How secure is my password? Which? Computing editor explains the dos and don'ts

It was only in October 2019 that we uncovered a raft of wireless security cameras found for sale on Amazon to be riddled with security flaws.

The unfortunate news is security compromises are only likely to increase as more digital products and services are launched and become commonplace in our lives.

And while being hacked is sometimes completely out of our control - for example because a company's data system is hacked and personal details are stolen - there are steps we can all take to further safeguard ourselves online.

I caught up with Which? Computing editor Kate Bevan to get some tips on what you can do to protect your digital life when it comes to passwords.

See how an antivirus software package could keep you safe online.

How do passwords get hacked?

There are several ways passwords get compromised. The first is having a weak password that people can guess - that's why we advise against using things like your pet's name or the name of your football team.

The second is using a word that's easy to crack, even if it's not a word someone would associate with you. Scammers use what are known as 'rainbow tables' - lists of words and common passwords with their encrypted equivalents, or 'hashes' - to run what's known as 'brute-force' attacks on websites. This is why security experts recommend using unique passwords rather than words you can find in the dictionary.

The third is when passwords are stolen in data breaches: there are lists of passwords and email addresses for sale on the dark web. If you received an email from someone containing a password you have used and threatening to expose your porn habits unless you pay up a ransom in bitcoin, that's how they got that password. If a hacker has an email address linked to a working password, they will try that combination on other websites too. This is why we recommend not using the same password on different websites.

What is a weak password and why are they an issue?

A weak password is one that can be easily cracked or guessed, or one that you've used on other websites. So that's something people know or can discover easily about you, such as your cat's name, your date of birth or your mother's maiden name, or a single word that's found in a dictionary. They're an issue because they don't protect your accounts.

What's the anatomy of a strong password?

A strong password is a unique password. That can be either something completely random, such as Q2!ekr?@Z, or three unrelated words strung together, such as RocketUmbrellaKitten. The first is functionally impossible to crack and won't be in the rainbow tables that hackers buy on the dark web, and the second, although comprising known dictionary words, is made much more difficult to guess and crack thanks to the joining of random words. We've got more detailed advice on creating strong passwords here.

How can I create a memorable password?

There are lots of systems people use for creating memorable passwords, such as using the same base password and adjusting it per website. For example, you could use WaterBottle as your base password, and then add prefixes and suffixes for each website (so you might end up with, say, GWaterBottleMail for Gmail). However, we don't recommend this, as once someone has your base password, they can probably work out your system and thus hack into all your accounts.

If you need a password you can remember - rather than a random string of characters - we recommend using the three-unrelated-words method. It's easy to remember RocketUmbrellaKitten and yet that would be very difficult to crack.

What is two-factor authentication (2FA)?

Two-factor authentication adds an extra layer of security to your online accounts and is offered by services such as Google Mail.

As the name suggests, it uses two ways to check whether it's the true account holder logging into the online account. The two sources of verification usually combine the primary way of logging in via a web browser with a secondary source, which could be your smartphone. The service you're logging into could either send an SMS with a unique code to the stored number in the account, which you'll need to type into a special field in the web browser to verify it's you. Or it might send a push notification asking if you're trying to log in, where you can say yes or no.

Should you use different passwords for different logins?

Yes.

Should I change my passwords periodically and if so, how often?

No. That used to be the advice, but we now know that people tend to cycle increasingly weak passwords if they're forced to change them regularly. Best practice now is to have a strong password and only change it if you think it's been compromised in some way.

Is there a safe way to store my passwords?

Yes - a password manager. That's software that stores your passwords safely - usually by encrypting them - and offers other functions such as generating random passwords, filling them in on websites or the ability to add secure notes. I use LastPass, but others are available.

Browsers will store passwords for you, but malware that can steal them exists, so be aware if you do decide to use your browser's password manager that your passwords are potentially at risk.

If you've got an Apple computer, you could use its Keychain app, which is a good, secure way to store passwords. You can set that up to store your passwords securely in the cloud so that you can access them from other Apple devices.

Some antivirus packages also offer password managers, which are a good option. Be aware, though, that if you change to another antivirus package you might not be able to export your passwords from your old software.

We've also seen people keep a notebook of their passwords. Some people mock that, but a notebook of good passwords is better than using the same weak password on every website. Just make sure if you do decide to use a notebook that you lock it away in a drawer if other people have access to your home.

Should I give my passwords out over the phone if I'm asked?

No, never. Nobody reputable or legitimate will ever ask you for your full password, either over the phone, in an email or even in a face to face conversation.

Your bank or utilities provider may ask for certain characters of your password, for example, but that's it.