Editorial note: Forbes Advisor Australia may earn revenue from this story in the manner disclosed here. Read our advice disclaimer here.

Be honest. Have you re-used the same password you’ve had since you opened your first email account? Maybe you’re one of millions of people who default to an incredibly easy-to-guess and highly vulnerable password, such as password123.

A global study of popular passwords in 2022 across 30 different countries found the most-used phrases by Aussies were duds like ‘Password’, ‘123456’, ‘qwerty’, ‘work’ and ‘mine’, all of which would take less than a second to crack.

The increasing sophistication of artificial intelligence is making exploiting weak passwords even easier. In 2023, a security team was able to use AI software to crack any kind of 7-character password in under six minutes—even when the passwords had a mix of uppercase and lowercase letters, numbers, and symbols.

Password manager applications offer a better way by simplifying the generation, storage and security of passwords—but how do they work and can you trust them?

What Is the Best Way to Manage Passwords?

Staying on top of password management requires being organised and also introduces more friction into your login experience, which is probably why many of us put off doing something about it. But hacked passwords open the door for criminals to steal your identity—which can lead to serious financial strife and stress.

Cybersecurity expert, executive director at consultancy KordaMentha and current cyber security ambassador for the NSW Government, Tony Vizza, said cyber criminals exploit people’s accounts through weak passwords, which people often re-use across multiple accounts for convenience.

“If one of these passwords is hacked, it means the criminal can use that password on additional services an individual may have, and potentially gain access to other identifying information in those accounts.”

Vizza said using a password manager was worthwhile, and the available software solutions had come a long way in recent years.

“A password generator or manager app is a great way to make sure you have unique, strong passwords for every user account. It will save you a lot of time and effort.

“Consider instances when you may forget a password and must go through the process of changing your password. It’s time consuming and difficult.”

A password manager can help you follow good password practices, which generally include:

  • Ensuring every log-in has a unique password. That way, if one password is compromised by scammers, only one account is affected. Credential stuffing—where fraudsters apply stolen password details across multiple sites using automated bots—is a common way accounts get hacked, including around 35,000 PayPal users in late 2022.
  • Creating complex passwords that mix numbers, letters and symbols, use both uppercase and lowercase, and are at least 14-16 characters long. Use unusual words and never anything personal (like your dog’s name). You might also explore the use of passphrases, which are a string of four or more random words that may be easier to remember.
  • Using multi-factor or two-factor authentication. For instance, when you get sent a unique one-time code (usually via email or text), or use a biometric scan, in addition to your log-in credentials. You might also consider using a security key—an external device you plug into your computer for authentication.
  • Not sharing your password details with anyone you can’t trust 100%. Sharing a password with a spouse who needs to access your bank account on your behalf is a very different scenario to sharing passwords with a random person who calls you (even if they claim to be from your bank).
  • Monitoring and updating passwords: check sites like Have I Been Pwned to see if your email addresses and passwords have appeared in known data breaches, and then update the details for any affected accounts.
  • Being aware of, and alert to, scams. A common way scammers get access to your accounts or devices is through emails, texts and calls where they impersonate legitimate services you’ve signed up for and manipulate you into handing over log-in credentials. Be wary of these.
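As an added illustration of the rules above (not code from the article), here is a small Python checker and generator. The word list, the set of common passwords and the guess rate back-derived from the article's "7 characters in under six minutes" figure are assumptions made for the example.

```python
import secrets
import string

# Constructed word list for passphrases; a real generator would use a large diceware-style list.
WORDS = ["koala", "harbour", "lantern", "cricket", "velvet", "compass", "thistle", "glacier",
         "saddle", "meadow", "copper", "tundra", "whisker", "orchard", "pebble", "summit"]
# Passwords the article names as common, near-instantly guessed choices.
COMMON = {"password", "123456", "qwerty", "work", "mine", "password123"}
MIN_LENGTH = 14           # the article's "at least 14-16 characters"
MIN_PASSPHRASE_WORDS = 4  # the article's "four or more random words"
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable characters
# Assumed guess rate, back-derived from "any 7-character password in under six minutes".
GUESS_RATE = 94 ** 7 / 360

def check_policy(password: str, personal: tuple = ()) -> list[str]:
    """Return the article's rules that the password breaks; an empty list means it passes."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON:
        issues.append("is a widely used password")
    for item in personal:
        if item and item.lower() in password.lower():
            issues.append(f"contains personal detail '{item}'")
    # A passphrase of four or more words passes on length alone; anything else needs all four classes.
    if len(password.split()) < MIN_PASSPHRASE_WORDS:
        classes = {"uppercase": str.isupper, "lowercase": str.islower,
                   "digits": str.isdigit, "symbols": lambda c: c in string.punctuation}
        missing = [name for name, test in classes.items() if not any(test(c) for c in password)]
        if missing:
            issues.append("missing " + ", ".join(missing))
    return issues

def generate_password(length: int = 16) -> str:
    """Password drawn from the CSPRNG, redrawn until every character class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate

def generate_passphrase(words: int = MIN_PASSPHRASE_WORDS) -> str:
    return " ".join(secrets.choice(WORDS) for _ in range(words))

def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination of the given length over the alphabet."""
    return alphabet_size ** length / guesses_per_second
```

Comparing `seconds_to_exhaust(94, 7, GUESS_RATE)` with the 16-character case shows why the length rule matters more than any single character class.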

Vizza warns: “Weak passwords usually contain a dictionary word, which means cyber criminals can use tools that will try different words repeatedly until they find the right one. These tools are so powerful it can take only a matter of seconds before a password is ‘brute forced’.”

“It’s important to consider how much risk is associated with each of your accounts. Accounts that store sensitive information like personal or credit card details should have a strong unique password for each account. Critically, two-factor authentication should be enabled on such accounts.”

Do Passwords Have a Future?

Passkeys offer ‘passwordless’ authentication using a cryptographic key pair: a private key kept securely on your own devices, such as your desktop computer, laptop or mobile phone, and a public key shared with websites and apps.

Essentially, a passkey makes it possible for you to log in to online accounts using the same PIN, password or biometric credential (fingerprint or facial scan) you use to unlock your phone or computer. Apple iPhones enable passkey technology and Google began rolling out passkeys to user accounts in May 2023, but passwords won’t disappear overnight.


“Passwords, pass phrases and passkeys are all barriers to entry and we are likely to have these in one form or another for some time,” according to Vizza.

“The most significant change in the world of identity and access management is the increasing prevalence of two-factor authentication, which is likely to become the minimum standard and is recommended in most cybersecurity industry frameworks.”

How Do Password Managers Work?

Creating and remembering strong, unique passwords for the hundreds of websites, accounts or services you use or subscribe to is a tall order. A password manager application helps you create strong, randomly generated passwords for every account—as well as making it easier to retrieve passwords digitally as you need them.

Password manager applications work by providing a secure platform to generate and store all of your usernames and passwords, which can be retrieved as needed by entering one master password. This way, you only need to worry about remembering one strong password to be in control of every password you’ll need.

Password manager app features to look for include:

  • Random password generator to create strong, unique passwords.
  • Secure storage of an unlimited number of passwords, credit card numbers, bank accounts.
  • Optional 2FA/multi-factor authentication in addition to master password.
  • Family sharing permissions for shared accounts and emergency access.
  • Syncing of stored passwords across all your devices.
  • Auto-filling of form fields when you’re logging in online.

Some password managers also include features designed to help you identify problematic passwords (too weak), or ones likely to have been breached, so you can change them and proactively manage your personal cybersecurity.
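The breach lookup described above can be done without ever sending the password itself: Have I Been Pwned's range API takes only the first five hex characters of the password's SHA-1 hash and returns every matching suffix, so the match happens on your own device. The following Python is an added example, not code from the article or from any password manager; the sample response body and its counts are constructed.

```python
import hashlib
import urllib.request

def split_sha1(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 hex, split into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines; padded responses include real-looking suffixes with count 0."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix] = int(count)
    return counts

def breach_count(password: str, body: str) -> int:
    """How many times the password was seen in breaches, matched locally against the range response."""
    _, suffix = split_sha1(password)
    return parse_range_response(body).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Live lookup (needs network); Add-Padding hides the true number of matches from an observer."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def is_breached(password: str) -> bool:
    """End-to-end check against the live API; only the 5-char prefix leaves the machine."""
    prefix, _ = split_sha1(password)
    return breach_count(password, fetch_range(prefix)) > 0

# Constructed stand-in for a range response (suffixes and counts are made up, not real HIBP data).
_, KNOWN_SUFFIX = split_sha1("password123")
SAMPLE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{KNOWN_SUFFIX}:126927",
    "not a valid line",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",   # padding entry, count 0
])
```

`breach_count(password, SAMPLE_BODY)` exercises the parsing offline; `is_breached` performs the same check against the live service.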

How To Set Up a Password Manager

Like any app, you’ll need to sign up. There are free versions and trials, but to unlock all the features you can expect to pay around $40 to $100 per year depending on how many users need access.

Once you’ve installed an app, you’ll need to:

  • Create a strong and memorable master password;
  • Enable 2FA if you’re using it;
  • Manually input account username and password details for all of the log-ins you want to protect; and
  • Create sharing permissions within your family for commonly shared passwords.

Are Password Managers Safe?

One of the biggest password manager apps, LastPass, suffered a security breach revealed in late 2022 that resulted in data being stolen. Such incidents are rare, but concerning. Password managers apply sophisticated security measures including encryption and zero-trust models.

“As you can imagine, given the nature of these apps, security is front and centre, so these applications encrypt the contents, including your login and password details,” Vizza said.

“The app works like a locked safe for your data. In the unlikely event that the safe is hacked, as happened with LastPass, criminals may gain access to your data, but because that data is encrypted, it’s of no use to them without the decryption key.”


It would be naive to think these apps aren’t a big, flashing target for fraudsters. However, that also means that security is at the heart of how they’re designed and run. Chances are, using such apps is significantly safer than your current efforts to protect your passwords.

Disadvantages of Using a Password Manager

“A potential downside of using a password manager is that it functions as a central location for all your passwords. As such, it represents a prime target for cyber criminals and should be considered a highly sensitive application due to the information it contains,” according to Vizza.

“This means that it requires strong protection, set up by the user, to access. For example, this could be through facial recognition or by using multi-factor authentication.”

Additionally, while password managers are not complex to use, you still need to adopt good habits: use the app’s generator to create strong passwords when you create new accounts, update passwords regularly, and never share your master password.

Are password managers safer than Google Chrome?

Vizza said relying on the convenience of a password stored in your browser might be fine for ‘non-sensitive’ apps.

“However, it’s important to remember that access to the device may not be. If your laptop is lost or stolen, and your browser has all your passwords saved, the criminal will gain easy access to your web-accessed data and accounts simply by gaining access to your browser.”

“Many people choose to balance convenience with the level of risk posed by individual accounts by allowing the browser to remember passwords for low risk accounts, but not high risk accounts such as bank account or government logins, and services that store sensitive data about an individual,” he said.

“For organisations, this is an area where personal and professional use of devices can collide. People using a corporate laptop to access personal accounts can be hacked on a personal account and unwittingly bring that risk into the professional network.”

How to Choose the Best Password Manager

If you’re serious about beefing up your online safety with a password manager, take some time to learn about different products on the market.

“If you do your research into the best commercial applications, their reputations, and the level of security they offer, you can make a good and reasonably informed decision about which one to use,” Vizza recommends.

When you’re comparing different apps consider:

  • Are you comfortable with the security measures the app takes to protect your data?
  • Does it have a good track record: any prior breaches? What was the impact on users?
  • Does it have all the features you need and a good user interface?
  • Does it work on all devices you use, and sync data between devices?

Two apps recently recommended by The New York Times’ product testing and review site are 1Password and Bitwarden.
