‘It’s only an email account’

How many websites send you an email to confirm a login, or reset your password or account details?

It’s so easy to just think ‘Oh, it’s only my email account, it doesn’t really matter if it gets hacked.’ But just think how inconvenient it would be if it was hijacked. You risk the hackers getting hold of all sorts – your contacts, your social media, resetting passwords and possibly even accessing financial information.

Password reuse

Some of the most important rules for keeping your accounts safe are:
1. Don’t reuse passwords. Anywhere. If a website or service gets compromised, the hackers will try the usernames and passwords against other services.
2. Use strong passwords. Mix UPPER and lower case letters; numbers and special characters (!$@#~& etc) also help to strengthen passwords. Hackers will often try ‘dictionary attacks’ using the most common passwords.
3. Don’t use ‘keyboard walk’ passwords. They may look like strong passwords, but ‘qwerty’, ‘qwertyuiop’, ‘1qaz2wsx’, ‘123qwe’, ‘qazwsx’ and ‘zxcvbnm’ are all in the top 40 most used passwords!

You can use the password checker at Have I Been Pwned to see if any of your passwords have been compromised (don’t worry, it uses a secure way to check passwords and won’t remember them).
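The ‘secure way’ Have I Been Pwned checks a password is a k-anonymity range lookup: only the first five characters of the password’s SHA-1 hash are sent, and the rest of the comparison happens on your own device. The example below is added here to show that mechanism and is not code from Have I Been Pwned or from this page; the real endpoint URL is genuine, but `fake_fetch_range` and its sample range data are a constructed offline stand-in for the live service.

```python
import hashlib

# Real endpoint of the Pwned Passwords range API; only the 5-character prefix is sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    The 5-character prefix is all that leaves the device; the remaining
    35 characters are compared locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Search a range response ("SUFFIX:COUNT" per line) for our suffix."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0  # suffix not present: the password is not in the breach corpus


def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response text; returns how many breaches held the password."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed, offline stand-in for the API (hypothetical data, not real counts):
# a range holding the suffix of the well-known password "password" plus two
# made-up neighbouring suffixes, exactly as the service would return them.
_KNOWN_PREFIX, _KNOWN_SUFFIX = split_sha1("password")
FAKE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_KNOWN_SUFFIX}:3861493",
    "0A8FF98D1F3FAE1DB7B8E6D33C9D0E2A5B2:1",
])


def fake_fetch_range(prefix):
    """Stand-in for an HTTP GET of RANGE_URL; receives the prefix only, like the real API."""
    assert len(prefix) == 5, "only the 5-character hash prefix should ever be sent"
    return FAKE_RANGE if prefix == _KNOWN_PREFIX else "0000000000000000000000000000000000A:1\n"


if __name__ == "__main__":
    print(breach_count("password", fake_fetch_range))            # 3861493 in this constructed range
    print(breach_count("orbit-velvet-staple-9Q!", fake_fetch_range))  # 0
```

Against the live service you would replace `fake_fetch_range` with an HTTP GET of `RANGE_URL`, and the plaintext password still never leaves your machine.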

The National Cyber Security Centre recommends making up a password from three random words. That’s great advice, but how do you choose the random words? It’s very easy to use family, pet, friends’ or favourite team names, but you really should try to avoid this, just look at the most common passwords list mentioned above. It’s surprising how much information we unwittingly give away or make public online, so it’s quite easy for someone to use information from your social media and other sources to guess passwords.

There’s also an interesting page here showing how quickly hackers can crack passwords.

Remembering passwords

Many internet browsers (Chrome, Edge, Firefox, Safari etc) will offer to suggest a strong password when you are setting up or changing an account. This is quite a good way of creating unique strong passwords, but you then have the problem of remembering them. You could write them down, but there’s always the chance of misinterpreting your handwriting later on. Or you could save the password in the browser (it will usually ask you if you want to remember the details). This is quite handy, because you’re unlikely to accidentally type those details into a fake website, as the browser will only offer them for the website they were saved for. Unfortunately there are a handful of strains of malware that try to steal the in-browser password databases. One thing you should never do is store passwords in plain text in an online storage service (e.g. Google Drive, Dropbox, OneDrive etc.), just in case that gets compromised.

Although it is slightly more inconvenient to use, a more secure solution is a separate password manager. We use and recommend Bitwarden. This allows you to have a password vault separate from your browser with browser plugins to access it, and the ability to share your password vault across different browsers and devices.

MFA

Another security feature that we can’t recommend enough is using MFA (Multi Factor Authentication). This is where the service you’re trying to log into sends you an additional security code, or you use an authentication app which automatically generates a code for you. Many people can’t be bothered to set it up because they think it’s inconvenient and another step in the way of what you’re trying to do, but it’s a really useful way to protect your online accounts.

Summary

At the end of the day, you have to balance ease of use against security. The easier it is for you to log in to something, the easier it’s going to be for the bad guys!


Feel free to get in touch if you need any advice.