You’ll probably need a password for each of your many online accounts. And, since it’s hard to remember lots of different passwords, you might use the same (or similar) passwords for multiple accounts. If you’re doing that you’re asking for trouble: if a hacker gets access to one of your accounts then they’ll be able to access others – with potentially costly consequences! It’s important to take digital security seriously.
How account compromises happen
Online accounts can be compromised in a number of ways:
What can you do?
There is a temptation when setting up online accounts to use a password that you know, one that you can remember, and often one that you’ve used before… don’t do it!
Practice good password management by:
- Not reusing passwords across different sites – if one site gets compromised, password thieves will often try those details across other popular sites to see if you have re-used credentials
- Using strong passwords (see below) – don’t use a short password that’s easy to remember: it’ll be easy to guess! (Or compromised quickly in a brute force attack.)
- Activate two-step verification on services that allow it – this means that to log in you’ll need not only your password but a unique code from an app on your phone; the code is regenerated every 60 seconds, so even if someone else had your password they wouldn’t be able to log in
Create a strong password
Google’s password creation advice suggests you steer clear of using common words or personal information as your password. So avoid password or letmein or similar weak choices. Keyboard or sequential patterns such as qwertyuiop, asdfgh or 1234abcd are just as weak. Microsoft offers the following advice on what you should aim for when creating a password:
- Make sure it is at least eight characters long
- Ensure it doesn’t contain your username, real name or company name
- Ensure it doesn’t contain a complete word
- Make it significantly different from previous passwords
- Include uppercase letters, lowercase letters, numbers and symbols
A password generator can create long, randomised passwords for you to use. Online password generators automatically create a secure, random password. For example LastPass, a password management system, offers a password generator for anyone to use. The use of a password manager itself can also be a convenient way of keeping track of all of these different passwords.
Use a password manager
Password managers store passwords for a variety of websites; many of them can also create strong passwords for you and help ensure that you are using different passwords for different accounts. A number of different services offer this functionality, with perhaps the most well-known being LastPass, 1Password and KeePass.
Password managers work by saving your account passwords and filling in your credentials for you when you want to log in to a website. They are often a good way of balancing convenience and security; additionally, if there is a security breach on a site that holds your data, many password managers will alert you if your password has been compromised and will offer to change it for you (service and platform dependent).
It should be stated that different password managers treat your data in different ways. For example, LastPass and 1Password keep your password data on their own servers – which carries inherent risks in terms of susceptibility to hackers. With a service such as KeePass, on the other hand, your data never leaves your machine. Cloud-based password storage does, however, mean you can install the browser plugin on a number of different machines and sync your passwords instantly between them – some security is exchanged for extra convenience. And just because your data is stored on an internet-connected server doesn’t mean that it’s waiting to be hacked; the LastPass website, for example, offers a lengthy explanation of its security process.
We don’t recommend a particular approach – but we do urge you to read about the different types of service and to consider using a password manager for keeping track of all your different logins.