Passwords for your internet banking. Passwords for your email account. Passwords for your social media accounts. Passwords for your work VPN. The number — and complexity — of passwords we have to keep accounts “secure” can be truly baffling.
There’s a very simple — and very bad — way to manage all of these, and that’s to simply use one or two passwords for all of your services, preferably something you can remember easily like a common word. You may have heard that this is a poor idea, but it’s more than that — it’s a shockingly bad idea, for two key reasons. Firstly, using a common word means it’s uncommonly easy for someone nefarious to ferret out, especially if it’s a dictionary word. You may as well call your password “password” if you’re going to do that.
Just in case I wasn’t clear enough there: Do not, under any circumstances, use “password” as your password.
Equally, it’s a bad idea to use the same password over multiple sites, especially if there’s any kind of money — whether it’s your bank, your credit card details or even something as seemingly innocuous as your date of birth — involved.
Why is that a bad idea? Simply because it sets up a weak chain. You might use the same simple password for your banking as for an online store you only used to buy something once, because your brain associates it with money, but if that store has its own security breach, your password goes with it. It’s a relatively trivial matter to hit multiple services with the same account details (typically your email address and that same insecure password), meaning that using the same password across multiple sites is a rather easy way to leave yourself open to all sorts of nasty attacks.
The issue then becomes one of remembering all your passwords, and this is where password management software can come to the rescue. There are numerous packages, from the online LastPass to the open-source KeePass, but all of them perform the same basic function. You choose one password, preferably a strong one (meaning a combination of numbers, letters, cases and punctuation marks). That’s the key to your password vault, which stores all the rest. Once you’ve got that kind of system in place, it doesn’t actually matter if you remember your passwords or not, because your password vault will. Most packages make it trivial to set up long randomised passwords as part of basic functionality.
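The checks described above (reuse across sites, dictionary words, missing character types) and the randomised replacement a password manager produces can be sketched in a few lines of Python. This is an added example, not code from any of the packages mentioned; the site names, the word list and the function names `audit`, `generate` and `rotate` are assumptions made up for illustration.

```python
import secrets
import string
from collections import defaultdict
# Constructed sample data for illustration only: not real sites or credentials.
COMMON_WORDS = {"password", "sunshine", "dragon", "monkey", "letmein"}
VAULT = {
    "bank.example": "sunshine",
    "shop.example": "sunshine",
    "mail.example": "Tr4vel!ng-2019",
    "vpn.example": "password",
}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def audit(vault, words=COMMON_WORDS):
    # Return {site: [problems]} covering reuse, dictionary words and missing classes.
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    findings = {}
    for site, pw in vault.items():
        problems = []
        others = [s for s in by_password[pw] if s != site]
        if others:
            problems.append("reused on " + ", ".join(sorted(others)))
        if pw.lower() in words:
            problems.append("dictionary word")
        if not all(any(c in cls for c in pw) for cls in CLASSES):
            problems.append("missing a character class")
        if problems:
            findings[site] = problems
    return findings

def generate(length=20):
    # Draw from the OS CSPRNG and retry until every character class is present.
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def rotate(vault):  # give every flagged site its own fresh random password
    fixed = dict(vault)
    for site in audit(vault):
        fixed[site] = generate()
    return fixed

print(audit(VAULT))  # lists sites and their problems, never the passwords
```

After `rotate`, a breach at the shop exposes nothing that works at the bank, because no two sites share a password any more.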
A strong password is good, but introducing multiple levels of authentication is even better. This is often called two-factor authentication: it relies on a password as well as a single-use key, which can be something you carry on you physically, a code that’s sent to your phone via SMS, or similar. The advantage there is that even if your single strong password is compromised, the bad guys can’t get any further, because they don’t have the second part of the key. Two-factor authentication can be quite secure (nothing is foolproof), but it’s a matter of working out whether the online services you use support it. Some banks do offer two-factor authentication (usually via a random key sequencer that they’ll supply), but many online services don’t. It’s worth checking, however, especially for those accounts, like banking, that you want to keep especially secure.