel” is a decent passphrase.
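The two points above, that a hashed dictionary word is still recovered instantly from a precomputed table while a random passphrase is not, as an added Python example that is not part of the original post. The common-password list and wordlist are tiny constructed stand-ins, and the table is a simplified hash lookup table rather than a true chained rainbow table; the salted variant shows the server-side defence against such precomputation.

```python
import hashlib
import secrets

# Constructed stand-in for a "most common passwords" list (real lists hold millions)
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "monkey", "football"]
# Constructed stand-in for a diceware-style wordlist (real lists have ~7776 words)
WORDLIST = ["cane", "radio", "squirrel", "golf", "ice", "rice", "lantern", "pebble", "copper", "meadow"]


def sha256_hex(data: str) -> str:
    """Unsalted hash, the weak storage form that precomputed tables target."""
    return hashlib.sha256(data.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once; the simplified idea behind a rainbow table."""
    return {sha256_hex(p): p for p in candidates}


def crack_unsalted(stored_hash: str, table: dict):
    """A stored hash is 'cracked' by a single dictionary lookup, no guessing needed."""
    return table.get(stored_hash)


def hash_with_salt(password: str, salt: bytes) -> str:
    """Per-user salt means the attacker's table, built without the salt, no longer matches."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def random_passphrase(words: int = 3, wordlist=WORDLIST) -> str:
    """Three words picked with a CSPRNG, in the style of 'cane radio squirrel'."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'password' ->", crack_unsalted(sha256_hex("password"), table))
    print("salted 'password'   ->", crack_unsalted(hash_with_salt("password", secrets.token_bytes(16)), table))
    phrase = random_passphrase()
    print("random passphrase    ->", repr(phrase), crack_unsalted(sha256_hex(phrase), table))
```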

Don’t use personal information as passwords

We touched on this in the previous point: anything that someone knows about you or could guess about you isn’t a good password. So don’t use:

  • Your pet’s name
  • Your partner’s name
  • Your middle name
  • Your child’s name
  • Your hometown
  • Your place of birth
  • Your mother’s maiden name
  • Your maiden name

You get the drift. Also, be careful about inadvertently revealing personal details via social media: Facebook is full of quizzes that get you to share this kind of data. Doing them might seem harmless, but the risks are real.

Special characters

Many websites insist that you use special characters – numbers, capital letters and symbols – in your passwords, so it’s tempting to replace letters of the alphabet with numbers and symbols that look similar so that “password” becomes “p@$$w0rd”. But don’t do this. Hackers know that trick too. If a website insists that you use special characters, insert them into your passphrase. To use the example we picked before, you could turn “cane radio squirrel” into “&cane+Radio!squirrel*”.

Pick long passwords

Many websites have a minimum character count for passwords anyway, but the longer the password you choose, the harder it is for a hacker to crack. Again, a passphrase is better than a single password.

Don’t let your browser store your passwords

Most browsers will offer to store your passwords for you, autofilling forms when you need them. It’s tempting to let them do that – remembering a lot of passwords is hard. But malware can sneak onto your computer and steal the passwords you have stored in your browser, handing over your credentials to hackers. This isn’t a theoretical risk: it has happened more than once, with the most recent flaws being discovered by security researchers as recently as January 2018.

Don’t write down your passwords

It’s tempting to write a list of your passwords and refer to that rather than relying on your memory. That said, writing down and keeping secure a list of unique, strong passwords is better than using the same easy-to-crack password on all your websites. We’d strongly recommend that you don’t do this, but if you must, then don’t leave that list lying on your desk: lock it in a safe or in a secure drawer. You might live alone, or think you can trust the people you live with, but you might be burgled, and an intruder could not only steal your laptop, they could also get away with your precious passwords, too.

Use a password manager

How best to store a long list of complex passwords, especially if your memory isn’t quite what it should be? The answer is a password manager. Password managers are programs that look after your passwords for you, and in most cases will also generate strong unguessable passwords and then make sure they’re associated with the right websites. There are several to choose from, but they all do more or less the same thing, i.e. create an encrypted vault that stores all your passwords, generates passwords and in most cases will fill in passwords on websites for you. We use LastPass, but there are others such as Dashlane, RoboForm and KeePass. Most of these have a free and a paid-for option, and most will have apps and browser extensions so that you can use them on all your devices – your laptop, your mobile, your tablet or your Chromebook. 

Two-factor authentication

One of the best steps you can take to protect your accounts from hacking is to use two-factor authentication, also known as 2FA. Most websites offer it nowadays, though you might have to dig around in your account settings to find it. 2FA means that if someone tries to log in from a device or an IP address you haven’t approved, it will stop and send an SMS to your mobile phone with a one-time code you need to type in before it will authenticate you. This means if it’s you logging in from a new computer, you’ll be able to type in the code and complete your log-in, but a hacker of course doesn’t have your mobile and won’t be able to finish logging in – and thus won’t be able to access your account. You can also get devices such as a Yubikey rather than use your mobile phone, and apps such as Google Authenticator and Okta Verify can be used on devices other than your mobile to do 2FA. The thinking here is that while getting an SMS on your mobile phone is a good, convenient way of confirming a log-in, if your phone is stolen you would be unable to verify any new sign-ins, and, worse, the thief would be able to receive log-in codes meant for you.

Biometric authentication

More and more devices come with biometric capabilities, meaning you can use a fingerprint, a face scan or an iris scan to log in instead of a password or a PIN. Biometrics is a good, quick, low-friction way to log in to your phone or other device, and you can increasingly use your fingerprint or other method to log in to websites and services, too.

Risk management

No method of authentication is perfect – they all carry risks. Passwords can be guessed, password managers can be hacked, 2FA can be bypassed and biometrics can be spoofed. But looking after passwords and our online accounts is about making sure we take the steps most appropriate to our individual cases. 

Don’t change passwords for the sake of it

If you’ve got a strong password you haven’t used anywhere else, it will protect your account for a long time. 

Checking if your password has been compromised

With so many data breaches having happened, it’s perhaps inevitable that one of your accounts will at some point have been compromised. 

Go to https://haveibeenpwned.com, which is a public service website created and maintained by one of the most respected names in the security industry, Troy Hunt. It’s safe to put your email address into the web form, and it will tell you if an account associated with that email address has been compromised in any of the breaches it’s got data on – and it’s got data on most of them.

Don’t panic if you do find that your account has been breached somewhere, but if so, make sure you’ve changed the password for that account, and that you’re not using that password anywhere else.

Happy World Password Day!