Even in a world of face unlocking and fingerprint scanning, we still haven’t escaped the password just yet. They’re still a necessity and they’re still annoying to remember. There are now numerous browser features, third-party tools, and even hardware dongles designed to help keep your login credentials safe and secure. Here’s how to make sure you’re doing passwords right in 2018.
As we’ve explained before, the best passwords are impossible to forget but very difficult to guess, even for someone who knows your dog’s birthday and the name of the first street you lived on. Keep them long, use a mixture of characters, and don’t repeat the same password across multiple accounts (otherwise your entire digital identity could be unlocked in one fell swoop).
Most experts now recommend using a passphrase if you must come up with your own passwords, which means a random collection of words, interspersed with special characters and numbers. Trying to remember a passphrase for every single account isn’t easy though—which is why you need to enlist some help.
Modern-day browsers can not only save your passwords for you—they can recommend new, secure passwords whenever you need to create a new one, and can even warn you when you’re using the same password across multiple accounts.
Case in point: Safari in macOS Mojave. From the Safari menu, choose Preferences, then open the Autofill tab and put a tick next to Usernames and passwords. Click the associated Edit button to see all the passwords Safari has saved so far—you’ll see orange exclamation points next to the accounts that don’t have a unique password, so you might want to get those changed.
If you find yourself on a new sign up page somewhere on the web, you’ll see Safari puts a key icon into the password box. Click this, then pick Suggest New Password to have the browser suggest a password that’s longer and stronger than anything your feeble brain can come up with. If you try entering your own password, Safari will rate its strength.
Safari will typically throw up a load of meaningless characters and numbers, but because it’s doing all the remembering for you, it doesn’t really matter what it is—you just need to accept it and move on.
The latest version of Chrome now does a similar job. You need to have connected a Google account and be syncing all your information to it first—check this by going to Settings from the app menu—and then when you click inside a password box you’ll see a Suggest Strong Password option you can use (if it doesn’t appear, right-click inside the password box and pick Generate password).
As with Safari, it doesn’t really matter what the password is, because Chrome’s going to remember it for you. As yet, the same password-generating features haven’t found their way to other browsers like Mozilla Firefox or Microsoft Edge, but they’ll certainly remember and sync your passwords for you.
A multitude of password managers will do the same job of generating and remembering passwords for you as a browser, but not just on the web and instead across your mobile devices too. They can even be used to store security information that you don’t have to tap into a phone or a laptop—like a bank PIN code, for instance.
These password managers typically install themselves as browser extensions, on the watch for any time a password needs creating or entering, with everything protected by one master password (which you should make sure is as strong as possible). In the case of LastPass, for example, click the browser extension button then Generate Secure Password to create a new password: You even get to set the parameters (like password length), if they need to be specific.
We won’t dive into a full password manager comparison right here, but we’ve found the likes of 1Password, Dashlane, and Keeper to be just as capable as LastPass. Even though browsers are now adding some of the same functionality, a dedicated app often brings with it some useful extras, like secure and protected file storage.
We’ve said it before, and we’ll say it again: Enable two-factor authentication on all the accounts you can. It means that even if someone should get hold of your username and password, that person still can’t access your account—they still need an extra code (typically sent to your phone).
Two-factor authentication isn’t foolproof—every service still needs a backup option if you should lose access to your phone, for example—but having it switched on is much, much better than having it switched off. Once a phone or computer has been recognized, you don’t have to use 2FA every time on that particular device.
Most apps and services deploy two-factor authentication in more or less the same way. For Instagram, for example, you can switch it on here in your web browser: Click Enable Two-Factor Authentication, then follow the prompts on screen. You can also switch two-factor on for your Apple, Google, Microsoft, Facebook, and Twitter accounts, and many more besides.
Some of the biggest, most security-conscious companies on the planet supply their employees with security keys—including Google—because it’s a very useful extra layer of protection on top of your super-strong password. It works like two-factor authentication because another ‘credential’ is required for account access.
However, whereas texted codes can be intercepted by determined hackers, a 2FA dongle is something physical you have on your person. Someone would have to know your username and password and steal your security key device, in order to gain access to your account on a computer you haven’t logged into before.
These keys can work via NFC/Bluetooth or a USB port to prove you are who you say you are, but only some accounts support the tech (Facebook, Dropbox, Google, for example). You can buy keys straight from Google, or pick up alternatives for around $50. Look for the FIDO U2F standard, which is the most commonly used one.
Whether you’re keeping all your passwords in a dedicated password manager tool or just relying on your browser, you then need to make sure access to that program is as secure as possible—so that means protecting your computer with a password for every user account, and protecting the lock screen on your phone too.
Your master password for your laptop or your password manager needs to be long, complicated, completely unguessable and not written down anywhere—otherwise someone else could get straight into all your account credentials at once (see Settings then Passwords in Chrome for a full list of your login details, for example).
With all the password management and account protection options now open to you—many of them free to use—there’s no excuse for not spending a few minutes to get your accounts in order. And if there are accounts or apps you’ve not used in a long while, close them down and disconnect them from the apps you do use.