How to manage your passwords safely

Tips for password creation and how to manage all your accounts securely
Avoid keeping a list of passwords in unprotected documents, text files or spreadsheets on your device
A simple method to create memorable complex passwords is by taking a line from your favourite song

Nowadays one needs accounts for just about everything, from making simple purchases of study books, accessing the student portal, researching resources for your dissertation, not to mention all of your social media and shopping accounts. Then there follows the nuisance of creating an endless variety of passwords for your panoply of accounts.

If you find this exasperating we point you along the way to nurture a healthy practice for password protocol and how to keep on top of it all with a password manager. This may help you avoid meltdown if you lose your mobile or tablet where all your passwords are stored in an unprotected document or file.

In today’s virtual world passwords are not an ideal way of securing systems, but this method will be here for a while longer. As we move many functions online, a good starting point is cultivating the practice of creating complex passwords of at least eight characters or more. These should contain numbers, symbols and a mix of lower and upper case letters.

Weak passwords can be cracked easily, akin to leaving your front door unlocked. Hackers can install scanning software to run endless variations of words and possibilities to crack this example ‘kittens123’.

A simple method to create memorable, complex passwords is by taking a line from your favourite song. Use the first letters of each word, numbers of your best friend’s birthday, and mix that in with symbols you like.

Other safe tips to be aware of are:

  • not to share passwords between people or systems
  • don’t do your banking on shared computers or laptops
  • take care using your mobile with free Wi-Fi in cafés, banking is not safe
  • do not write your password on post-it notes or store in an unsecured memo on your mobile
  • do not keep a list in unprotected documents, text files or spreadsheets on your laptop
  • avoid using the same password on multiple websites, you can expose all of your accounts in one go.A student using Wi-Fi safely

Tips for strong passwords:

  • at least eight characters or more
  • contain a mix of four different types of characters: upper/lower case letters, numbers and special characters like */”&
  • if you only have one special character in your password don’t make it the first or last character in your password i.e. aGdQl01@
  • your password shouldn’t be a name or word in any language in the dictionary
  • your password should not include any part of your name, address or date of birth
  • you can keep a hint of your password but don’t include any related services or websites linked to it
  • use a different password for every service or website.

Password managers

According to research by Dashlane, most of us have the general ability to remember up to 10 passwords and those with exceptional memory could possibly recall up to 20. Currently, Dashlane has close to 3 million users with an average between 50 and 60 different online accounts each. Many of us would have trouble linking our passwords to so many accounts.

A solution to all is to use a reputable password manager. It allows you to store multiple passwords in encrypted form so you don’t have to remember them. You can access all your passwords using one strong master password. A password manager should be able to work across all your Windows, Mac, Android and iOS devices.

The best password managers give you an option to sync or keep passwords local only. Some have no web or online components at all. Most of them audit all your passwords ensuring you are not using them over several accounts.

Password managers do offer safety over all devices and if you lose a device you can remove it from your trusted list of devices to lock out any possible access by a thief.

Before you decide on using a password manger, do some research. Wired mentioned one of the most popular free password manager apps, LastPass, got hacked near the beginning of 2016.

Next we will take a quick look at four decent password managers to give you a brief idea what to look for.

LastPass – a well-rounded, popular manager. You can store info locally or online and manage all your devices and computers. LastPass will sign into all of your online accounts for you and also sync across every browser and device.

Access by signing up with an email account and create a strong master password which only you can use to access your information in your encrypted vault. LastPass uses AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes which ensures complete security in the cloud. (According to Wikipedia, in cryptography salt is random data which is used in a one way function that “hashes” a password or passphrase.)

To try it out, download a free trial version on any device, or use Premium currently $12 [US] per year for unlimited sync across all devices. The Enterprise version is useful for organisations using teams of all sizes to work securely as a group on projects.

Dashlane – good looking and simple to use and you can get the App for free on any one device use. Has an easy auto-login, manages all your passwords in one place.

Dashlane uses two factor authentication, with the ability to change multi passwords for up to 500 websites. You generate strong new passwords and save them in your vault. This manager is also useful for complex logins where there are two steps or three fields to enter info. No clicks or keystrokes are required. Dashlane will notify you if a site is hacked or of any security breach alerts. It is available in full support in the following languages: English, French, Spanish, German, Japanese, Portuguese and Italian.

KeePass – this is a free, open source password manager where passwords are stored in highly encrypted databases using the most secure encryption algorithms of AES and Twofish. You control your access with one master password to manage all in a secure way. You can also configure KeePass to share access with privileged users. KeePass has auto-type functionality to login to applications or password prompt that you would otherwise have to copy/paste a password into. KeePass does not automatically put your password database in the cloud. It is available as an app and a plus is offline access.Sticky Password logo

Sticky Password - similar to LastPass and Dashlane. You can download to desktop or use the app and sync across all your devices.  You have to subscribe to Sticky Password’s service for cloud syncing as it stores an encrypted copy of your data in the cloud. You don’t have to use the cloud if you are uncomfortable with that and you can use local Wi-Fi so your encrypted data does not leave your devices at all. Sticky Password has a handy biometric tool so you can use your fingerprint on your mobile device to authenticate identity. It is available as a free version with less options, to annual Premium version and also a one off fee for a lifetime license.

More information

If you are interested in a career in cyber security skills for senior or management level careers, our MSc Information Security programme covers both the technical and management aspects of cyber security and advanced cryptography.

Academic direction is by Royal Holloway, University of London which is recognised for its world-class research in cyber security. The Information Security Group (ISG) draws on 25 years of security research and is a government recognised academic centre of excellence in the UK.