Password security basics

If you think password security isn’t important for you because you aren’t a high-profile target – think again. Hackers are opportunists and exploit any weaknesses they can find. Protect your information, data and money by brushing up on password basics.

We get it: remembering passwords is tough, especially when you have hundreds. There’s a simple solution to this problem: a password manager. You only need to remember one master password to access all your saved passwords. Just make sure that master password is long, strong and easy to remember.

What’s a password manager?

A password manager is a secure application that stores all your passwords in one place. It can also generate strong passwords for you. All you need is a master password to access everything. You can store answers to security questions, card details and two-factor authentication backup codes as well. Everything is strongly encrypted (brute-forcing it would take a billion years!) – just keep your master password safe.

We recommend 1Password and Dashlane, but there are other options out there as well.

You can use a local or a cloud-based password manager. Cloud password managers have the added convenience of being accessible anywhere, on multiple devices.

If multiple people need shared access to the same account, Shared Account Password Management (SAPM) can work alongside password managers.

Strong, unique passwords are essential, but two-factor authentication should also be enabled for every service that supports it.

What is two-factor authentication?

Passwords will always be a weak point for security. Phishing scams are increasingly common and crafty; it's a numbers game for hackers, and eventually they'll catch someone out. Two-factor authentication (2FA) or multi-factor authentication (MFA) adds a second layer of security.

Many apps (social media, banking, password managers) offer 2FA to secure your account and transactions. It follows the idea of ‘something you know’ and ‘something you have’. You log in with your password (something you know) and then a one-time code is sent to your phone (something you have) to double-check you're you. You'll usually be able to set this up in the password and security settings of each app. Find out which apps offer 2FA by visiting Two Factor Auth.

Even better than 2FA via text message is using an authenticator app. These generate one-time codes when you log in and are more secure than receiving an SMS code. Look for Microsoft Authenticator, Google Authenticator or Authy.

When you set up 2FA, you’ll be given backup passcodes to use in case you lose your phone. You’ll need to store these safely, for example in a cloud-based password manager. You can also purchase security hardware keys that offer 2FA without a phone.

Our password security tips

  • Don’t use the same password for more than one website. If your details are compromised by one website, you’re leaving the door wide open for hackers on every other site where you’ve used that username and password combination. This attack is called credential stuffing: once a username and password combination has been breached, hackers try it on many other sites to gain access.

  • Don’t use guessable passwords. Not your kids’ names, not your birthday, and definitely not password123. If you need a password you can remember easily, try a passphrase. A string of 3-4 random words separated by a hyphen or other special character is better than a complicated password you’ll forget. For example, ‘Dog-Yellow-Balloon’.

  • To check if your emails or passwords have been compromised, visit the website Have I Been Pwned?. Update your password for any affected sites.

  • Don’t use your browser’s default password manager; these don’t have the same level of security or encryption as dedicated password managers.

  • Change the default passwords on new software and devices. These default passwords are readily available online and easily exploited.

We’re here to help with any of your security concerns, just send us a message.
