With so many websites and services that we sign into every day, from email and shopping sites to workplaces and social media, coming up with good passwords for each and every one of those can be overwhelming, especially as expert thinking on best practice is constantly evolving/changing.
So I’ve rounded up some of the top tips and the most up-to-date expert advice when it comes to creating strong passwords and authentication online. Check it out below!
Use unique passwords for every account
When I say unique, I mean unique. I’ve seen suggestions that you use a base password and then tweak it for each site you log in to - an example of this is using the password Dandelion for one site then tweaking it slightly to Dandel1on and DanDelions on others - but that’s a really bad idea: once a hacker gets hold of your base password, they can quickly work out your system for other sites and all of them could be hacked.
You should have a different password for each and every account you create online. Here are some of my favourite tips to creating the best passwords for your accounts going forward:
1) A passphrase is better than a password: Even if the website encrypts your password, single words found in the dictionary can be easily cracked. Hackers use “rainbow tables”, which are lists of the hash, or encrypted version, of the most commonly used passwords. So instead of using just one word as your password, use a phrase instead. Pick something random that only you know: a good passphrase might be “Yellow penguins have knees”. It doesn’t have to be a phrase that makes sense: just a few random words out together - such as “umbrella soap tiger” or "catnip boat tulip" - are decent passphrases.
2) Never use personal information as passwords: Anything that someone knows about you or could guess about you isn’t a good password. So don’t use anything like:
- Your pet’s name
- Your partner’s name
- Your middle name
- Your child’s name
- Your hometown
- Your place of birth
- Your maiden name
- Your favourite sport
- Your favourite team’s name
- Your favourite athlete’s name
- Your favourite holiday destination
- Your honeymoon destination
Also, be careful about inadvertently revealing personal details via social media: Facebook is full of quizzes that get you to share this kind of data. Doing them might seem harmless, but the risks are real.
3) Add special characters: Many websites insist that you use special characters such as numbers, capital letters and symbols in your passwords, so it’s tempting to replace letters of the alphabet with numbers and symbols that look similar so that “password” becomes “p@$$w0rd”. But don’t do this. Hackers know that trick too. If a site insists that you use special characters, insert them into your passphrase. To use the example I used before, you could turn “umbrella soap tiger” into “%umbrella+soap!tiger/”.
4) Create long passwords: Many websites have a minimum character count for passwords anyway, but the longer the password you choose, the harder it is for a hacker to crack. Again, a passphrase is better than a single password so be creative (but create something you can remember).
Examples of strong and unique passwords
- Jelly22Fi$h
- D3lta/L3af/Echo
- 2Dogs+2Cats=16legs
- A1waysTh@nkful
- Lets-h@ve-sum-fun!+
- ApricoT/LobbY/UprighT
- M3rmaidsLiveOnLand!*
- Miami2London$£
How to keep your passwords safe and secure
To keep your passwords safe at all times, I recommend you:
1) Never letting your browser store your passwords: Most browsers will offer to store your passwords for you, autofilling forms when you need them. Yes it’s tempting to let them do that as remembering a lot of passwords is hard. But malware can sneak on to your computer and steal the passwords you have stored in your browser, handing over your credentials to hackers.
2) Never write down your passwords: Again, it’s tempting to refer to something else rather than relying on your memory. That said, writing down and keeping secure a list of unique, strong passwords is better than using the same easy-to-crack password on all your websites. I would strongly recommend that you don’t do this, but if you must, then don’t leave that list lying on your desk: lock it in a safe or in a secure drawer.
3) Use a password manager: The best to store a long list of complex passwords, especially if your memory isn’t quite what it should be, is through a password manager. Password managers are programs that look after your passwords for you, and in most cases will also generate strong unguessable passwords and then make sure they’re associated with the right websites.
Other password security tips you need to know
Now you know how to create unique passwords and how to keep them safe, what more can you do to make sure you're safe as possible online? See below my top online security tips you need to know:
1) Two-factor authentication: This is one of the best steps you can take to protect your accounts from hacking - use two-factor authentication, also known as 2FA. Most websites offer it nowadays, though you might have to dig around in your account settings to find it. But what does it mean? 2FA means that if someone tries to log in from a device or an IP address you haven’t approved, it will stop and send you an SMS to your mobile phone with a one-time code you need to type in before it will authenticate you. This means if it’s you logging in from a new computer, you’ll be able to type in the code and complete your log-in, but a hacker of course doesn’t have your mobile and won’t be able to finish logging in – and thus won’t be able to access your account.
2) Biometric authentication: More devices than ever before come with biometric capabilities, meaning you can use a fingerprint, a face scan or an iris scan to log in instead of a password or a Pin. Biometrics is a good, quick, low-friction way to log in to your phone or other device, and you can increasingly use your fingerprint or other method to log in to websites and services, too.
3) Changing passwords: It used to be the case that you were urged to change your passwords regularly, and many organisations still enforce regular password changes. However, current thinking is that this isn’t the good idea we used to think it is. The National Cyber Security Centre (NCSC) now explicitly recommends that you don’t change passwords unless you have to because your password has been stolen. So don’t change passwords for the sake of it: if you’ve got a strong password you haven’t used anywhere else, it will protect your account for a long time.
4) Checking if your password has been compromised: With so many data breaches having happened, it’s perhaps inevitable that one of your accounts will at some point have been compromised. If you’ve got an account with big organisations like Adobe, TalkTalk and many others, there’s a good chance your account details were caught up in it. If your account is part of a breach, the organisation should let you know, but to be on the safe side, you can check for yourself. Simply click HERE and put your email address into the web form, and it will tell you if an account associated with that email address has been compromised in any of the breaches it’s got data on – and it’s got data on most of them. Don’t panic if you do find that your account has been breached somewhere, but if so, make sure you change the password for that account, and that you’re not using that password anywhere else.
5) Make sure your contact details are ALL up to date: Always make sure that you’re not using an old email address or phone number with an online account - so in the case you need to reset your password, the link to do so is sent to the right inbox, not an old one you no longer have access to.
Final thoughts
The main things to remember about internet safety and having passwords strong enough for all your online accounts are:
- Use unique passwords for every website
- Never re-use passwords
- A passphrase is always better than a single password
- Never use personal information as the password
- Use a password manager
- Add 2FA everywhere possible
- Don’t change passwords regularly
