How to set strong passwords

1st February 2019

In support of the #OneReset campaign from Cyber Aware encouraging people to reset their email password, Charlotte Lorimer speaks to Simon Waring, Head of Information Security at Starling Bank, about choosing a strong password and why it matters.


It’s never a proud moment when you get to the end of signing up for something, type in a password and receive the unwelcome feedback of ‘weak.’ When this happened for a password that already had an exclamation mark, number and capital letter in it, I wasn’t sure what I was doing wrong. But after a conversation with Simon Waring, Head of Information Security at Starling Bank, I learned that there were several simple steps I could take to make passwords stronger and keep online accounts protected.

Why do strong passwords matter?

The more we live our lives online, the greater the importance of strong passwords. They can protect your identity and your money. If someone can guess your passwords from what you reveal on social media, hack into your email account and put this together with a credit card statement, you could fall victim to fraud.

Between April and September 2018, cybercrime victims in Britain had £34.6 million stolen from accounts, according to Action Fraud, the national scam reporting agency. This marked a 24% rise from the previous six months.

Create a unique password by putting together four random words

“Traditionally, security advice has been around making really complex passwords. But the problem is that no one can remember them and everyone hates having to change them,” says Simon. “Complex password requirements can encourage bad practice - people come up with something that ticks the boxes such as Password123! or they write them down.”

So what’s the alternative? “The new thinking is around taking random dictionary words and stringing them together,” he says. The National Cyber Security Centre recommends three words, but Simon’s preference is four.

For example, you could take a colour, an emotion, an action and an animal to help you choose four words to create a memorable, unique password. It could be something like PurpleHappyDancingElephant (and, if required, a number of your choice and a punctuation mark in order to meet traditional password requirements).

“This approach means that you get the password complexity without the headache of trying to remember a random combination of letters, numbers and punctuation - you can build up a picture in your mind or make associations between words that only you would know about.”
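To show why the four-words approach works, here is an added example (not code from the article or from Starling Bank) that picks one word from each of the colour, emotion, action and animal categories and computes how many bits of guessing effort the result represents. The word lists are constructed and deliberately tiny; the point the arithmetic makes is that the strength of a word-based passphrase comes from the size of the lists the words are drawn from, not from the length of the words, so a real list needs thousands of entries per category.

```python
import math
import secrets

# Constructed sample word lists for the colour / emotion / action / animal
# pattern. They are deliberately tiny so the entropy arithmetic is easy to
# follow; a real list would have thousands of entries per category.
COLOURS = ["purple", "amber", "teal", "crimson", "ivory", "olive", "indigo", "scarlet"]
EMOTIONS = ["happy", "curious", "sleepy", "brave", "grumpy", "calm", "eager", "proud"]
ACTIONS = ["dancing", "juggling", "sailing", "whistling", "painting", "climbing", "knitting", "reading"]
ANIMALS = ["elephant", "otter", "heron", "badger", "walrus", "lynx", "penguin", "gecko"]
WORD_LISTS = [COLOURS, EMOTIONS, ACTIONS, ANIMALS]


def pick_words(word_lists, rng=secrets):
    """Pick one word from each list with a cryptographic RNG (secrets.choice).

    Choosing the words yourself is fine for memorability, but a machine-chosen
    word is never biased towards the obvious picks that get guessed first."""
    return [rng.choice(words) for words in word_lists]


def join_words(words, suffix=""):
    """Capitalise each word and concatenate, e.g. PurpleHappyDancingElephant.

    `suffix` holds the optional digit/punctuation some sites still demand."""
    return "".join(w.capitalize() for w in words) + suffix


def entropy_bits_words(list_sizes):
    """Bits of entropy of a passphrase built from one random word per list.

    Each word contributes log2(list size) bits, whatever its length."""
    return sum(math.log2(n) for n in list_sizes)


def entropy_bits_charset(length, charset_size):
    """Bits of entropy of `length` characters drawn uniformly from a charset."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    words = pick_words(WORD_LISTS)
    print(join_words(words, suffix="7!"))
    print(f"four 8-word lists:    {entropy_bits_words([8] * 4):.1f} bits")
    print(f"four 7776-word lists: {entropy_bits_words([7776] * 4):.1f} bits")
    print(f"8 random printable ASCII characters: {entropy_bits_charset(8, 94):.1f} bits")
```

With the eight-entry lists above, four words give only 12 bits, which is far too few; with four lists of 7,776 words (the size of a standard diceware list) the same four-word structure reaches about 51.7 bits, comparable to eight truly random printable characters (about 52.4 bits) and far easier to remember.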

Set multiple unique passwords

Just as we have different keys for our house, car and office, the same should go for passwords. But while we might only have to distinguish between three or four physical keys on a daily basis, remembering dozens of unique passwords and knowing which account links to which password can be overwhelming. Research from the global analytics company FICO found that 7 in 10 people struggle to keep track of their passwords.

As a result, many people use the same password for different accounts. Software-as-a-Service provider LogMeIn surveyed people in the UK, USA, France and Germany and found that 59% of people still use one password for every account they own, even though 91% know that this poses a huge security risk.

The solution? “Use a password manager,” says Simon. Password managers are secure, online platforms that store your passwords in an encrypted form and allow you to access them from laptops, smartphones or tablets that you have verified.

“If you have a password manager, you only need to remember one very secure password - choose something unique and never write it down,” he says. “You can then install a companion browser plugin for your password manager so that, if you’re on a trusted device, the password manager will enter the password for you (assuming you have previously entered your master password). I have 1500 accounts and each one has a different password.”

Password managers can also alert you to data breaches that might compromise one of your accounts. “One method hackers use is to ‘brute force’ an account by trying lots of different passwords on the off-chance that one will be correct,” he says. “To increase their chances of getting the right one, they use lists of known passwords from previous data breaches. If your password matches one that’s been part of a data breach, some password managers will tell you so you can change it. Otherwise, it increases the chances that your account will be compromised.”

The question on my mind was about what happens if your password manager gets hacked. “Good password managers store all passwords in an encrypted form, whether on the user’s device or online,” he says. “So even if someone got hold of the stored passwords, they would only ever be in an encrypted form and could only be decrypted by the master password, only known to you and not stored anywhere.”
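The breach-list check Simon describes can be done without the password manager ever sending your password to anyone. The added example below (not code from the article or from any password manager) follows the range-query scheme used by the Have I Been Pwned "Pwned Passwords" service: the client hashes the password locally, sends only the first five hex characters of the hash, gets back every stored hash suffix sharing that prefix, and finishes the comparison on its own machine. The breach list here is a constructed handful of plaintexts hashed at start-up; the server-side function is simulated in-process.

```python
import hashlib

# Constructed sample breach list. A real breach-checking service holds
# hundreds of millions of hashes; here a tiny index is built from a few
# plaintexts so the exchange can be followed end to end.
BREACHED_PLAINTEXTS = ["Password123!", "qwerty", "letmein", "Summer2018"]

PREFIX_LEN = 5  # number of hex characters the client reveals


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breach indexes store."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(plaintexts):
    """Group hashes by their first PREFIX_LEN hex characters (server-side data)."""
    index = {}
    for pw in plaintexts:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def range_query(index, prefix: str):
    """Simulated server endpoint: return every suffix that shares `prefix`.

    The server only ever sees the prefix, which many unrelated hashes share,
    so it cannot tell which password the client is checking."""
    return index.get(prefix.upper(), set())


def is_breached(password: str, index) -> bool:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    candidates = range_query(index, digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in candidates


if __name__ == "__main__":
    idx = build_index(BREACHED_PLAINTEXTS)
    for candidate in ["Password123!", "PurpleHappyDancingElephant"]:
        verdict = "seen in a breach" if is_breached(candidate, idx) else "not in list"
        print(f"{candidate} -> {verdict}")
```

A match means the password is on an attacker's list and should be changed; a miss is not proof of strength, only that this particular list has not seen it.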

Enable two-factor authentication for your email account

If you don’t have a password manager and you forget a password, the process to retrieve it or reset it usually involves your email address. That’s why the password for your email account is one of the most important to protect.

Cyber Aware, the cross-government awareness and behaviour change campaign delivered by the Home Office in conjunction with the Department for Digital, Culture, Media and Sport and the National Cyber Security Centre, encourages users to install the latest software or app updates and to consider resetting their email account password. If you haven’t already done so, make sure that your email account password is different from every other password you use.

“Your email address can be the central point of failure for a cyber attack,” says Simon. “Email accounts can hold a lot of information about you - credit card statements, passport scans, names, phone numbers - and they can often be the preferred method for recovering a password for a different account.”

The best way to add an extra layer of security to any online account, especially your email account, is to enable two-factor authentication. This means that a password alone is not enough to access it. You also need a hardware token or a smartphone app that produces a one-time code, which proves you are in possession of that specific device. “It removes the complete reliance on one password - the first factor is something you know, the second factor is something you have,” he says.

Choose password recovery questions only you would know

Resetting a password or accessing an account often involves security questions. “With social media, so many answers to security questions can be found online - your secondary school, university course, sometimes your mother’s maiden name. You need to choose things that only you know, which might mean choosing answers that aren’t necessarily true,” says Simon.

For example, if a required security question is about your first school, you could answer with your favourite school from a book or film if you’re worried that the real answer is available online (you might want to avoid mentioning Hogwarts though - you probably wouldn’t be the only one). If you do use false answers, it is a good idea to store them in your password manager so you don’t forget what you actually gave as the answer.

Some websites allow you to choose your own security questions. “This can be a double-edged sword - some people will choose really secure ones, others will go for something that’s too simple. Try to think of things that you don’t generally put online,” he says.

This might be something like ‘Who was your first kiss?’ or ‘In which capital city did you leave your favourite scarf behind?’ It’s not always easy coming up with these but it’s worth spending some time on if you want to keep your accounts as secure as possible. “You have to remember that if the password recovery process is easy to subvert, then an attacker is not going to waste time trying to guess your password, no matter how strong it is,” he says.

Keep your software up to date

Besides having strong, separate passwords and security questions, another important step for staying safe online is keeping software up to date. “Software updates are generally released for one of two reasons. Either it’s for a new feature, or it’s fixing a bug or security issue. Security vulnerabilities in software are often found and reported by third parties. The vendor then has the opportunity to fix the problem and release an update,” he says.

“Once a software update to address a security vulnerability has been released, hackers can reverse engineer it to work out what the original problem was and target people who haven’t yet made the software update. That means that the longer you take to update your software, the more exposed you are.”

For more information about staying safe online, have a look at Cyber Aware.
