In a competitive field, passwords are one of the worst things about the internet. Long and complex passwords are more secure but difficult to remember, leaving many people using weak and easy-to-guess credentials. One study by the UK’s National Cyber Security Centre (NCSC) revealed how millions are using their pet’s name, football team names, ‘password’ and “123456” to access online services.
But this leaves you wide open to attack: cybercriminals can crack weak passwords in seconds using automated tools. “A hacker needs roughly two seconds to crack an 11-character password made up of numbers,” says Alex Balan, director of security research at security company Bitdefender. If the password is more complex, containing numbers, symbols and uppercase and lowercase letters, the time needed to break it jumps to 400 years.
Experts say a good password should be unique and contain a combination of letters, numbers and special characters. The key to a strong one is length, says independent security researcher Sean Wright. “While password complexity does help, the length matters far more.” Experts recommend a minimum of 11 characters, more if possible.
The typical internet user has about 100 sets of login details – memorising this number of complex passwords is well beyond most people’s powers of recall.
Password manager apps can resolve this problem by creating long and complex credentials for you, and remembering them the next time you log in. Yet only about one in five people in the UK use one, according to recent estimates.
Many people are put off by the hassle, while others are suspicious about allowing one company to store all of their passwords. How do you know which one is trustworthy, and what if the company is hacked?
It might seem daunting at first, but a password manager will make your life a lot easier. Here’s everything you need to know.
Why you should join the 20% who use one
Once you’ve downloaded a password manager, such as 1Password, LastPass, Bitwarden or Dashlane, you can follow the instructions to import your logins from somewhere else such as your browser. You can also start from scratch if you want, and delete accounts you don’t need any more as you go along.
After setting it up, the app can generate strong passwords for you for any new sites you use, and these will autofill as you browse. This solves one of the toughest aspects of password security: remembering lots of complex credentials.
“Since password managers take care of the remembering part, every password can be a long, totally random selection of characters,” says Jake Moore, global cybersecurity adviser at security firm ESET.
Password managers also ensure you use a unique login for each account, rather than repeating them across services. This is crucial for preventing “credential-stuffing” attacks, which happen when a hacker uses your compromised password, for example from Facebook, to try to get into other well-known services you might use such as Netflix or Spotify.
Another often overlooked benefit is that most password managers help prevent phishing attacks, where scammers will encourage you to click a link so they can steal your credentials. “Since they tie the credentials to a specific web address, the autocomplete will not work on phishing sites,” says Wright.
In some cases you can even use password managers to securely share a login with other trusted people, such as family members. They also allow you to store pin codes, credit card details and online banking credentials securely.
Why they are trustworthy and not as much hassle as you think
One major misconception about password managers is that having your credentials stored in one place is a risk. “I am often asked: ‘What if someone is able to access my password manager?’, but using one is far better than reusing the same credentials for all accounts,” Moore says.
While there is a small risk in placing all your logins in one place, the likelihood of the password manager being breached is extremely low, says Wright.
Password managers keep your details secure by encrypting your logins so they can only be accessed when you enter the master password. “Your plain text passwords are never stored on your device or on the password manager’s servers,” says Paul Bischoff, privacy advocate at Comparitech.
Setting up a password manager is probably the biggest hurdle for those diving in, but you can do it gradually, changing passwords as you go. Once you have set up your app, it’ll save you the time you spend now resetting logins you’ve forgotten.
Some see cost as an issue, but password managers are often free, or available for a few pounds a month. If you do decide to pay, the subscription will be worth it if you consider the costs of being hacked and details such as bank accounts being accessed.
Are Apple Keychain and Google Password Manager as good as independent password managers?
Apple Keychain and the Google Chrome Password Manager are password managers, but they lack the features of “full-service” ones. Sticking with Apple or Google means you can’t easily use your password manager with other devices or browsers.
Apple Keychain and Google Chrome help strengthen protection, but you will struggle to easily move across devices without an independent password manager, says Moore. “Although it’s better than reusing passwords, a third-party password manager usually offers more features and can be easily accessed across devices.”
Steps to improve your security
Keep in mind that the password manager will need a master password, which you’ll need to be able to remember. This should be as long and complex as possible, for example a phrase or set of memorable words including some random characters and numbers.
Some password apps let you know when one of your accounts has been compromised. The website HaveIBeenPwned is another trustworthy method of looking up whether your passwords have appeared in any known breach.
Apple also offers a function to detect hacked passwords, under Settings > Passwords > Security Recommendations. If any of your passwords have been compromised, it’s a good idea to change them, on the breached site as well as any other websites where you use the same credentials.
Of all your passwords, your email is most important. If a criminal is able to access your email, they could steal information including banking details, or send messages pretending to be you to scam people. Worse, they could use your email to reset all your other passwords, taking control of your accounts. For this reason, the NCSC says you should create an extra-strong password for this account, using a password manager if possible.
Experts recommend passwords – and password managers – are backed by two-factor authentication, whereby you are asked for something such as a one-time code in addition to a password when you log in using a new device. For the more adventurous of you, there is the option to use a security key such as a YubiKey – a token you can insert into your device to double-secure high-risk accounts such as email. Authenticator apps such as Authy are another option. These generate a unique code for you to enter into the site and are very straightforward to use.
The least bad alternative…
If this all seems too technical, or you are managing passwords for an elderly parent or grandparent, there is another option. While they’re sometimes mocked, physical password books aren’t a bad idea, as long as you follow the guidelines in creating strong, unique logins, and the book is kept somewhere secure and doesn’t leave the house. And it goes without saying that you should never create a “virtual” book or document on your computer, which could be viewable if your device is hacked.