The first Thursday in May marks World Password Day (May 1st this year). This occasion serves as an important reminder to evaluate the security protecting our online accounts, particularly those linked to our finances.
Managing numerous passwords can be challenging, often leading to the temptation of using easily memorable or repeated credentials. However, for online banking and financial services, having weak or reused passwords can significantly increase vulnerability to unauthorised access.
Fortunately, enhancing your online security need not be overly complex. Drawing upon the latest guidance from the UK’s National Cyber Security Centre (NCSC), the government's authority on cyber security, this article outlines practical and effective measures to better protect your financial accounts online.
Why is it important to have a strong password?
Your online banking login protects access to your sensitive information, including account details, transaction history, and the ability to transfer funds. Should a cybercriminal gain access to your login credentials through a compromised password, the consequences can be severe, including unauthorised financial transactions and potential identity theft.
Alarmingly, the NCSC highlights that millions continue to use highly common passwords like "123456", which can often be compromised almost instantly by attackers. Furthermore, utilising easily guessable information derived from personal details (such as birthdays, pet names, or favourite sports teams) for passwords is strongly advised against.
What makes a strong password?
Previous recommendations often focused on creating complex combinations of uppercase and lowercase letters, numbers, and symbols. Complex passwords are often hard to remember, leading to unsafe practices like writing them down. Additionally, many people use predictable substitutions when creating passwords, making them easy for cybercriminals to guess.
The NCSC now advocates for a simpler yet robust method: creating passwords using three random words.
Strong password examples include OceanDeskPicture or SunnyLadderWindow.
The effectiveness of this approach stems from:
- Length: Using three random words when creating a password will make it much longer. This significantly improves security and makes it far less likely to be guessed by criminals using brute-force methods.
- Unpredictability: A random combination of unrelated words is significantly harder for automated password-cracking tools to guess compared to common phrases or dictionary words.
- Memorability: This approach makes it far easier for people to remember their passwords than complicated, random strings of characters, while still maintaining a strong level of security.
For enhanced security, you might consider incorporating numbers or symbols into your three random words (e.g., Ocean7Desk!Picture), while still prioritising the core principle of random, unrelated word selection.
Secure password best practices: Key recommendations
Good password practices:
- Employ the "Three Random Words" method: Especially for critical accounts like online banking and primary email.
- Ensure passwords are unique: Use a different, strong password for each important online service. This contains the damage if one account is ever compromised.
- Utilise a password manager: Consider using these applications (many reputable options exist, including free versions and those built into modern web browsers like Chrome, Edge, and Safari) to generate and securely store unique, complex passwords. You typically only need to remember one strong 'master' password for the manager itself (using three random words here is also a good strategy).
- Enable Two-Factor Authentication (2FA): This provides a crucial additional security layer (detailed below).
Bad password practices:
- Reuse passwords: Particularly across email, financial services, and other sensitive accounts.
- Use personal information: Avoid easily obtainable details like names, dates of birth, addresses, or family/pet names.
- Use obvious sequences or common words: Such as "123456", "qwerty", or the word "password".
- Make simple character substitutions: Attackers' tools routinely check for common swaps like 'o' to '0' or 's' to '$'.
- Record passwords in easily discoverable locations: Avoid sticky notes or unsecured digital files. A secure password manager negates this need for most passwords.
The website 'Have I Been Pwned?' allows you to check if your email address has been compromised in a data breach. If your email is found, change the passwords for the affected service and any other accounts using the same or similar passwords.
The role of Two-Factor Authentication (2FA)
Implementing an additional layer of security beyond the password is very important for your online security. Even strong passwords can potentially be compromised, for instance, through large-scale data breaches at organisations you interact with. Two-Factor Authentication (2FA), also referred to as Multi-Factor Authentication (MFA) or 2-Step Verification (2SV), helps to minimise this risk.
2FA requires verification from two distinct factors before granting account access. This typically involves:
- Your password (something you know).
- A second factor (something you have), such as:
  - A code sent via SMS to your registered mobile phone.
  - A time-sensitive code generated by an authenticator application (e.g., Google Authenticator, Microsoft Authenticator).
  - Approval via a notification sent to your trusted mobile device.
  - Use of a physical security device, like a bank-issued card reader or a USB security key.
The significance of 2FA lies in its ability to prevent unauthorised access even if your password becomes known to an attacker, as they would still lack the second required authentication factor. The NCSC strongly advises enabling 2FA on all critical online accounts, particularly email and financial services.
While many banking applications mandate 2FA for certain operations, it's important to verify its activation across your other essential online services (e.g., primary email, major retail accounts). Setup typically takes only a few minutes within the account's security settings and provides an added layer of protection.
Recommended actions for World Password Day
Consider taking the following steps this World Password Day to review and improve your account security:
- Evaluate financial account passwords: Ensure they are strong, unique, and not used elsewhere. If necessary, update them using the Three Random Words approach.
- Secure your primary email account: Your primary email account is often pivotal for password recovery on other services. Confirm it is protected by a unique, strong password and that 2FA is enabled.
- Activate 2FA universally: Review other important online accounts (e.g., main shopping sites, social media platforms) and enable 2FA wherever the option is available.
- Check for any potential breaches: The website Have I Been Pwned? allows you to check if your email address has been compromised in a data breach. If your email is found, change the password for the affected service and for any other accounts using the same or similar passwords, following the good password practices above.
Implementing these straightforward measures enhances your control over your online financial security. While individual steps may seem basic, their combined effect significantly strengthens your defences against prevalent online threats and contributes to safer online financial management.
Blog Disclaimer
We do all we can to bring you interesting, practical and valuable information. However, please understand the following:
- Moneyboat.co.uk is in no way connected or affiliated with the applications or affiliate links mentioned in this or any article. We do not receive any commission and are not responsible for any charges that may result from any free trials or paid subscriptions.
- Moneyboat.co.uk does not provide medical advice. This blog is intended for informational purposes only. It is not a substitute for professional medical advice, diagnosis or treatment. Never ignore professional medical advice in seeking treatment because of something you have read on the site. If you think you may have a medical emergency, seek medical advice immediately or dial 999.
- Information and data on this blog are for information purposes only. While we work hard to ensure it is accurate, we cannot accept responsibility for the accuracy, completeness, suitability or validity of any information provided on the blog. We will not be liable for any errors, omissions, losses, injuries or damages arising from its display or use. All information is provided with no warranties and confers no rights.
If you feel that any of the information published on our blog is not accurate, please notify us via email at thecrew@moneyboat.co.uk.