We all do it...or almost all of us do. We re-use passwords. We use simple passwords. We tell people our passwords. And as for adding another layer of security? Are you kidding? Read on for the Full Frame primer on why passwords matter and how to take some of the pain out of breaking bad habits.
Passwords are out of control. A survey by Data Insider found that, on average, someone in the US has 130 online accounts. Best practice says that most of those should have a different, hard-to-break password. That means long, and free of anything an attacker could look up about you.
Advice about what constitutes a good password has changed over the past couple of years. Indeed the chap who came up with the rules that governed password use admitted last year that he regretted much of what he wrote.
All those password rules? Sorry about that!
All that stuff about uppercase, lowercase and special characters...well, it turns out that it made passwords difficult for humans to remember, but did little to make them harder to crack. And as for changing them every month? That just meant most of us stuck a number on the end and incremented it whenever we were forced to.
The latest advice from the UK's National Cyber Security Centre (NCSC) makes much more sense. It no longer bans the use of dictionary words, but suggests putting together three random ones so you have a long phrase which is easy to remember and, because of its length, extremely difficult for a computer to crack. “Three well-chosen random words can be quite memorable but not easy to guess. It provides a good compromise between protection and usability,” it says.
But the NCSC still warns against reusing passwords across different accounts, and it would be hard to overstate how risky this is. A spate of hacking since 2018 demonstrates why. Increasingly, criminals use credentials exposed in previous data breaches and try them out anywhere that will let them. The practice, known as "credential stuffing", takes place on a massive scale and it's almost certain that if you've had a password stolen, someone, somewhere is using it right now to try to break into an account.
So clearly we shouldn't reuse passwords - but even if we do use combinations of dictionary words, there's no practical way to remember dozens of distinct passphrases. And the result? Survey after survey suggests people continue to ignore the advice and use one or two passwords for everything. Even worse, for millions of people those passwords are 123456 or Password which, believe it or not, continue to be the top two choices among the millions of passwords stolen every year.
Obviously, those sorts of passwords are asking for trouble. Someone trying to attack you will try these first -- just as they will look to see whether you've changed the default passwords or PIN codes on your devices. Analysis of stolen passwords shows that around a fifth of us use one of around 5,000 password combinations. So they'll be the ones the attackers try next.
So what's the answer?
As with everything to do with cybersecurity, there isn't a perfect solution. Everything is a compromise between security and practicality. In the case of passwords, the best (or least worst) solution is a password manager (or password vault). We have a detailed look at these here.
There are plenty available; two of the best known are 1Password and Bitwarden. We used to include LastPass in this list but a 2022 data breach left us deeply concerned about its security and transparency. Password managers store all your passwords and associated information in a secure vault that you protect with a good password. They can generate secure passwords, fill them in automatically and sync them across all your devices.
As the NCSC says, "Password Managers are a good thing. They give you huge advantages in a world where there's far too many passwords for anyone to remember." And they mean that even if one password is stolen, it won't impact anything else.
One note of caution: despite widespread agreement that password managers make people safer, a small number of financial institutions still prohibit their use for anything to do with their services. It's worth checking whether this applies to any of your accounts.
People often ask whether it's safe to let a browser store passwords. The answer is that it's a lot safer than it used to be but it's worth bearing in mind that browsers are one of the pieces of software most commonly targeted by attackers. And, depending on which browser you use, storing passwords in it may mean they're not synced across different devices.
Protecting your password vault
So what about the password to protect your vault? There are two golden rules; long is strong, and personal is public.
Longer really is better; a few symbols help a little, but length does most of the work. For something as critical as the password that unlocks your password manager, we suggest a minimum of 12 characters. Ideally the result would be truly random - but that means memorising something that is inevitably hard to remember!
As the NCSC recommends, choose three random words, add a number and a symbol, and if the result is 12 characters or longer then guessing it, even offline with a fast cracking rig, takes too long to be practicable. But this is where the second rule comes in. No matter how tempting, don't use personal information, because there's every chance it's already in the public domain.
Birthplaces, pet names, favourite film, first car. These are all pieces of information that are likely to have been stolen in a data breach or can be found on social media.
Adding another factor
Of course, the reality is that passwords are a lousy security measure so we shouldn't rely on them by themselves. Criminals will go to great lengths to persuade you to give up your password and, as you may have experienced, their efforts can be extremely sophisticated. They will send emails which seem to come from your email provider, your bank, your phone company and they only need to be lucky once to get what they want.
If you want to find out the tricks of their trade then read our guide on Phishing, but for the purposes of this guide the important thing is how to protect yourself even if your password is stolen.
If you have online banking you probably already have some sort of device which generates a code or another piece of information which you have to enter before you can access your account. This is called multi-factor or two-factor authentication, or two-step verification, and it is something you should use -- in fact your bank probably insists on it anyway.
Most services now offer multi-factor authentication as an option. It sounds complicated, but in fact is remarkably user-friendly. It involves going to the settings section of an account and selecting two-factor authentication. You will probably be able to choose between using an authenticator app (which shows a one-time code that changes every 30 seconds, computed from a secret the app and the service agreed on when you enrolled) or receiving a code by SMS. The app option is more secure than SMS, because SMS codes can be intercepted, for example through SIM-swap fraud (though SMS is still better than nothing).
It's hardly surprising that people have poor password habits. It's not until something bad happens that the risks become clear, and a combination of care and luck could keep you safe for a long time. But that's a little like leaving the key under your doormat. Why not buy a keysafe and remove the element of chance?
If you want an incentive then consider that you will have made it much more likely someone else will be the victim. Put another way, remember you don't have to outrun the bear. You just have to outrun the person next to you.
The good news is that passwords are finally on their way out. Passkeys are an initiative led by Apple, Google and Microsoft. The idea behind them is to combine something you have (e.g. your phone) with something you are (e.g. your face or fingerprint). When a user registers an account on a website or an app, a new, unique key pair is created. The public key is stored by the website or app; public means it doesn't need protection, because it's useless without the other half of the pair, the private key. That is stored only on the user's device and can only be used once the user has unlocked the device, typically with a fingerprint, face or PIN. At login the site sends a fresh random challenge, the device signs it with the private key, and the site checks the signature with the public key - so there is no shared secret to steal and nothing to type into a fake site. The next few years will see increasing take-up of this solution and, finally, a gradual farewell to widespread use of passwords.
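The exchange just described, as an added example that is not part of the original article and not any vendor's passkey code: a Go model of a device that holds private keys and a site that holds only public keys, using Ed25519 from the standard library. The origins, the user name and the "device unlocked" flag are constructed for the demo, and the signed data is a simplified stand-in for the real FIDO/WebAuthn format; what it keeps is the essential property that the origin is bound into the signature, so a signature made for a look-alike phishing site does not verify at the real one, and a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// authenticator models the user's device: private keys, one per site origin,
// usable only after the user has unlocked it (face/fingerprint/PIN, simplified).
type authenticator struct {
	keys     map[string]ed25519.PrivateKey
	unlocked bool
}

// site models the relying party: it stores only public keys and issues a
// fresh random challenge for every login attempt.
type site struct {
	origin  string
	pubkeys map[string]ed25519.PublicKey
	issued  map[string][]byte
}

func newSite(origin string) *site {
	return &site{origin: origin, pubkeys: map[string]ed25519.PublicKey{}, issued: map[string][]byte{}}
}

// register creates a key pair for this site and hands over only the public half.
func (a *authenticator) register(s *site, user string) error {
	if !a.unlocked {
		return errors.New("device locked")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.keys[s.origin] = priv
	s.pubkeys[user] = pub
	return nil
}

// challenge issues a 32-byte nonce; a signature over it is good for one attempt only.
func (s *site) challenge(user string) ([]byte, error) {
	if _, ok := s.pubkeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[user] = c
	return c, nil
}

// signedData binds the challenge to the origin the device was actually shown.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(origin)))
	h.Write(n[:])
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// sign uses the key registered for the origin in the address bar, if any.
func (a *authenticator) sign(origin string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("device locked")
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential for " + origin)
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// verify checks the signature over (own origin, issued challenge) and consumes the challenge.
func (s *site) verify(user string, sig []byte) bool {
	pub, ok := s.pubkeys[user]
	c, issued := s.issued[user]
	if !ok || !issued {
		return false
	}
	delete(s.issued, user)
	return ed25519.Verify(pub, signedData(s.origin, c), sig)
}

// scenario runs a normal login, a replay of the captured signature, and a
// relay attack through a constructed look-alike origin.
func scenario() (loginOK, replayOK, phishOK bool) {
	device := &authenticator{keys: map[string]ed25519.PrivateKey{}, unlocked: true}
	bank := newSite("https://bank.example")
	phish := newSite("https://bank-login.example") // constructed phishing origin
	if err := device.register(bank, "alice"); err != nil {
		panic(err)
	}
	if err := device.register(phish, "alice"); err != nil { // victim also enrolled at the fake
		panic(err)
	}
	c, _ := bank.challenge("alice")
	sig, _ := device.sign(bank.origin, c)
	loginOK = bank.verify("alice", sig)

	bank.challenge("alice") // new login attempt; attacker replays the old signature
	replayOK = bank.verify("alice", sig)

	c2, _ := bank.challenge("alice") // attacker fetches a real challenge, relays it to the victim
	phishSig, _ := device.sign(phish.origin, c2)
	phishOK = bank.verify("alice", phishSig)
	return
}

func main() {
	login, replay, phish := scenario()
	fmt.Println("genuine login:", login, " replayed signature:", replay, " relayed via phishing site:", phish)
}
```

Note what the bank holds: a public key and nothing else, so a breach of its user database yields nothing an attacker can log in with, which is the contrast with a password hash or a TOTP secret.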
Resources
Facebook's guide
Google's guide
Twofactorauth, a directory of services that offer two-factor authentication
Authy - a recommended authentication app
The NCSC's guide