From online banking to social media accounts, many of us now juggle dozens of different passwords on a daily basis. But getting lazy with your logins could create a cybersecurity nightmare. Experts have now revealed the best way to create truly secure passwords that don't expose you to criminals. And they say that you should never reuse an old password or write down your logins.
In fact, the National Cyber Security Centre (NCSC), an arm of GCHQ, now says it might be time to ditch your passwords altogether. The NCSC announced that it was 'overhauling decades of practice' by advising people to stop relying on passwords and start using passkeys instead. Jake Moore, global cybersecurity advisor at ESET, told the Daily Mail: 'They are truly paving the way to remove passwords which remain insecure.'
Use a Unique Password
With so many different passwords to remember, it can be tempting to use the same password for multiple accounts. However, this is one of the worst decisions you can make for your online security. Mr Moore says: 'When people reuse the same password across multiple sites, it means that if one password is compromised in a data leak from one platform, cybercriminals could use the same password and username across other sites and gain entry.' That means, even if the site you use for your online banking is very secure, you could still be compromised if a less secure site you use is hacked. Sharing passwords between multiple accounts makes it easier for criminals to take over your digital presence from one small weakness.
Experts also warn against only changing your passwords very slightly, such as altering 'Password' to 'Password1'. While this might feel more secure, hackers won't have any trouble adding a few extra letters or numbers to a common password. 'Criminals also have access to software that can alter simple passwords such as the number at the end, so it’s also advisable not to increase any given number or year as they know this is popular,' says Mr Moore.
Don't Use Personal Information
A common mistake people make with their passwords is basing them on personal information. This might make it easier to remember, but it only makes it easier for a determined hacker to guess. Mr Moore says: 'This type of information may seem private, but it’s often easily located and linked online. If people use any personal information such as birthdays, football teams or meaningful years in their passwords, they are effectively breached.' You should be especially careful about using information that could be easily found online, such as a pet's name or the date of an anniversary.
Use a Long Password
One of the best ways to make your password more secure is simply to make it longer and more complex. Tech experts at Which? recommend using a passphrase rather than a simple one-word password. Which? says: 'Even if a website encrypts your password, single words found in the dictionary can be easily cracked. Hackers use lists of the encrypted version of the most commonly used passwords.' Instead, use a random or nonsensical combination of words, such as 'blue dogs walk backwards'. Adding special characters will make this even harder for hackers to guess, but be thoughtful about how you use them. Which? says: 'It’s tempting to replace letters of the alphabet with numbers and symbols that look similar so that "password" becomes "p@$w0rd". But don’t do this. Hackers know that trick too.'
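The patterns warned about above (a number added to an old password, look-alike symbols in a common word, personal details) can be screened for when a password is set. The following is an added example, not part of the original article: the `COMMON` list is a tiny constructed stand-in for a real common-password list, and the function names are hypothetical.

```python
import re

# Constructed sample data: a tiny stand-in for a real common-password list.
COMMON = {"password", "letmein", "qwerty", "dragon", "welcome"}
# Look-alike substitutions of the kind the article warns about ("p@$w0rd").
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})


def squeeze(s):
    """Collapse repeated characters so 'pasword' and 'password' compare equal."""
    return re.sub(r"(.)\1+", r"\1", s)


def base_forms(pw):
    """Reduce a password to the base word(s) it was built from."""
    low = pw.lower()
    # Drop a trailing run of digits/symbols ("Password1", "Tiger2024!").
    stripped = re.sub(r"[\d\W_]+$", "", low)
    # Undo look-alike characters on both the full and the stripped form.
    return {squeeze(s.translate(LEET)) for s in (low, stripped) if s}


def weaknesses(pw, previous=(), personal=()):
    """Return the set of weaknesses found in pw.

    previous: passwords the user has used before
    personal: known personal tokens (pet name, team, birth year, ...)
    """
    found = set()
    forms = base_forms(pw)
    if forms & {squeeze(w) for w in COMMON}:
        found.add("common-word")
    if any(forms & base_forms(old) for old in previous):
        found.add("variant-of-old-password")
    low = pw.lower()
    for token in personal:
        t = token.lower()
        if len(t) >= 3 and (t in low or t in low.translate(LEET)):
            found.add("personal-info")
    return found


if __name__ == "__main__":
    for candidate in ("p@$w0rd", "Password1", "blue dogs walk backwards"):
        print(candidate, sorted(weaknesses(candidate, previous=["Password"])))
```

An empty result only means none of these three patterns was found; it is not a measure of strength.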
Don't Write Your Passwords Down
Keeping track of all your complex passwords can be difficult, and it might seem like a good idea to jot them down so you don't forget. Which? says: 'You might live alone, or think you can trust the people you live with, but you might be burgled. An intruder could not only steal your laptop, they could also get away with your precious passwords, too.' If you put your passwords on paper, the chances of them being stolen are low, but it creates an unnecessary danger that's easily avoided. Instead, it is much better to keep all your login details in one place with an online password manager. Services like Bitwarden, Dashlane, or Google Password keep your passwords encrypted and secure behind one secure password. You can also set up two-factor authentication with your password manager to keep your details extra safe.
Ditch the Password and Use a Passkey
For the ultimate cybersecurity upgrade, experts recommend getting rid of your complicated passwords and using a passkey instead. Passkeys, likened to 'digital stamps', do not need to be remembered as they are created and managed by software on the device. This means that they are quicker to use than a password and more secure than even the longest passphrase. When a user first logs in to a device, the system sends a digital key to specific devices. For many, that means using biometric data – such as a fingerprint or facial recognition – or their phone's PIN to create and authenticate their passkey. The key remains stored on the device and cannot be easily intercepted or stolen – with third parties unable to access accounts using other devices. Even if a website is breached, hackers will only be able to access the 'public keys', which are useless by themselves.
'Using Passkeys across devices makes it easy for people to sign into their accounts and removes the challenge of having to remember multiple passwords or using two or three passwords for all accounts,' says Mr Moore. 'It also removes one-time passcodes, which is often something people stumble with. Combined with the device’s biometric authentication passkeys, it makes it extremely quick to enter an account.'
Passkeys are so secure that they are now being recommended by the NCSC as the preferred way of keeping your account safe. Jonathon Ellison, the director for national resilience at the NCSC, said passkeys provide 'a user-friendly alternative which provide stronger overall resilience'. He said: 'As we aim to accelerate the UK's cyber defences at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.' The only issue is that they are not used by all websites, but adoption is growing rapidly, with Apple, Google, Microsoft, PayPal and eBay all making passkeys available as a login option.



