Bad habits
In 2024, people averaged 170 logins for personal use. Add to that another 80 or 90 logins for use at work. That’s a lot of passwords.
Passwords are intended to protect your personal data. But we aren’t always very good at setting our passwords. For example, we make it easy for hackers when we have one strong password but use it for all our logins; 91% of all passwords found in data breaches are weak or reused.
Securing your email password is really important, since it often acts as a gateway to other services. For example, if a hacker can get control of your email they can reset passwords for other services.
Change your weak passwords
Common examples of weak passwords are: 123456, admin, and password123. In 2024, the password 123456 was still reported as the most commonly used password in Italy! Check how many times the password 123456 has been hacked on Have I been pwned.
Have I been pwned was created by security expert Troy Hunt and is very useful for checking for data breaches across domains, email addresses or specific passwords. It also offers a notification service that will alert you if your email address is ever detected in a breach.
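The password check above can also be done programmatically without sending the password itself anywhere. As an added example (not code from the original post or from Have I been pwned), the script below uses the service's Pwned Passwords range API: only the first 5 hex characters of the password's SHA-1 hash are sent, and the rest of the hash is compared locally against the returned list. The sample response body and its counts are constructed for offline illustration, not real breach data.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 (upper-case hex) and split it into the
    5-character prefix that is sent to the service and the 35-character
    suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_body(suffix: str, body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return how
    many times the matching suffix was seen in breaches, or 0 if absent."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Download the range for a 5-character prefix (requires network)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, body: Optional[str] = None) -> int:
    """Return the breach count for the password; fetches the range unless a
    response body is supplied (used here for offline testing)."""
    prefix, suffix = split_sha1(password)
    if body is None:
        body = fetch_range(prefix)
    return count_in_range_body(suffix, body)


# Constructed sample response for prefix 7C4A8 (SHA-1 of "123456" starts
# with 7C4A8). The other lines and all counts are made up for illustration.
SAMPLE_BODY = """0000000000000000000000000000000000A:2
D09CA3762AF61E59520943DC26494F8941B:1234567
0000000000000000000000000000000000B:1
"""

if __name__ == "__main__":
    prefix, _ = split_sha1("123456")
    print(f"only the prefix {prefix} is sent to the service")
    print(f"offline sample: '123456' seen {pwned_count('123456', SAMPLE_BODY)} times")
```

Call pwned_count with no body to query the live service; a count of 0 means the hash suffix was not in the returned range.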
In the UK, 60% of people use passwords that can be easily guessed. If you use weak passwords like 123456, we strongly recommend that you change them as soon as possible.
How weak is your password? Visit the Bitwarden website and enter an example password to see how easily it can be cracked.
Don’t use complexity rules
Unfortunately, when setting passwords, we are often subject to complexity rules. Complexity rules require your password to contain capital letters, lower case letters, numbers and symbols. These rules can make passwords very hard to remember and enter manually.
The National Cyber Security Centre (NCSC) recommends websites should not use complexity rules, since they make it harder for people to set passwords and don’t necessarily increase security.
However, if a website enforces complexity rules there’s little you can do about it. This is where password managers can help by creating complex passwords for you (see below).
Use long passwords
Strong passwords don’t need to have special characters, numbers, or capital letters. They just need to be long. A 12-character password can take 62 trillion times longer to crack than a 6-character password.
Best practices for setting a password:
- Use 3 or more random words. This is also easier to remember if you need to memorise a password
- Use real words as they are easier to remember
- Use a minimum of 12 characters
A good example of a memorable, long password is: aims-bolted-drawings
A password management tool will help
It’s very difficult, if not impossible, to memorise all the passwords you need for day-to-day life.
A password management tool is a piece of software or an app that manages password creation and storage for you.
There are many management tools available, both commercially and free, and many devices have password managers built in, as do most modern web browsers. At Studio 24, we use 1Password.
Password managers work across all devices and operating systems. You can use a browser plugin so you don’t have to store passwords in your browser.
You can use a password manager to create unique, strong passwords for you. They can also alert you if you are using a weak password, if you’re visiting an unsecured website, or if there are duplicate logins.
You will need to remember at least one password to unlock your password manager. We recommend you use the 3 random words approach to create a strong, memorable password.
Set up two factor authentication (2FA)
You can add another level of security to your passwords by using 2FA – which is when you use a password with an additional one-time password. 2FA can be provided via authentication tools or SMS to a mobile device. The NCSC has guidance on how to set up 2FA.
It’s very important to add 2FA for admin-level access on any services, your password management tool and your email account. The absence of 2FA is one of the most common causes of social media accounts being compromised.
Secure web development
We’ve helped many clients improve security on their websites:
- Securing student and institution data for RNIB Bookshare.
- Collecting and securely storing personal data for the NHS during the Covid pandemic.
- Managing a data exchange between a CMS and Salesforce for Crown Commercial Service.
- Protecting personal data in an online consultation for Heathrow Airport.
Chat to us about making your website or digital service more secure.
