Twenty years ago, you might have been forgiven for using ‘password’ as an online password.
The internet was still in its infancy, and concepts like ransomware barely registered in the public consciousness.
Yet a survey by the UK’s National Cyber Security Centre last year revealed a continuing lack of effective password management among online account holders.
In a survey of accounts which had been breached by criminals, the most commonly recurring password was ‘123456’.
An astonishing 23.2 million compromised accounts used this password.
Almost eight million had set ‘123456789’ as a password, while nearly four million breached accounts had been relying on ‘qwerty’ to keep them safe. Clearly, it didn’t.
Depressingly, 3.8 million compromised accounts still had their password set as…yes, you guessed it.
Many of these cybercrime victims would have stayed out of the NCSC’s figures if they’d deployed more robust security phrases.
The fact that 140,841 compromised accounts had ‘metallica’ as a password while almost exactly twice as many had chosen ‘liverpool’ suggests people don’t look far for inspiration.
First names were also common choices. Between them, ‘ashley’ and ‘michael’ were the passwords attached to almost 900,000 breached accounts.
It wouldn’t take a criminal mastermind to guess that a rock music fan might have set their password as ‘blink182’ (285,706 accounts) or ‘slipknot’ (140,833).
So how should you go about choosing a password which isn’t easy for a hacker or fraudster to guess? And are there tips to help remember different login credentials?
These are our effective password management tips:
- Use different passwords on each account. We’ll cover the mechanics of remembering them all in a moment. But if one account is compromised, others should remain safe.
- Adopt variations on a theme. Your first car’s registration plate followed by different letters might work – A135ACEa for Argos, A135ACEb for Boots, and so on.
- Set bookmark reminders. Add abbreviated clues in your web browser’s bookmarks or favourites list – A1a for Argos, etc. It’ll remind you without being obvious to crooks.
- Don’t use personally identifiable information. Your surname, address, spouse’s name and date of birth could be acquired as part of a data breach, so never employ PII passwords.
- Avoid normal words. Automated dictionary attacks can try whole lists of common words against a password field in bulk. Use a blend of letters and numbers instead.
- Consider acronyms. These can be easy to remember but impossible to guess. ROYGBIV lists the colours of the rainbow in order, and would mean nothing to a hacker.
- Avoid consecutive letters or numbers if possible. Your account is safer with ‘acegi135’ as a password than ‘abcde123’, since criminals routinely try consecutive strings.
- Don’t accept randomly-generated passwords. If you ever change web browser or replace your main device, you’d never remember an account password was ‘#adf@2w4k35bcv8a56’.
- Don’t store password lists on your device. If criminals gain remote access to your device, their first speculative action is often to search for documents entitled ‘password list’.
- Do store them in a secure offline location. A bedside diary would be a good place to store a hand-written list of account passwords, in case you forget important login credentials.
- Never publicise passwords. Don’t brag to colleagues, don’t let slip to your neighbours, and don’t publish anything online which may offer clues to certain passwords.
- Use an online password management tool. Finally, consider using a service like LastPass, Dashlane or Keeper to log you into webpages, with just one ID to remember.
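As an added illustration (not part of the original article), here is a small password screen a site could run at sign-up to enforce three of the tips above: reject anything on a breached-password list, reject anything containing the user's own personal details, and reject consecutive runs such as ‘abcde’ or ‘123’. The breached list is constructed from the passwords the NCSC figures above name; a real deployment would check against a full breached-password corpus.

```python
# Constructed denylist built from the passwords named in the NCSC figures above.
# A real deployment would screen against a full breached-password corpus instead.
BREACHED = {"123456", "123456789", "qwerty", "password", "metallica",
            "liverpool", "ashley", "michael", "blink182", "slipknot"}


def longest_run(s: str) -> int:
    """Length of the longest run of consecutive characters in one direction,
    e.g. 'abcde' or '123' (ascending) or 'cba' (descending)."""
    best = cur = 1
    step = 0  # direction of the current run: +1, -1, or 0 when no run is open
    for a, b in zip(s, s[1:]):
        d = ord(b) - ord(a)
        if d in (1, -1) and (d == step or cur == 1):
            cur += 1
            step = d
        else:
            cur, step = 1, 0
        best = max(best, cur)
    return best


def check_password(pw: str, pii=()) -> list:
    """Return the rules that `pw` breaks; an empty list means it passes.

    `pii` is an iterable of the account holder's own details (surname,
    date of birth, car registration, ...) that must not appear in the password."""
    low = pw.lower()
    reasons = []
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    if any(p and p.lower() in low for p in pii):
        reasons.append("contains personal information")
    if longest_run(low) >= 3:
        reasons.append("contains a consecutive run of letters or digits")
    return reasons


if __name__ == "__main__":
    # The article's own examples: 'abcde123' should fail, 'acegi135' should pass.
    for candidate in ("123456", "abcde123", "acegi135", "Liverpool"):
        print(candidate, "->", check_password(candidate) or "ok")
```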