Strong passwords are a fundamental requirement for staying safe online, yet millions of Brits may be putting themselves at risk because they aren’t taking passwords seriously.
In a recent survey, we asked 2,000 UK broadband users aged 18+ how they created and stored passwords.
What we discovered is that a shockingly large number of people are putting their devices and personal data at risk because they don’t have strong passwords and are failing to follow simple steps for securing their logins.
For instance, 31% of respondents admitted that most of their passwords were the same, while 10% said they only deviated from their standard password when it was forced on them.
Having a unique password for each site or service is incredibly important. If your password is the same everywhere, then just one data breach could expose all your accounts.
We also asked respondents to identify what they thought would be the most secure password from a selection of examples.
Length is crucial for making a strong password. The more characters, the harder it is for the password to be cracked. But you also can’t use common tricks like swapping letters for numbers because hackers are all too aware of these, and password cracking tools will check for them.
Most people correctly avoided the very worst options, but the majority chose a password that looks secure yet is fairly easy to break.
We used the Dropbox zxcvbn password strength tester to compare the time it would take a computer to guess each password. It estimated that, under ideal circumstances for the cracker (very powerful hardware and no limit on the number of attempts they can make), every password except the longest phrase would take less than a second to crack. The lengthier password, by contrast, is estimated at 17 days, which, while still not great, is a significant increase in the time and effort required.
Now, none of these is especially useful as a password (we’ve published them on the internet for one thing), but they were intended to highlight two common pitfalls when making passwords: phrases that are too short, and using simple substitutes of numbers for letters.
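To put numbers on those two pitfalls, here is an added example (not part of the original article) that models a rule-based cracker's search space for a dictionary word with letter-for-number swaps against a passphrase of random words. The substitution table, the 100,000-word list, the 7,776-word passphrase dictionary and the 10 billion guesses per second rate are all assumptions chosen for illustration.

```python
import math

# Constructed model, not the article's zxcvbn results: how many candidates a
# cracker must try for "dictionary word + swaps + digits" versus random words.

# Swaps a cracker's rule set tries per letter (constructed, typical leet-speak).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
GUESSES_PER_SECOND = 1e10   # assumed offline rate for a powerful GPU rig


def leet_variants(word: str) -> int:
    """Spellings needed to cover every mix of swaps for one base word
    (each letter is either left alone or replaced by one of its swaps)."""
    n = 1
    for ch in word.lower():
        n *= 1 + len(LEET.get(ch, ""))
    return n


def leet_password_space(word: str, wordlist: int = 100_000, max_digits: int = 2) -> int:
    """Candidates for: any word in the list, any swap mix, optional capital
    first letter, and up to max_digits trailing digits (covers P@ssw0rd12)."""
    suffixes = sum(10 ** d for d in range(max_digits + 1))   # "", 0-9, 00-99
    return wordlist * leet_variants(word) * 2 * suffixes


def passphrase_space(n_words: int, dictionary: int = 7776) -> int:
    """Candidates for n_words words drawn at random from a diceware-style list."""
    return dictionary ** n_words


def bits(space: int) -> float:
    """Search space expressed as bits of entropy."""
    return math.log2(space)


def crack_time_seconds(space: int) -> float:
    """Expected time to hit the right guess: on average half the space is tried."""
    return space / 2 / GUESSES_PER_SECOND


if __name__ == "__main__":
    cases = [("P@ssw0rd12 (word + swaps + digits)", leet_password_space("password")),
             ("4 random words", passphrase_space(4)),
             ("6 random words", passphrase_space(6))]
    for label, space in cases:
        print(f"{label:36s} {bits(space):5.1f} bits  ~{crack_time_seconds(space):.3g} s")
```

Even with a generous 100,000-word list, the swapped dictionary word stays around 30 bits and falls in well under a second, while four random words already need days and six are out of reach.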
When it comes to making new passwords, the majority of our survey respondents said they either have a method for creating a password which doesn’t use software, or they make them up on the spot.
Neither of these answers is particularly encouraging. While having a trick for creating a password sounds like a good idea, the pattern may be easy to identify, especially if a hacker were to get hold of two or more of your passwords (not beyond the bounds of possibility given the number of data breaches that occur).
As for those making them up on the spot, we suspect many are using variations of the same phrase, or simple dictionary words.
The best method is to use a password generator tool to create long and complex passwords when you need them. However, just 17% of our survey respondents use password generators.
But using long and complicated passwords means they’re impossible to remember, and that’s where a password manager comes in. Password managers securely store your account details, so you never need to memorise or write them down, and they’ll usually offer a bundle of other useful features such as password generators and leaked password alerts. Yet only a meagre 26% said they use a password manager.
So what are the rest doing?
8% are storing passwords in their web browser, something which they should stop because it’s not safe. 22% are writing them down, a practice that isn't recommended for obvious reasons. And 70% claim they memorise their passwords, which probably means most of their passwords are the same. Switching to a password manager would be a vast improvement in security and ease of use.
Three steps to better password security
Passwords should be long and complex
The longer a password is, the harder it will be to crack.
But size isn't everything.
As well as being lengthy, you should also mix in upper and lower case letters, numbers and special characters. Though try to avoid common patterns - research has shown that numbers or special characters are very often placed at the beginning or end of the password. Spreading the numbers and special characters throughout the passphrase will make a hacker's task more difficult.
Use a password generator to make long, random, and complex passwords on demand.
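The rules above in working form, as an added example that is not the article's or any password manager's code: a generator built on Python's `secrets` module that draws every character uniformly (so digits and symbols land anywhere, not just at the ends) and re-draws until all four classes appear, plus a check that flags the "digits and symbols only at the ends" habit. The symbol set and default length of 20 are assumptions.

```python
import secrets
import string

# Added example: a CSPRNG-backed generator meeting the three rules above,
# and a check for the common "Summer2024!" shape the article warns about.

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",   # constructed symbol set; trim to a site's rules
}
ALPHABET = "".join(CLASSES.values())


def missing_classes(pw: str) -> set:
    """Character classes that do not appear in the password."""
    return {name for name, chars in CLASSES.items() if not any(c in chars for c in pw)}


def non_letters_only_at_ends(pw: str) -> bool:
    """True when every digit and symbol sits at the start or end of the
    password (e.g. 'Summer2024!'), leaving a plain word in the middle."""
    core = pw.strip(string.digits + CLASSES["symbol"])
    return core != pw and all(c in string.ascii_letters for c in core)


def generate(length: int = 20) -> str:
    """Uniformly random password from ALPHABET, re-drawn until every class is
    present. secrets (not random) is used so the output is unpredictable."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(pw):
            return pw


if __name__ == "__main__":
    pw = generate()
    print(pw, "missing:", missing_classes(pw), "ends-only:", non_letters_only_at_ends(pw))
    print("Summer2024! ends-only:", non_letters_only_at_ends("Summer2024!"))
```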
Passwords should be unique
Never use the same password more than once. Otherwise, you could find hackers using a leaked password from one site to break into your other accounts.
Always use multi-factor authentication (when possible)
Multi-factor authentication (MFA) adds an extra layer of protection by requesting a further method of identification when you log in; this could be a code sent via SMS or email, or generated by an authentication app.
Having MFA means that if someone does get your password, they will still be unable to access the account without also possessing the verification code. Not every service offers MFA, but it’s becoming increasingly common, and we recommend you enable it whenever it is offered.
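How an authentication app produces its code, and how a service checks it, as an added example that is not part of the original article: a minimal time-based one-time password (TOTP, RFC 6238) in Python using only the standard library. The shared secret is the RFC's published test key, used here purely as a constructed demo value; the 30-second step and one-window clock tolerance are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Added example: the code an authenticator app shows is an HMAC of the current
# 30-second window number under a secret shared once (usually via QR code), so
# a stolen password alone does not satisfy the login.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """What the app displays: HOTP over the number of the current time window."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, submitted: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Service side: accept the code for the current window or +/- skew windows
    (clock drift), comparing in constant time to avoid timing leaks."""
    window = at // step
    for w in range(window - skew, window + skew + 1):
        if hmac.compare_digest(hotp(secret, w), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (RFC 6238 test key); never reuse a real one.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("code:", code, "valid now:", verify(secret, code, now),
          "valid 2 min later:", verify(secret, code, now + 120))
```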