It's important you take steps to secure your digital world, just like you would in the real, physical world.
We recommend that you:
- Create strong passwords
- Use unique passwords for each account
- Get a password manager application to help
- Enable multi-factor authentication where possible
- Ensure your devices are free from malware
Passwords are designed with computers in mind rather than human beings.
Our advice is to let a password manager app do the hard work for you instead - it's both easier and generally more secure.
If you prefer to do it the hard way and create your own, we recommend your passwords should be:
- At least 12 characters long - the longer the better
- Unique - not used on other sites
- Combine several unrelated words, word fragments or random character sequences
- Use a mixture of uppercase, lowercase, numbers and symbols
- Difficult for someone to guess - avoid using personal information like your name, your children's names or your date of birth
- Avoid common passwords - there are lists of predictable passwords (like "password", "123456", or your favourite football team) that are tried first
- Change your passwords periodically
You could try using a passphrase instead of a password. A passphrase takes a short saying (but not a common one) that you modify to become a strong password. For example, “Thund3r Sh0wers at Suns£t” would be a very strong password that’s also easy to remember.
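As an added example (not part of the original page), the function below checks a candidate password against the rules listed above: at least 12 characters, a mixture of character classes, not on a common-password list, and free of personal details. The common-password list is a small constructed sample standing in for the full top-1,000 list the page links to.

```python
import string

# Constructed sample of predictable passwords (a real check would use the
# full top-1,000 list referred to on this page).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "arsenal"}


def check_password(password, personal_info=()):
    """Return the list of rules from this page that `password` breaks.

    An empty list means every rule is satisfied. `personal_info` is an
    iterable of strings (names, dates) that must not appear in the password.
    """
    problems = []
    lowered = password.lower()

    # Rule: at least 12 characters long.
    if len(password) < 12:
        problems.append("shorter than 12 characters")

    # Rule: a mixture of uppercase, lowercase, numbers and symbols.
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    # Anything that is not a letter, digit or space counts as a symbol, so
    # non-ASCII symbols such as '£' are recognised too.
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    if not (has_upper and has_lower and has_digit and has_symbol):
        problems.append("missing one of: uppercase, lowercase, number, symbol")

    # Rule: avoid common passwords. Compare case-insensitively and also with
    # leading/trailing digits and punctuation stripped, so that a trivially
    # decorated "Password1!" is still caught.
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("found in the common-password list")

    # Rule: no personal information such as names or dates of birth.
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")

    return problems
```

The page's own passphrase "Thund3r Sh0wers at Suns£t" passes every check, while "Password1!" fails on length and on the common-password rule.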
- Have I Been Pwned? - An excellent site that determines if any of your existing accounts or passwords have been compromised. Sign up for free notifications in case your details are suddenly found in the wild.
- How Secure Is My Password? - An effective demonstration of just how quickly your password can be guessed by hackers (for the record, typing your actual password into another site is generally not a good idea, but in this case it's safe as your password is only processed locally).
- Popular Passwords - List of the top 1,000 passwords chosen by users. 91% of people have a password on this list, making them very vulnerable indeed.
- LastPass - A password manager that manages your passwords securely for you. The last password you'll ever have to remember.
You wouldn't have a single key to open your front door, your car, your bank and your safe - losing the key could result in the loss of everything at once. The same applies to passwords in the digital world.
It's a sad fact that sites get hacked and their users' information is traded on the web by criminals. At the time of writing, a staggering 1,070,622,134 accounts are known to have been compromised! Cyber criminals know people re-use passwords and exploit this fact. After a popular site is hacked, they’ll try using the leaked email addresses and passwords to gain access to other sites. More often than not this strategy works, compromising all of your accounts.
To avoid becoming a victim of this you must choose different passwords for each of your online accounts. This limits the damage of any single breach: the leaked password is only valid on one site, the breached one. Your other accounts remain unaffected.
We appreciate memorising hundreds of unique passwords simply isn't feasible. Some people prefix/append characters to their password relating to each site in question - but this is far from foolproof. Instead, we recommend you use a password manager tool to do it for you...
A password manager stores all of your passwords - think of it as a vault for your passwords. It automatically generates secure passwords for you and types them in for you when logging in - to save you the bother. You simply have to remember one password to sign in to the password manager!
This makes it incredibly easy to use unique, very secure passwords for every account - without having to remember them all. It can also guard against phishing attacks by validating that the site is genuinely the site it claims to be before submitting your password.
We recommend a password manager called LastPass. We use it internally on our team and shamelessly get a month free if you signup using our link! Of course, other password management tools are available and you should evaluate your own preference.
There are some dangers which you need to consider though. For example, if someone gets your master password or hacks the password manager itself, potentially all of your passwords become compromised. Most good password managers have prepared for these eventualities. Many ensure they only work on your registered devices - requiring additional steps from unknown devices/locations. They also design their systems to avoid storing your master password at all - the idea being that your master password can't be revealed if they don't store it in the first place. In theory, hackers only get an encrypted set of useless data. You have to evaluate these risks for yourself, but in your writer's humble opinion these risks are much smaller than the risks of the alternatives.
Some sites and password managers also let you add fingerprint or face recognition options and devices you trust - this is called multi-factor authentication, and it offers convenient, powerful protection for your password vault.
Multi-factor authentication (sometimes known as two-factor or 2FA) adds an additional layer of protection to your online accounts. Typically it uses a device, like your phone, as a secondary requirement. The principle is that it is unlikely a hacker will gain access to both your phone and your password at the same time.
In the case of your phone, it might generate a code using a special app, it might send you a code by SMS text, or it might ask you to scan your fingerprint on the reader of your phone. You might have even seen this behaviour already if you have ever downloaded an app from an app store. The app store first checks you’re on a trusted device (factor 1) and then verifies your fingerprint (factor 2).
When logging into websites, a multi-factor enabled site might prompt you for your password initially (factor 1), then ask for a verification code that will be sent to your phone (factor 2). These verification codes expire quickly and can only be used once - making them useless to a hacker if subsequently exposed.
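To show why an exposed verification code is useless to an attacker, here is an added example (not from the original page) of the time-based one-time code scheme that authenticator apps use (RFC 6238 TOTP): the server derives a 6-digit code from a shared secret and the current 30-second time step, tolerates one step of clock drift, and refuses to accept the same time step twice, so a code both expires and is single-use. The shared secret is the RFC's own test vector, not a real one.

```python
import hmac
import struct
from hashlib import sha1

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # length of the code shown to the user


def totp(secret, timestamp, step=STEP, digits=DIGITS):
    """Return the RFC 6238 code for `secret` (raw bytes) at Unix time `timestamp`."""
    counter = int(timestamp) // step                       # which 30s window
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class SecondFactor:
    """Server-side verifier for one user's second factor.

    Accepts the current window and the previous one (one step of clock drift),
    and remembers every window it has already accepted so a captured code
    cannot be replayed, even inside its 30-second lifetime.
    """

    def __init__(self, secret):
        self.secret = secret
        self.used_windows = set()

    def verify(self, code, now):
        current = int(now) // STEP
        for window in (current, current - 1):
            if window in self.used_windows:
                continue                                   # single use only
            expected = totp(self.secret, window * STEP)
            if hmac.compare_digest(expected, code):        # constant-time compare
                self.used_windows.add(window)
                return True
        return False                                       # wrong, expired or replayed


# Shared secret from the RFC 6238 test vectors (constructed, not a real secret).
DEMO_SECRET = b"12345678901234567890"
```

With the RFC's secret, the code for time 1111111111 is "050471"; presenting it a second time, or a minute later, is rejected.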
We recommend you enable multi-factor on all your accounts where possible - particularly high value targets like your email account, your password manager, your bank, remote terminal software, etc.
It's important your computer(s) and device(s) are kept free from malicious programs - like viruses and other malware. Malware can spy on your activities - intercepting passwords or data. It can also try to extort you by holding you to ransom (e.g. by encrypting your files and demanding payment to decrypt them).
Malware infects your computer - typically by exploiting unpatched vulnerabilities in your operating system/software or by convincing users to run/install it themselves. A further danger of malware is that once installed it can operate in a stealthy manner (i.e. without obvious signs that you are infected). It can also lie dormant for long periods before deploying its ultimate payload (circumventing weak backup strategies).
We recommend that you:
- Keep your system up to date - install all security updates
- Keep your application software up to date - install app updates for the programs you use - not just the operating system
- Install anti-virus and anti-malware tools - keep them up to date
- Avoid suspicious software (free games, ringtone installers, free codecs, browser extensions, etc. can often be bundled with malware) - verify the publisher can be trusted before installing
- Be aware of phishing emails or websites
- Impose a robust backup regime (including offline/read-only backups stored offsite with historic versioning)