Features 10.02.2023

Living in ‘Forgot Password’ Hell? Here’s How to Escape

Alex Meehan looks at ways to crack the password conundrum

The average person is expected to have nearly one hundred unique and complex passwords swimming about in their head, ready to be recalled and input whenever needed. Rain Man aside, it’s just not feasible.

Have you seen Michael McIntyre’s comedy sketch about passwords? If you haven’t, it’s well worth a watch; who knew cybersecurity could be so hilarious? As is often the case with observational comedy, it’s funny because it’s true. He details the evolution of most people’s password creation technique; how everyone started with one “special word”, and as websites began to require stronger passwords, the entire population obliged by first adding a capital letter, then the number one, and then an exclamation mark. Again, it’s funny because it’s true.

Surveys show most people use the same passwords for all their digital needs, recycling and reusing them in different apps, online shopping sites and work systems.

Research has shown that the average person has between 70 and 80 passwords to remember at any given time. So is it any wonder that many stop trying to create and remember unique passwords?

Tired passwords

Cybersecurity experts regularly publish reports saying that the most popular passwords continue to be ‘password’, ‘123456’, and ‘qwerty’. It’s crazy, but it’s true. There’s even a term for this phenomenon – password fatigue – and it has consequences.

In 2019, the UK’s National Cyber Security Centre (NCSC) published an analysis of the 100,000 most used passwords online, showing that a huge number of security breaches were fundamentally a consequence of easily-guessed passwords.

While people know that using long and complicated passwords – and changing them regularly – is the best way to keep their accounts safe online, the reality is that most just can’t, or don’t, do it. A LastPass survey in 2021 (based on 3,750 people across seven countries) found that 65% of people always or mostly use the same password across multiple accounts.

“Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band,” says Dr Ian Levy, technical director of the NCSC.

“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

Security experts recommend regularly changing passwords, using unique passwords for each service and using mitigation factors like two-factor authentication. But with the average person living more of their life online than ever before, it can be quite a challenge to do this.


Enter the password manager. We’re cautious of the word ‘solution’ over-promising and under-delivering, but password managers are arguably just that. So how do they work? Think of a password manager as software that follows you around the internet, remembering your passwords. They are recommended by the NCSC and range in sophistication depending on what you need them to do.

If you’re using a modern operating system on any reasonably recent laptop, tablet or smartphone, the odds are you already have one.

Built-in password management

How it works: Many tech providers offer built-in credential management with their products. For example, all Apple devices come complete with a Keychain Access app that stores passwords and account information for apps and websites to make them available on all devices logged into Apple’s iCloud system.

Pros: In addition to storing and mirroring passwords, Keychain can also suggest so-called ‘strong’ passwords that are eight or more characters long, including upper and lower case letters and at least one number. Similar systems exist for Android, Windows and other platforms, showing just how big an issue privacy and security are to consumers and businesses alike.

Cons: For many casual technology users, these systems can offer enough functionality to mitigate at least some of the risks involved in moving around the internet. However, people with more complex needs can find that these on their own aren’t enough.

Browser-based password management

How it works: Web browsers such as Google Chrome, Safari, Firefox and Opera all have their own password management functions built in. Every time you visit a new website that requires you to log in, these browsers will automatically offer to generate a random password and then save it for you.

Pros: The next time you visit, it’ll autofill the web form, so you don’t need to remember your login details. Also, if you use the same browser on your main computer and your mobile device, then details will be shared between the two.

Cons: For many casual technology users, these systems can offer enough functionality to mitigate at least some of the risks involved in moving around the internet. However, people with more complex needs can find that these on their own aren’t enough.

Also, passwords saved at the browser level aren’t accessible to other browsers you might want to use, adding a layer of complexity.

There’s a special place in hell for the ‘Forgot password’ process

Third-party password managers

How it works: If you already have access to free system-level built-in and free browser-based password managers, why look at a third-party option you’ll have to pay for? While these other solutions do a great job and will probably suffice for most people, there are some things they can’t do that third-party products can.

The big tech companies would prefer their customers only to use their products, but in reality, many people own and use multiple devices that cross platforms for work and personal use. For example, they use Windows PCs at work, Android smartphones for personal use and iPads at the weekend.

They have individual preferences, and only independently-made password managers can completely cover all their needs. A third-party password manager allows you to use one piece of software to make your passwords available across Mac, Android, Windows and iOS platforms, with all your information available in any place through the cloud.

Pros: It’s often worth paying a monthly fee to have access to a single password management platform that can work across all these and reduce your security headache. Additionally, third-party software will often do a lot more for the fee than just generate and remember passwords.

Good systems offer multi-factor authentication and security auditing, which means they will assess the quality of your passwords and make suggestions to improve them. They have resilient master-password protection to prevent you from getting locked out, and they keep track of online accounts you use to let you know if you haven’t used one in a while.

Dormant accounts are a security hazard and are best deleted if they’re not actively being used. Likewise, third-party systems often come with other useful functions, such as built-in virtual private network (VPN) functionality that can help mask your activities online from anyone trying to track them.
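
A minimal sketch of the kind of security audit described above, as an added example (not code from the article or from any password manager product): it flags passwords on the most-used list, exact reuse across accounts, and variants of one base word with a capital, digit or symbol tacked on. The vault contents, account names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Most-used passwords named in the article (constructed mini-list; a real
# audit would use a far longer list, such as the NCSC's 100,000 entries).
COMMON = {"password", "123456", "qwerty"}

def base_word(pw: str) -> str:
    """Lowercase and strip trailing digits/symbols, so 'Rover', 'rover1'
    and 'Rover1!' all reduce to the same 'special word'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def audit(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return a list of findings per account: 'common', 'reused', 'variant'."""
    by_exact = defaultdict(list)
    by_base = defaultdict(list)
    for account, pw in vault.items():
        by_exact[pw].append(account)
        by_base[base_word(pw)].append(account)

    findings = {}
    for account, pw in vault.items():
        issues = []
        base = base_word(pw)
        if pw.lower() in COMMON or base in COMMON:
            issues.append("common")
        if len(by_exact[pw]) > 1:
            issues.append("reused")      # identical password elsewhere
        elif base and len(by_base[base]) > 1:
            issues.append("variant")     # same base word, different suffix
        findings[account] = issues
    return findings

# Constructed sample vault (hypothetical accounts and passwords).
SAMPLE_VAULT = {
    "shop": "Rover1!",
    "email": "rover1",
    "bank": "Rover1!",
    "forum": "qwerty",
    "work": "copper-kettle-orbit",
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_VAULT).items():
        print(f"{account:6} {', '.join(issues) or 'ok'}")
```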

Crucially, they also have back-end staff dedicated to keeping their systems up to date and current. This means that if an app or service you have used at some time on the web is subject to a data breach, and your login credentials are compromised, you’ll be notified and will have the chance to change any exposed passwords.

Cons: You’ll have to pay. Although many are very reasonable.

Online security is a complex and growing area, much like technology and the internet in general, and as of right now, there is no perfect way to stay entirely safe. However, investing zero effort to improve your security profile will have consequences. Doing something is always better than doing nothing.

Our editor, Eleanor Dallaway, has another tip for secure passwords: If you can’t (or don’t want to) invest in a third-party password manager, an alternative methodology is to choose one reasonably complex memorable password – combining a word, upper and lower case, and a number or special character – and then make it unique to each different account. You can do this by choosing a formula such as ‘add the first two letters of the account name, as an upper-case then a lower-case letter, after the core password’, for example. To demonstrate, if your core password was T1tan1c1912* and you were registering an account with Amazon, your password would be ‘T1tan1c1912*Am’. “This ensures you have unique (but memorable) passwords for multiple accounts,” she says.

 
