Guide to Password Security
Security breaches are increasingly common — but for many people, password policy is not a serious concern.
This lax approach to data protection is a big problem. Bad password habits can leave people vulnerable to the loss of credit card details and other personal information.
In this article, we’ll explore:
- Common bad habits to avoid
- How to enhance online security by using a password manager
- How to choose a strong but memorable master password
Bad password management habits
There are many easily-avoidable practices that make life easier for cybercriminals. Here are some common password policy problems.
Using weak passwords
Research from the National Cyber Security Centre (NCSC) shows that millions of people are still using simple passwords, such as “123456” or “password123.”
Here are some common types of bad passwords.
- A convenient sequence of keys. According to Use a Passphrase, the password 12345qwerty would take 1 millisecond to guess using common password-cracking software. zxcvb7890 would take 53 seconds.
- A single word. Password crackers can cycle through the dictionary in a matter of seconds, meaning single dictionary words are not a safe option. However, multiple words, used in a passphrase, can make a robust password.
- A common word or phrase with numbers substituting letters. For example, whereas newyorknicks takes 1 minute to crack, n3wy0rkn1cks takes 4 minutes — better, but still not tough enough.
- A zip code, postcode, or date of birth. Cracking tools can easily guess common number patterns. 98109 takes 2 seconds, SW1A0AA takes 2 hours, 01/06/1985 takes just 8 seconds.
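The four patterns above can be checked mechanically before a password is accepted. The program below is an added example written for this guide, not code from the article or from the Use a Passphrase tool it cites: it flags keyboard walks, single dictionary words (including ones with number-for-letter substitutions such as n3wy0rkn1cks), and date, zip code and postcode shapes. The keyboard rows and the four-word dictionary are constructed stand-ins for the real wordlists a deployment would load.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Keyboard rows (US layout, left to right) used to detect walks like 12345qwerty or zxcvb7890.
var keyboardRows = []string{"1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"}

// Constructed stand-in for a real wordlist; a deployment would load a large dictionary.
var dictionary = map[string]bool{"password": true, "newyorknicks": true, "welcome": true, "dragon": true}

// Undo common letter-for-number swaps so n3wy0rkn1cks normalises back to newyorknicks.
var unleet = strings.NewReplacer("0", "o", "1", "i", "3", "e", "4", "a", "5", "s", "7", "t", "@", "a", "$", "s")

var (
	nonAlnum   = regexp.MustCompile(`[^a-z0-9]`)
	nonLetters = regexp.MustCompile(`[^a-z]`)
	datePat    = regexp.MustCompile(`^\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}$`) // 01/06/1985
	zipPat     = regexp.MustCompile(`^\d{5}(-\d{4})?$`)                   // 98109
	postcode   = regexp.MustCompile(`^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$`)  // SW1A0AA
)

// isKeyboardWalk reports whether the password can be tiled entirely by runs of three
// or more adjacent keys read left to right along one keyboard row.
func isKeyboardWalk(pw string) bool {
	s := nonAlnum.ReplaceAllString(strings.ToLower(pw), "")
	for i := 0; i < len(s); {
		best := 0 // longest run starting at i that lies on some row
		for _, row := range keyboardRows {
			for l := len(s) - i; l > best; l-- {
				if strings.Contains(row, s[i:i+l]) {
					best = l
					break
				}
			}
		}
		if best < 3 {
			return false
		}
		i += best
	}
	return s != ""
}

// isDictionaryWord flags a single word, with or without digits and leet substitutions.
func isDictionaryWord(pw string) bool {
	lower := strings.ToLower(pw)
	for _, cand := range []string{lower, unleet.Replace(lower)} {
		if dictionary[nonLetters.ReplaceAllString(cand, "")] {
			return true
		}
	}
	return false
}

// isNumericPattern flags dates, US zip codes and UK postcodes.
func isNumericPattern(pw string) bool {
	return datePat.MatchString(pw) || zipPat.MatchString(pw) || postcode.MatchString(strings.ToUpper(pw))
}

// AuditPassword returns the weak-password patterns that matched; an empty map means none did.
func AuditPassword(pw string) map[string]bool {
	findings := map[string]bool{}
	if isKeyboardWalk(pw) {
		findings["keyboard walk"] = true
	}
	if isDictionaryWord(pw) {
		findings["dictionary word"] = true
	}
	if isNumericPattern(pw) {
		findings["date/zip/postcode"] = true
	}
	return findings
}

func main() {
	for _, pw := range []string{"12345qwerty", "n3wy0rkn1cks", "SW1A0AA", "01/06/1985", "NineHandedWobbleMobile(9-5)"} {
		fmt.Printf("%-28s %v\n", pw, AuditPassword(pw))
	}
}
```

The passphrase from the end of this guide, NineHandedWobbleMobile(9-5), comes back with no findings, while each of the examples in the list above trips exactly the rule it illustrates. Heuristics like these complement, rather than replace, a minimum length and a breached-password check.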
Researchers have published a list of the 100,000 most-breached passwords. It’s worth checking this list to ensure your passwords aren’t included.
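Checking a password against such a list should not mean sending the password anywhere. The following Go program is an added example, not the researchers' own tooling: it shows the hash-prefix ("k-anonymity") lookup that breached-password services expose, with a constructed five-password corpus standing in for the real list. The client hashes locally, sends only the first five hex characters of the SHA-1 hash, and compares the returned suffixes itself, so neither the password nor its full hash leaves the device.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample of breached passwords standing in for a real breach corpus.
var breachedSamples = []string{"123456", "password", "password123", "qwerty", "iloveyou"}

// rangeIndex mirrors how a range query exposes a corpus: the first 5 hex chars of
// SHA-1(password) select a bucket holding the remaining 35 chars of every breached
// hash with that prefix. Nothing in the bucket identifies which entry was asked about.
var rangeIndex = buildRangeIndex(breachedSamples)

func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

func buildRangeIndex(list []string) map[string][]string {
	idx := make(map[string][]string)
	for _, p := range list {
		h := sha1Hex(p)
		idx[h[:5]] = append(idx[h[:5]], h[5:])
	}
	return idx
}

// RangeQuery is the "server" side: it only ever sees a 5-character prefix and
// returns every suffix in that bucket (nil if the bucket is empty).
func RangeQuery(prefix string) []string {
	return rangeIndex[strings.ToUpper(prefix)]
}

// IsBreached is the client side. It hashes locally, sends only the prefix, and
// compares the suffixes it gets back, so the full hash never leaves the client.
func IsBreached(pw string) bool {
	h := sha1Hex(pw)
	for _, suffix := range RangeQuery(h[:5]) {
		if suffix == h[5:] {
			return true
		}
	}
	return false
}

func main() {
	for _, pw := range []string{"123456", "NineHandedWobbleMobile(9-5)"} {
		fmt.Printf("%-28s breached=%-5v prefix sent: %s\n", pw, IsBreached(pw), sha1Hex(pw)[:5])
	}
}
```

SHA-1 is used here only because that is the hash the published lists are keyed by; it is a lookup key, not a password-storage hash, and the prefix truncation is what keeps the query from revealing the password.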
It’s crucial to use unique passwords for each account — don’t reuse passwords.
Password reuse is a very bad habit. If a person chooses the same password to log into Google, Linkedin, Amazon, etc., they will be especially vulnerable in the event of a data breach.
Once a cybercriminal cracks a password for one account, they can try the same username and password combination on other online services. This makes it easier to break into high-security online services such as banking and payment platforms.
This is why reusing the same password across multiple online accounts is so risky.
Writing down passwords
Don’t write down passwords. This can easily lead to loss or theft. Passwords must be stored securely.
There are two main ways to securely store passwords:
- Locally — Physically storing passwords on a computer, USB key, or another device. This is only recommended where the device can be kept completely safe.
- Remotely — Remotely storing passwords “in the cloud.” Cloud storage services can be hacked, so it’s important to only use a high-security service such as a password manager.
Failing to protect against malware and cybercrime
Cybercriminals can use several techniques to gain access to passwords. For example:
- Keyloggers — A type of spyware that records keystrokes on a device. Keylogger software can detect everything a user types on their computer, including passwords.
- Man-in-the-middle attacks — An attack in which a hacker positioned between a person and the website they are using, typically on an insecure public Wi-Fi network, intercepts their password data as they log into online accounts.
- Phishing — A scam involving fake websites and social media accounts. For example, cybercriminals have created fake online banking websites designed to trick people into entering their account details.
It’s possible to defend against such threats by:
- Installing antivirus software
- Using a Virtual Private Network (VPN) on public Wi-Fi networks
- Keeping software and operating systems up-to-date
- Using a password manager
A password manager is an application that can generate strong passwords, store them securely, and (usually) autofill online forms.
Maintaining a good level of password security is much easier with a password manager.
How do password managers work?
Most password managers work like this:
- The user downloads a password manager application, and often an accompanying browser extension
- The user creates a “master password” used to log into the password manager. This is the only password they’ll need to remember once their password manager is set up
- During setup, the user can import existing passwords from a browser or anywhere else they’re stored
- The password manager can generate unique, secure passwords for each of the user’s accounts
- The passwords are stored in encrypted storage
- A browser extension can autofill the user’s passwords whenever they wish to log in to an online account
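The master password and the encrypted storage in the steps above come down to two pieces: a key-derivation function that turns the master password into a key, and an authenticated cipher that encrypts the vault under it. This Go program is an added illustration written for this guide, not the code of any password manager named on this page. It derives a 256-bit key with PBKDF2-HMAC-SHA256 (written out over the standard library), encrypts the vault with AES-256-GCM, and refuses to open it under a wrong master password or after any modification. The iteration count, the blob layout and the sample entry are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Vault maps an account name to its password (the sample contents below are constructed).
type Vault map[string]string

// Sizes in bytes: salt, standard GCM nonce, AES-256 key; kdfIters is an assumed work
// factor that makes offline guessing of the master password expensive.
const saltLen, nonceLen, keyLen, kdfIters = 16, 12, 32, 600_000

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the block needs
// nothing beyond the standard library. The salt makes each vault's key unique.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// aeadFor derives the vault key from the master password and salt and wraps it in AES-256-GCM.
func aeadFor(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, kdfIters, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault serialises and encrypts the vault. Blob layout: salt || nonce || ciphertext+tag.
func SealVault(master string, v Vault) ([]byte, error) {
	plain, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil { // fresh random salt and nonce for every save
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := aeadFor(master, salt)
	if err != nil {
		return nil, err
	}
	// The salt goes in as associated data, so it is authenticated along with the ciphertext.
	return gcm.Seal(header, nonce, plain, salt), nil
}

// OpenVault reverses SealVault. A wrong master password or any modification of the blob
// fails the GCM tag check, so the caller gets an error rather than garbage.
func OpenVault(master string, blob []byte) (Vault, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("vault blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := aeadFor(master, salt)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong master password or corrupted vault")
	}
	var v Vault
	err = json.Unmarshal(plain, &v)
	return v, err
}

func main() {
	blob, _ := SealVault("correct horse battery staple", Vault{"example.com": "constructed-sample"})
	_, err := OpenVault("wrong master password", blob)
	fmt.Println("wrong master password:", err)
	fmt.Println(OpenVault("correct horse battery staple", blob))
}
```

Two details matter for the security claims in this section. The master password is never stored, only used to derive the key, so the vault file on disk or in the cloud is useless without it; and because GCM authenticates the ciphertext, a corrupted or tampered vault is rejected outright instead of yielding wrong passwords.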
Many password managers optionally allow two-factor authentication (or multi-factor authentication) for an extra layer of security.
To log into a password manager using two-factor authentication, a user must present something they know (their master password) and something they have (e.g., a mobile device). For example, they might be sent a verification code via text message.
What are the benefits of using a password manager?
Using a password manager has the following cybersecurity benefits:
- They generate strong passwords
- They store passwords in encrypted storage (usually industry-standard AES-256)
- They provide each of a user’s accounts with a unique password
- They allow for two-factor authentication
- They reduce the threat posed by keyloggers
The password manager industry has grown substantially in recent years, and there are now over 50 different password managers to choose from. Many top brands provide bonus features, such as secure cloud storage, to attract users.
What are the risks of using a password manager?
Generally speaking, a password manager is the most secure way to store and retrieve passwords. However, handing over sensitive personal information to a third party always has some risks attached.
There have been some security vulnerabilities exposed among password managers. Most notable was a 2015 hack of LastPass, which resulted in some users’ email addresses and certain authentication data being compromised.
No major password manager has reported an incident in which hackers gained access to their users’ passwords. However, some people prefer to keep total control over their passwords by only storing them locally (e.g., on their computer).
Certain password managers, such as KeePass and Bitwarden, allow local password storage. This can make it more difficult to sync and back up passwords. However, for the most security-conscious people, it’s worth the inconvenience.
What’s the best password manager?
Password managers vary in terms of their cost, user-friendliness, and extra features. Here’s a run-down of some of the most popular password manager brands.
KeePass is an open-source password manager that has developed a large and loyal following since its first release in 2003.
There are several reasons why many people love KeePass:
- It’s completely free
- It stores passwords locally — a user’s passwords need never leave their device
- It’s open-source, so software developers and other technically-minded people can develop and customize it
“Out of the box,” KeePass is quite basic. It doesn’t even include an auto-fill function or browser extension by default. Syncing passwords between devices can be complicated.
However, there are many third-party plugins available for KeePass. These are additional tools that expand KeePass and make it more versatile. KeePass apps for iPhone and Android are also available as third-party software.
Unlike commercial password managers, KeePass is not very user-friendly, and there’s no customer support team to help if things go wrong. Therefore, KeePass is only suitable for people who are confident with technology.
Dashlane offers a very user-friendly experience for paying users and an abundance of free features, including:
- Unlimited access to a Virtual Private Network (VPN)
- 1 GB secure file storage
- Dark Web Monitoring service
Like most commercial password managers, Dashlane operates a “freemium” model — the company offers a stripped-down version of its product for free, then gives users the option to upgrade to an annual subscription.
Unfortunately, the free version of Dashlane is extremely limited. Dashlane’s non-paying users are only able to save up to 50 passwords, and can only use Dashlane on one device.
This means anyone wishing to log into their online accounts on both a phone and a laptop would find Dashlane’s free product virtually unusable.
However, for those willing to pay a subscription, Dashlane is one of the very best password managers available.
LastPass is another popular commercial password manager operating a freemium model.
LastPass’s free version is one of the best free password managers, providing the following features:
- Unlimited password storage
- Use on unlimited devices
- Password auto-fill
- Secure notes storage (simple text notes, such as credit card numbers, etc.)
This means LastPass’s non-paying users can generate and store unlimited passwords across unlimited devices.
Premium users get some bonus features, including 1 GB secure file storage, emergency access, and advanced multi-factor authentication options.
1Password is a popular password manager operated by Canadian company AgileBits.
1Password is not a freemium product — it’s only available to paying subscribers (there’s a 30-day free trial available).
So how does 1Password compete with top-quality freemium password managers? Well, along with offering many of the same features as the rival products, 1Password also has the following benefits:
- It uses a great-looking, easy-to-use interface that many people prefer to other password managers
- It has a highly secure master password login method
- It offers some great features for families
- It provides a “Travel Mode” that allows users to temporarily wipe sensitive data when crossing borders
These factors make 1Password a top-quality product that its users are happy to pay for.
How to choose a strong but memorable password
A password manager will generate new passwords for each of a user’s accounts, using random letters, numbers, and special characters. This means that there’s no need to remember each password — in fact, it would be impossible to do so.
Here’s a random password generated by Dashlane, for example — }fn(\]?,64mJ. Not exactly memorable.
However, there are times when it’s necessary to create a memorable password. For example, when choosing a master password.
In such situations, it’s better to choose something complex but memorable, so as to avoid the need to record it.
Here are some tips for creating a strong but memorable password:
Consider adapting the lyrics of a favorite song. For example, DyKtIhItTgV?1968. This password is adapted from a Marvin Gaye line — “don’t you know that I heard it through the grapevine?”. The suffix is “1968” — the year that song was released.
Choose a passphrase, rather than a password. Check out Use a Passphrase, a tool to generate memorable but tough-to-crack passphrases.
Here’s an example of a memorable passphrase:
- NineHandedWobbleMobile — This passphrase would take roughly 600 years to crack using common password-cracking software.
- NineHandedWobbleMobile(9-5) — This passphrase would take over 5.2 trillion years to crack!
Adding additional words and special characters to a password or phrase may not make it much harder to remember — but it could make it millions of times harder to crack.
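To make the "millions of times harder" point concrete, here is an added Go example written for this guide (not the Use a Passphrase tool, whose own timing model produced the figures above). It generates a TitleCase passphrase from a word list using crypto/rand and estimates the entropy, and from it the expected cracking time, of several constructions. The 16-word list is a constructed stand-in for a real list of thousands of words, and the guess rate of 10 billion per second is an assumed figure for a fast, unsalted hash; changing either moves the absolute numbers but not the comparison between constructions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Constructed 16-word list for the demo. Real tools use lists of thousands of words
// (the EFF long list has 7776), which is what gives each word its ~12.9 bits.
var wordlist = []string{"nine", "handed", "wobble", "mobile", "grape", "vine", "lantern", "orbit",
	"copper", "meadow", "ticket", "harbor", "velvet", "cactus", "pillow", "signal"}

// PassphraseWords picks n words uniformly at random with crypto/rand (never math/rand
// for secrets); rand.Int avoids the modulo bias a naive "random % len" would introduce.
func PassphraseWords(n int) ([]string, error) {
	words := make([]string, n)
	for i := range words {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(wordlist))))
		if err != nil {
			return nil, err
		}
		words[i] = wordlist[idx.Int64()]
	}
	return words, nil
}

// GeneratePassphrase joins the words in TitleCase, e.g. NineHandedWobbleMobile.
func GeneratePassphrase(n int) (string, error) {
	words, err := PassphraseWords(n)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	for _, w := range words {
		sb.WriteString(strings.ToUpper(w[:1]) + w[1:])
	}
	return sb.String(), nil
}

// EntropyBits of a secret made of nWords words drawn from a list of listSize entries,
// followed by extraLen characters drawn from an alphabet of extraAlphabet symbols.
// Words and characters are treated alike: each is one uniform choice from its pool.
func EntropyBits(listSize, nWords, extraAlphabet, extraLen int) float64 {
	bits := float64(nWords) * math.Log2(float64(listSize))
	if extraLen > 0 {
		bits += float64(extraLen) * math.Log2(float64(extraAlphabet))
	}
	return bits
}

// ExpectedCrackSeconds assumes the attacker knows the construction (list, word count,
// suffix shape) and on average finds the secret after searching half the space.
func ExpectedCrackSeconds(bits, guessesPerSec float64) float64 {
	return math.Exp2(bits-1) / guessesPerSec
}

func main() {
	const rate = 1e10 // assumed: 10 billion guesses/s against a fast, unsalted hash
	const secondsPerYear = 365.25 * 86400
	p, _ := GeneratePassphrase(4)
	fmt.Println("sample passphrase:", p)
	for _, c := range []struct {
		label string
		bits  float64
	}{
		{"8 random characters from 94 symbols", EntropyBits(94, 8, 0, 0)},
		{"4 words from this 16-word demo list", EntropyBits(len(wordlist), 4, 0, 0)},
		{"4 words from a 7776-word list", EntropyBits(7776, 4, 0, 0)},
		{"4 words from 7776 + 5 symbols like (9-5)", EntropyBits(7776, 4, 94, 5)},
	} {
		fmt.Printf("%-42s %5.1f bits  ~%.3g years\n", c.label, c.bits, ExpectedCrackSeconds(c.bits, rate)/secondsPerYear)
	}
}
```

The estimate is deliberately pessimistic: it credits the attacker with knowing exactly how the passphrase was built, so the only thing protecting it is the size of the pool each choice came from. That is also why the five characters in "(9-5)" add so much: each one is a fresh choice from 94 symbols, multiplying the search space by 94 every time.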