UPDATE: Updated in March 2021 to change recommended services after LastPass made changes to their free tier.

This is the first in what I’m hoping will be a short series of posts focusing on improving your digital security and privacy – it’s something that’s in the news a lot right now and will only grow more important. Hopefully, you’re here because you’re one of those people who wants to know what steps they can take to improve their security online. This post is going to focus on passwords and how you can secure your online accounts step by step to make you safer online. It’s aimed at people who aren’t security experts.

Security isn’t important because I’m not a target

I want to start off by addressing one of the most common misconceptions – that you’re a nobody online and that nobody is trying to attack you, so your security doesn’t really need to be up to much. Unfortunately this isn’t true – many attacks are no longer performed by a person at all, but are fully automated – a technique called “credential stuffing”. This is so-called because it involves just taking vast lists of usernames and common passwords scraped or stolen from the internet and trying them in common services to see if they work. If they do, then the details can be sold on to scammers or fraudsters on online marketplaces dedicated to the trade in stolen accounts. Every kind of online account has some value to someone – whilst things like online banking (worth £1000+ on the dark web in 2019) or PayPal (£84) accounts may seem like the obvious ones, email accounts can be just as crucial as they often enable access to all the rest of a person’s online accounts. If someone got access to your email, how many of your accounts could they then access via the Forgot Password feature – or maybe you’re using the same password across all of your online accounts? There is even trade in services like Spotify (£5) or Netflix (£13) accounts that let scammers piggyback on paid-for services. You can read more about how much accounts are worth to the right buyer in 2019 here and in 2020 here to see just how quickly the value is changing. A lot of accounts are now actually cheaper than they were – this is because there are more hacked accounts on the market. Don’t let yours be one of them.

This isn’t me trying to scare you – it’s just a fact of life for internet users and it’s something that it’s important to protect against. The cyber-security industry has a lot of absolutism – proclaiming you can be either secure or not secure. In reality, it’s a sliding scale and to stay safe, you just need to make sure that your online presence is more secure than the next person’s by staying ahead of the curve. I’m going to give you some tips and dispel some myths around password security – and hopefully show you that it doesn’t even need to be difficult to achieve this. You may actually find it makes things easier for you.

Summary

If you’re only vaguely interested in improving your security without the detail and the reasoning, here’s a summary of this post for you with specific technology choices made for you:

  • Use a password manager to store secure passwords you don’t need to remember. I recommend 1Password. If you don’t want to pay, LastPass offers a free tier with reduced functionality and, in my opinion, less polished features. LastPass used to be my go-to recommendation for free use, but they recently made changes which have really wrecked its main functionality. For a free option, look at BitWarden.
  • Use 2 Factor Authentication on all your accounts that offer it, but especially your password manager. Use Authy to manage this for all your accounts.

Read on if you’d like more of an in-depth understanding of why these things matter and how to understand enough about it to make these choices for yourself.

What makes a good password?

It’s common knowledge that to make a secure password you just need to replace some letters with some numbers and sprinkle some special characters in – probably a “!” on the end. Also when you get prompted to update your password, you can just increment the number on the end. Unfortunately, this accepted knowledge that most people have is wrong. A lot of services you have accounts with will enforce requirements like having at least 6 characters, a combination of upper and lower case letters, a number and a symbol. Sound familiar? The problem is that none of this really helps with security – it’s what security professionals refer to as “security theatre” because it gives people the impression that it’s helping when it really isn’t.

The best thing you can do to secure a password is to make it longer. The longer it is, the harder it is for a computer or a person to guess. Substituting a “4” for an “a” doesn’t cut it any more – the lists of common passwords that criminals or automated tools use are wise to these tricks and they simply don’t help. Complexity requirements just make things harder for you to remember whilst not presenting any barrier to attackers.

The easiest way to come up with a password that’s long and hard to guess is to use a passphrase – four or more words combined together make an extremely long password that probably isn’t going to be in any list of commonly compromised passwords.
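As an added illustration of the two points above (not part of the original post), here is a small strength check that undoes the usual letter-for-symbol swaps before comparing against a common-password list, then contrasts the naive “guess space” of a short complex password with the real entropy of a four-word passphrase. The common-password list and the leet map are constructed here for the demo; the 7776-word list size is the Diceware convention.

```python
import math
import re

# Constructed sample of a "common passwords" list (not real breach data).
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty", "welcome", "monkey"}

# Letter-for-symbol swaps that cracking rule sets routinely reverse (constructed subset).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
                          "$": "s", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Lowercase, drop a trailing run of digits/symbols ("...!" or "...2021"), undo leet."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


def in_common_list(password: str) -> bool:
    """True if the password collapses to an entry in the common list after normalising."""
    return normalise(password) in COMMON_PASSWORDS


def brute_force_bits(password: str) -> float:
    """Naive guess-space size (bits) a meter reports from length and character classes."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    charset = sum(size for pattern, size in classes if re.search(pattern, password))
    return len(password) * math.log2(charset)


def passphrase_bits(n_words: int, list_size: int = 7776) -> float:
    """Real entropy of n words picked uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def effective_bits(password: str) -> float:
    """What an attacker actually faces: zero if a wordlist plus rules finds it, else the naive value."""
    return 0.0 if in_common_list(password) else brute_force_bits(password)


if __name__ == "__main__":
    for pw in ["P4ssw0rd!", "Password1", "correct horse battery staple"]:
        print(f"{pw!r}: meter says {brute_force_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits")
    print(f"4 random Diceware words: {passphrase_bits(4):.1f} bits of real entropy")
```

The point is the gap between the meter’s figure and the effective figure: “P4ssw0rd!” scores around 59 bits on a naive meter but is free for an attacker, while four random words give a genuine 51.7 bits that no common-password list contains.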

Check your current digital hygiene

Security researcher Troy Hunt runs a service called Have I Been Pwned that checks emails or passwords against a vast set of hacked websites and stolen databases to determine if your details have likely been compromised in the past. It’s safe to use as your actual details aren’t sent to the service – merely a representation of them that’s enough to check for a match. It’s a clever system and it’s used by a selection of large companies and governments to alert them to data breaches.

You should have a check of your email address(es) against the Have I Been Pwned service and check any key passwords you use against Pwned Passwords. If you get hits – don’t panic. I’d be surprised if you didn’t get anything to be honest – but seeing the reality can help you to appreciate that security improvements can really make an impact to you.
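The “representation” mentioned above is a range query on the password’s SHA-1 hash: only the first five hex characters are sent, the service returns every breached hash suffix in that range, and the match is made on your own machine. This added example (not from the original post or from Have I Been Pwned) implements that client-side check; the range response is a constructed stand-in so it runs offline, with made-up counts, though the suffix for “password” is that string’s real SHA-1 tail.

```python
import hashlib

# Constructed stand-in for the body the Pwned Passwords range endpoint returns for
# prefix 5BAA6. Each line is "<remaining 35 hex chars of the SHA-1>:<breach count>".
# The counts here are made up for the demo.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00D4F6E8A5B2C3D1E0F9A8B7C6D5E4F3A2B:5
"""


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split into the 5-char prefix that is sent and the suffix that is kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    table = {}
    for line in body.splitlines():
        if line.strip():
            suffix, count = line.strip().split(":")
            table[suffix] = int(count)
    return table


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTPS GET of https://api.pwnedpasswords.com/range/<prefix>."""
    assert len(prefix) == 5, "only the 5-character prefix ever leaves the machine"
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch_range=offline_fetch) -> int:
    """Number of times the password appears in breaches (0 = not found in this range)."""
    prefix, suffix = split_hash(password)
    table = parse_range(fetch_range(prefix))
    return table.get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```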

Introducing password managers

Having a long passphrase is all well and good, but you still need to use a unique password for every online account that you have. This is because if you do find one of your accounts gets compromised, the first thing an attacker will do is try this successful username/password combination against other, higher-value services. You may have confidence in Google keeping your GMail password secure, but if you use the same password as you did for some obscure forum you signed up to as a teenager, then it’s their security you need to be worried about.

Fortunately, there is a technical solution to needing to remember dozens or hundreds of passwords – a set of applications called password managers. Password managers are designed to keep details of all of your accounts stored securely and quickly serve them up to you when you need them via web browser add-ons or mobile apps on your phone. Generally, they will also help to generate passwords for you at sign-up time for a new website or app – the only password better than a long passphrase is a totally random string of characters that’s 30 or even more characters long! With a password manager, you can get to the point where you don’t know any of your account passwords because they’re all completely random. This is about as good as you can get for password security, but using them to store long passphrases for your important accounts is still a big step forward.

Password managers might sound like a big risk – surely keeping all of your passwords in one place is a bad idea? And doesn’t that make them a big juicy target to hackers and criminals? In reality, the most reputable password managers encrypt your data on your device so that all they store is a useless jumble of 0s and 1s – someone who managed to breach a password manager’s servers would find mostly a collection of unusable junk. We’ll talk a bit more later about securing a password manager, but if you’re not yet sold, consider the straightforward advice of the UK’s National Cyber Security Centre who are a big fan of password managers. Consider also more technical advice from Wired.

Overall, using password managers is in my opinion a net positive. There are quite a few benefits:

  • The NCSC says they reduce “security friction” which is a phrase I like – they make things more secure for you whilst actually making it easier to have lots of passwords.
  • Because they can autofill passwords into sites for you, they make it harder for you to be accidentally phished (when someone presents a convincing, fake login page for a site to you in an attempt to harvest your credentials). The difference between annazon.co.uk and amazon.co.uk may be tricky for you to spot if you’re not concentrating, but it’s trivial for the computer.
  • If you have a family or a partner, they make it really easy to securely share accounts for common services, like insurance or groceries. They can help your resilience by making it easy to access important, shared accounts if something was to happen to the person who usually manages them.
  • Most password managers also let you store some non-password data securely in them, like insurance documents.

Choosing a password manager

Assuming you’re now convinced by the benefits of a password manager, how do you go about choosing the one that’s right for you? It’s an important decision to make and I’d suggest you consider opting for a paid-for product. They’re generally relatively inexpensive and you don’t want to be using a password manager that is trying to monetise your information. You also want to steer clear of password managers integrated into other products – like your antivirus or your web browser, because these are often afterthoughts to the main product that might not have as good security or support, and may tie you into that product for longer than you’d like to use it for.

My personal recommendation is 1Password – I’ve used a lot of different password managers for both personal and enterprise use and 1Password is the easiest to use and most feature-rich of them all. If you’d like to shop around a bit more, use in-depth comparisons from legitimate sources like NY Times’ Wirecutter or Wired to see what the market looks like. Most offer a family plan that’s heavily discounted compared to buying individual accounts in a couple or larger family.

Obviously, not everyone will be able to (or want to) pay for a password manager. I am convinced it’s an investment in your online security, but for those who are looking for a free option, consider BitWarden.

Finally, 1Password actually integrates with the Have I Been Pwned service that I mentioned earlier to alert you if it finds any of your account information in compromised services which is a really nice touch that adds a lot of value.

Master Passwords

One common feature regardless of the password manager that you choose is the notion of a master password. This is the password used to unlock your password manager and is often used as part of the process for encrypting and decrypting all of your data to keep it secure. It is the single most important password you will end up having and it is essential that you remember it – because of how most password managers operate for security reasons, if you forget it you won’t be able to recover any of your account information or passwords, and that would be Unfortunate. Come up with a strong (long) passphrase that uses at least four words, and remember it. Seriously, don’t forget it.

2 Factor Authentication

Finally, the cherry on top for password manager security is 2 factor authentication. This might sound very technical, but if you’ve ever logged into a service where you’ve been sent a text with a code in it to enter after your password, you’ve already used it. The idea of 2 factor authentication (also called 2FA or MFA for Multi Factor Authentication) is that to log in to a service you must present 2 pieces of identification – something you know (the password) and something you have (normally a code that changes frequently). This makes it much harder for an attacker to breach one of your accounts because suddenly they need both your password and also your phone to be able to successfully access the account. After a password manager, 2FA is the next most impactful step you can take for securing your accounts and using both together puts you in a more secure place than probably 99% of the population. You should use 2FA wherever it’s offered, but especially on your password manager because its security is so important.

Some password managers offer 2FA capabilities inside the apps themselves – steer clear of these. If you use your password manager for storing both passwords and 2FA codes, a compromise of your password manager gives access to everything and defeats the purpose of using 2FA!

There are three main kinds of 2FA, listed below in increasing order of security. You’ll find that services won’t normally offer all three, and it’s a good indication of how modern their approach to security is.

  • SMS 2FA – literally just having the service text you a code that you enter. This is better than nothing, but there are better options. SMS isn’t as secure as people think it is, and if you don’t have phone signal when you need a code you’re out of luck.
  • A 2FA code generator app. These generally involve using an app to scan a QR code and then the app generates a 6-digit number for you that changes every 30 seconds. This is more secure than using SMS and you don’t need phone signal for it to work. Apps for this are often branded but functionally they’re generic, so you won’t usually need a new app for every service you use. Recommended ones include Google Authenticator, Authy or Microsoft Authenticator, the latter of which includes functionality to back up your codes to a Microsoft account for safekeeping.
  • A physical security key. These look like USB sticks and represent the gold standard of 2FA security. They’re a good option for securing your most sensitive accounts like password managers or email accounts and get you access to the most sophisticated security measures currently around – which unexpectedly are actually the most straightforward to use. They’re inexpensive too – my recommendation would be the Yubico Security Key NFC which can generally be obtained for under £30 and will work with your laptop and your phone.

Consider backup methods for your 2FA – enable cloud sync in an app like Microsoft Authenticator or Authy, or set up key services to use both a code generator app and a security key so you can easily regain access. If you do opt for a security key, consider buying 2 and keeping one at home and one with you. Most services that support security keys let you configure more than one.

The takeaway here is the importance of using 2FA – use it everywhere it’s offered if you can, and always use it on your password manager account. The excellent website twofactorauth.org contains links to instructions for setting up 2FA on pretty much every major site or app that supports it.

Prioritising changes

Let’s assume by now that you’ve obtained a password manager and you’ve set it up with 2FA. How do you know where to start? Generally, they’ll offer to save account details as you log into websites so even with no conscious effort you’ll begin to save all your accounts into the password manager.

The most value will come from you adding all your accounts and taking advantage of any features it has for suggesting poor passwords or pointing out accounts that might be compromised.

I’d suggest that you start off by switching your email account to use a strong password (and 2FA) and then changing the passwords of other accounts you consider important, and saving the passwords into your password manager. Autogenerated, fully random passwords are the best but if you’re not comfortable with that then long passphrases you save into the password manager to remember them are still an improvement.

Conclusion – Get a Password Manager, Use 2FA

That’s it really. A password manager will help you to use truly strong, secure passwords and save you from having to remember any of them (except your Master Password, which you must remember). 2FA will prevent someone getting into your accounts without also having a physical device in your possession. If you do both of these things, hackers and cyber criminals will likely skip over you and go to an easier target instead, like how a burglar would skip a well-secured home.