How To Keep Passwords Safe
Just as we don't give burglars easy access to our house key, we need to keep our passwords safe from criminals too.
Whilst there are many ways by which hackers get our passwords, by taking just a few simple precautions we can help keep them safe.
A secure - and popular - alternative to writing passwords down is to use something known as a "Password Manager" (sometimes also called a "Password Vault" or "Password Safe").
These applications are designed specifically to keep passwords safe, storing them in a secure virtual vault and remembering them for us until we need them. They can even suggest ideas for super secure passwords when you need a new one too!
Take a look at our page dedicated to explaining how to get and use these Password Managers.
Can I write my passwords down?
It’s often said that we shouldn’t write passwords down, but is this really such a bad idea? You certainly shouldn’t store passwords in places where they could easily be found, such as:
- At the office;
- In your wallet or purse (which could be pickpocketed or lost);
- Or entered as a note on your mobile phone.
But what about writing them down at home? This is where you need to consider the risk.
Think about who might find them if you did, for example have you got nosey kids? Are you in a high risk area for burglaries? Or do you ever have nosey guests or a cleaner who might find them?
Writing passwords down can be extremely helpful – and in some circumstances perhaps even improve security by enabling you to remember stronger (and unique) passwords for each website.
If you do choose to write them down then make sure to follow these tips:
- Never include your login: Don’t write down your account username or email address alongside the password.
- Write prompts: Try to write down reminders to your passwords instead of the full password.
- Be sneaky: If you do write down the full password, how about adding some misinformation such as adding some random characters to the start and end of the password? You know to drop these characters; a thief who got hold of your notes wouldn’t.
- Be careful where they're stored: Don’t store the passwords near your PC or where they can easily be found – for example don’t pin them up on a notice board or a post-it note on your monitor.
When should I change my password?
It’s commonly said that you should change your passwords regularly; most companies even enforce this on their office computers. But have you ever wondered just how effective this is?
Regardless of how often you change your password, there are certain events after which we should change our passwords right away:
- Website hack: Change your password if a website you use is in the news for having been hacked;
- Losing your phone: If you lose or have your phone stolen you should change the passwords to any apps you use (such as your email & Facebook) straight away;
- Suspicious account activity: Change your password if you see strange activity on your accounts, such as random tweets from your Twitter account or spam being sent from your email address;
- Phishing attack: If you ever suspect that you've fallen for a scam or opened a phishing email then change your password immediately, before the fraudsters have the chance to use it;
- Unknown "last logon": Some websites (especially banks) will display a message of when your account was last accessed. If that login wasn't from you then inform your bank (if it’s your bank password) and change your password immediately; (Note: Never trust "security alert" emails from your bank – these will be a scam. If in doubt visit your local bank branch and check);
- Virus alert: If your antivirus program alerts you to a "Keylogger" on your computer then find another clean computer & change all of your passwords immediately. Use your computer's antivirus program to remove viruses before using it again.
For all the above, if you've used the same password across other websites then change it on those sites too. See our tips here for creating strong & memorable passwords.
How to change your password
For most websites, changing your password should be fairly straightforward - the option to do this is usually found on the page called "account" or "settings".
There are however a few simple tips to follow to make sure you don't unwittingly give your password away to a criminal:
- Always type the web address directly: Never click a link from an email or unknown source to change your password - always type the website's address into a browser yourself. This way you can be sure you’re changing your password on the real website.
- Beware of phishing attacks: Ignore any emails claiming to be from someone you have an account with and which ask you to follow a link & update your details. No reputable website or bank will ever ask you to click a link in an email - these emails will be from criminals who are "phishing" for your details. Learn how to spot phishing emails here.
- Never disclose your password to anyone: You should never send your password by email or tell someone it over the phone; no reputable firm will ever ask you to do this.
Should I change my passwords on a regular basis?
In addition to changing passwords after any suspicious activity, a commonly heard piece of advice is that we should also change our passwords regularly.
But should we? Whilst changing our password will help if it has been stolen, changing it regularly can nudge us towards choosing poor passwords as we try to remember them.
Simply put, it's better to focus on making sure that our passwords are strong & unique than to worry about changing them regularly.
- If you will always continue to use strong passwords (for example you might use a password manager) then changing them regularly, such as every 60 days, is undoubtedly a good idea.
- But if your password strength ever starts to suffer then it's not worth it as you will actually reduce your account security.
Instead of changing your passwords regularly you could enable something called "2 Factor Authentication (2FA)" (most major websites now offer this option). This adds an extra layer of security, stopping anyone who may have gotten hold of your password from accessing your account.
The idea behind changing your password regularly is that you'll be blocking anyone who may have discovered your password. But on the flip-side, constantly having to remember a new password can lead to poor password choices. Also - by only changing passwords at arbitrary times - it may already be too late anyway!
That said, there are a few circumstances where regular password changing can still help, for example:
- You might be lucky with timing and change your password just after it's been stolen;
- The attackers may be taking their time before using your password following its theft, such as trying to crack any protection applied to it or waiting for a buyer of your account details;
- Your account (especially a work-based account) may be one where the attackers want long-term access.
Whilst changing passwords regularly can be of benefit, the argument against doing so rests on the fact that for most people this will weaken security.
- Creating strong passwords can take some thought – we might start with good intentions and use strong passwords at first, but after a while of changing them we’ll often give up and just choose weak & easy to remember ones instead.
- We may even re-use our password by simply adding a number to the end, for example password1, password2, etc. (hands up, who's done that?!). Doing this has very little benefit.
If you can change your passwords regularly without reducing their strength then definitely do so. But regardless of whether you do or not, we strongly recommend that everyone applies "2 Factor Authentication (2FA)" where you can - this is a great way to stop unauthorised account access should anyone get hold of your password.
What else can I do?
Even if you look after your passwords they can still sometimes be stolen (see our page on how criminals get our passwords). It's for this reason that we recommend setting up Two Factor Authentication (2FA) on your accounts.
With 2FA you login with both your password and a one-time code, sent (for example) to your phone in a text message. Even if a hacker somehow finds your password they won't have this code - and won't be able to log in.
Some websites streamline this process to make it easier, such as by only requiring this code if you're logging in from a new computer. Check it out and set it up today!
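To show what happens behind the scenes when a website checks the one-time code described above, here is an added illustration (not code from this page or from any particular website) of the server-side rules that make the code useful as a second factor: it is random, hashed before storage, valid for only a few minutes, usable only once, limited to a handful of guesses, and skipped for devices the user has already verified. The class name, the constructed server secret and the in-memory dictionaries are assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Constructed, in-memory store for the example; a real service would persist this per account.
CODE_LIFETIME_SECONDS = 300   # a code that arrives by text message is only good for 5 minutes
MAX_ATTEMPTS = 5              # stops an attacker simply guessing all 1,000,000 six-digit codes

class OneTimeCodeGate:
    """Second factor: a short random code that is valid once, for a few minutes."""

    def __init__(self, secret: bytes):
        self._secret = secret          # server-side key used to hash stored codes
        self._pending = {}             # user -> (code_hash, expires_at, attempts)
        self._trusted_devices = {}     # user -> set of device tokens already verified

    def _hash(self, code: str) -> bytes:
        # Store a keyed hash, not the code itself, so a leaked store does not reveal live codes.
        return hmac.new(self._secret, code.encode(), hashlib.sha256).digest()

    def issue_code(self, user: str, now: float) -> str:
        # Six random digits; this is what would be sent to the user's phone.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (self._hash(code), now + CODE_LIFETIME_SECONDS, 0)
        return code

    def verify_code(self, user: str, code: str, now: float) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            self._pending.pop(user, None)     # expired, or the guess budget is used up
            return False
        if not hmac.compare_digest(code_hash, self._hash(code)):
            self._pending[user] = (code_hash, expires_at, attempts + 1)
            return False
        self._pending.pop(user)               # single use: a code never works twice
        return True

    def needs_code(self, user: str, device_token: str) -> bool:
        # Streamlined login: only ask for a code when the device has not been seen before.
        return device_token not in self._trusted_devices.get(user, set())

    def remember_device(self, user: str) -> str:
        # Called after a successful code check; the token lives in the browser's cookie jar.
        token = secrets.token_urlsafe(32)
        self._trusted_devices.setdefault(user, set()).add(token)
        return token
```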