In April 2019, the United Kingdom’s National Cyber Security Centre (NCSC) in collaboration with Troy Hunt, an Australian Microsoft Regional Director and Microsoft Most Valuable Professional awardee for Developer Security, published a list of the top 100,000 most-used passwords on the internet.
The list came with a warning: “If you see a password that you use in this list you should change it immediately.” At the top of the list, the world’s most used password: 123456. According to statistics on data breaches that Hunt has collected, that password has been used about 23 million times.
Besides being a sought-after speaker and authority on cyber security, Hunt is also the creator of the website Have I Been Pwned (HIBP). On the site, users can type in their email addresses to find out if they have been compromised as part of a past data breach.
For example, we tested it and found that this writer’s personal email address of the past decade had been compromised in at least 11 data breaches in the past eight years. This was primarily due to hacked sites where it had been used to subscribe, including the 2013 Adobe data breach where 153 million accounts were compromised, the 2013 Tumblr breach where more than 65 million were exposed, and the more recent 2018 breach of the MyFitnessPal app where 144 million usernames and passwords were exposed.
As the examples above illustrate, not every data breach results in harm to the victims, and individual users are often unaware that they were affected at all unless they check on sites such as HIBP. However, as we have seen repeatedly, whether through hacked social media accounts, email accounts, or phishing scams, data breaches can have catastrophic consequences for both individual users and organisations. Yet there are fairly simple steps we can all take to protect ourselves from individual attacks as well as mass-scale data breaches of the websites and apps we subscribe to.
The NCSC and other cyber security organisations stress the importance of multi-factor authentication for all online accounts, especially email. With multi-factor authentication, logging in to your accounts, especially on devices other than your own, requires both the password and a second factor: either a code texted to your cell number, or a code from an authenticator app.
“The bad guys have got really good at compromising passwords and they have a lot of tools at their disposal. Using a separate password for every service protects you against some of these, but not all, and it’s impossible for someone to do this across all their passwords without help of some kind. Multi-factor authentication (MFA), on the other hand, buys a lot of additional security for relatively little pain, and this is always going to be a good thing,” writes the NCSC.
Two-factor authentication is widely available on some of the most used services, such as Gmail, and on social media sites such as Facebook, Twitter, Instagram and WhatsApp. However, it is often not the default setting. Users have to go to the security settings of the app to enable it, which we found usually takes less than a minute.
Avoid using the same password or version of the same password
It is important to create a strong password for each of your accounts. One way the NCSC recommends is by combining three random words. Numbers and symbols can also be used with the password:
“Be creative and use words memorable to you, so that people can’t guess your password. Your social media accounts can give away vital clues about yourself so don’t use words such as your child’s name or favourite sports team which are easy for people to guess. Cyber criminals are very smart and know many of the simple substitutions we use such as ‘Pa55word!’ which utilises symbols to replace letters.”
In addition, they recommend never using information such as your current partner’s name, other family members’ names, pet names, place of birth, or favourite holiday.
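To make the two pieces of NCSC advice above concrete, here is an added Python example (not code from the article, the NCSC or Troy Hunt) that generates a three-random-words passphrase with a cryptographic random source, estimates its strength, and checks a candidate password against a block list in a way that also catches simple substitutions such as ‘Pa55word!’. The word list and the block list are small constructed stand-ins; a real deployment would use a dictionary of thousands of words and the full top-100,000 list.

```python
import math
import secrets
import string

# Constructed stand-in for the published top-100,000 list (tiny here, for illustration).
TOP_PASSWORDS = {"123456", "password", "qwerty", "12345678", "iloveyou", "letmein"}

# Letter substitutions the NCSC quote warns about: 'Pa55word!' is still 'password'.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed mini word list for the three-random-words technique.
WORDS = ["coffee", "trombone", "meadow", "anchor", "lantern", "pixel", "violet", "harbour",
         "cactus", "ember", "saddle", "walrus", "nimbus", "quartz", "orchid", "tundra"]


def normalise(password: str) -> str:
    """Strip trailing digits/symbols, undo common substitutions and lower-case,
    so that variants of a breached password are caught, not only the exact string."""
    base = password.rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP).lower()


def is_weak(password: str) -> bool:
    """True if the password, or its de-substituted base form, is on the block list."""
    return password.lower() in TOP_PASSWORDS or normalise(password) in TOP_PASSWORDS


def three_random_words(wordlist=WORDS, n: int = 3, sep: str = "") -> str:
    """NCSC-style passphrase: n words drawn with the secrets module (CSPRNG),
    never with random.random, which is predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n))


def passphrase_entropy_bits(wordlist_size: int, n: int = 3) -> float:
    """Entropy of n words chosen uniformly from a list of the given size: n * log2(size).
    Three words from a 16-word list give only 12 bits; from 7,776 words, about 38.8 bits."""
    return n * math.log2(wordlist_size)


def check_password(password: str, min_length: int = 12) -> list:
    """Return the policy problems found for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if is_weak(password):
        problems.append("on the block list (directly or via a simple substitution)")
    return problems
```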
Keep your software updated
Another important recommendation is to always keep your apps up to date, as these updates often come with security updates in response to previous attempts by cyber criminals. Do not ignore software update notifications on your devices.
Use a password manager
According to research from password manager software company NordPass, the average user has to remember some 70-80 passwords for different accounts. Even if that number sounds high, and you in fact have only 20 accounts across your bank, email, streaming subscriptions and social media that require passwords, that is still a lot to remember, especially if each one is unique and strong. One solution recommended by the likes of Troy Hunt and other cyber security organisations is the use of a password manager.
“Password managers don’t have to be perfect, they just have to be better than not having one,” writes Hunt.
Good password managers will generate as well as store strong passwords for you. This means that you only have to remember one password: the master password you use for the password manager itself. That one password must still be a strong one. Based on research and testing, below are some of our recommended password managers. All of them store only encrypted data and do not hold your encryption key. This means that they effectively never see your passwords, so even if the provider were compromised, attackers would obtain only the encrypted data and not your passwords.
Password managers do not necessarily come as one size fits all. They have different features depending on your needs. Some features are free while some are paid. While we have only listed three below that cover a fairly wide range of needs, there are numerous others that might be worth checking out for you:
LastPass is one of the most popular password managers out there, and will work across desktop as well as mobile devices. They offer a free plan, a premium plan, as well as a family plan for up to six users. In addition, the premium and family plans offer one gigabyte of encrypted storage for sensitive documents, and priority tech support, among other features.
Pricing: Free, and $36 a year for the premium version. One month free trial available.
In addition to being a password manager, 1Password also works as an authenticator app for additional security. It will also work across your devices, both desktop and mobile. It is not quite as slick looking as some others on this list, and while it does have a free one-month trial, there is no free plan. 1Password offers individual as well as family plans.
Pricing: $35.88-$59.88 per year. Alternatively, $3.99-$6.99 per month. One month free trial available.
Although more expensive, Dashlane offers, in addition to the standard password manager features, extras such as Site Breach Alerts, which constantly monitor the web for leaked or stolen personal data and alert you when your data turns up in a breach. It also includes VPN functionality.
Pricing: Free, $39.99 per year for individual plan, and $59.99 per year for family plan.
Daily Maverick © All rights reserved