Hopefully one day soon passwords will become obsolete, but until then they're the main system we use to identify ourselves. As criminals become bolder and computers more powerful, advice about passwords has become more complex.
The three golden rules are:
- Make your password long and complicated
- Use a different password for every system
- Use two-factor authentication wherever you can
In my experience most people do a reasonable job of the first rule, a few follow the second, and only IT geeks even understand what the third rule means.
Today I'm going to guide you through all three. They're not as complicated as they look and by the end, you'll never have to type in or remember a password ever again.
Generating and managing strong, unique passwords
The two problems for most people are creating complicated passwords and remembering them, which is why everyone uses their oldest child's name and birthday as their password for everything. You can pay for secure password management systems if you're managing thousands of passwords across a team, but if it's just for you then there's a much simpler way using Google Chrome.
Chrome has a built-in password manager that auto-fills your passwords across your devices and also suggests strong passwords when you sign up on a new website. Simply sign in with your Google account and ensure that sync is turned on.
Now when you sign into a website, a pop-up box in the top right will ask if you want to save your password:
Click Save and it will be stored in Chrome's password manager. The next time you come to the website the login boxes will have a blue background and your details pre-filled:
The next step is a little more involved because you need to set unique passwords for every account you already have. Make it a habit: every time you sign in to a website where you haven't yet changed your password, go to its account settings page and reset the password to something complicated (bookmark this page which generates strong passwords).
Then when you submit the password change, Chrome will pop up a message asking if you want to update your password like this:
Finally, when you sign up for an account at a new website, click into the password field and Chrome should suggest a password and store it automatically, so you don't need to remember it.
Ta-da! Steps one and two complete. Have a cup of tea and a biscuit, and come back in a minute to read about two-factor authentication.
If you're going to use your Google account to store all your passwords, you need to make sure that your Google account itself is secure, by setting a strong password and enabling two-factor authentication.
Two-factor authentication (also called 2FA) means using something you know and something you have to log into a system. A great example is using a cash machine: you need to have the card and know the PIN to make money come out of the hole. Most major websites now offer a digital version of this, either using free apps like Google Authenticator or by sending a code to your phone. The Authenticator app gives you a passcode that changes periodically, which proves to the website that you've got your phone in your hand.
Here's how to get started:
1. Install the Authenticator app for Android or iPhone.
2. Go to your favourite website and find the security section about two-factor authentication. Here are links for some of the larger sites:
- Google - do this one first!
- Amazon UK
- Bing (just kidding, no-one uses Bing)
3. Open the Authenticator app, click the big red add button at the bottom, then hit Scan a barcode.
4. Hold your camera up to the QR code on the website, as shown in the example below from the Amazon website:
5. The app will add a new entry for this website and generate a new six-digit code every minute. Enter the code generated into the verification field on the website to enable two-factor authentication on your account, and you're done.
Other kinds of two-factor authentication
Some websites offer a different kind of two-factor authentication where they send you a text message each time you log in. This is fine but relies on you having a mobile signal when you log in. Here are links to some websites for setting that up:
That wasn't so complicated, was it? Good security online is way more important than it used to be, and it's also a lot easier to set up. If you're unsure, try setting up one or two websites with your browser's password manager and enabling two-factor authentication. After a couple of weeks, you'll see the benefit!