In my opinion, the best film about hacking is not, as you might presume, the 1995 film Hackers but the 1992 Robert Redford film Sneakers. Amongst other lines, it has Stephen Tobolowsky uttering the phrase “My voice is my passport, verify me”.
What’s excellent about the film is that, even for its time, it doesn’t lean into science fiction (with the exception of a voice-controlled door). It uses social engineering to get a senior, but well-meaning, engineer to hand over their password to the facility – in this case, a recording of their voice.
We don’t allow either Hollywood blockbusters or science fiction to influence our analysis of computer security. But we do dream of a future without passwords – where trust between devices can be established, authentication can be attested, and identity becomes truly just something you are, not something you can pretend to be.
We aren’t quite at that point yet. Instead, to keep your data safe there are three things you need: a strong password, multiple different ones for each login, and a password manager to store all of them.
But why do we use typed passwords?
Initially, we had ruled out the idea of using our voice as a password. It seemed too risky and far-fetched.
And yet here we are in an era of Alexa and Siri, where voice commands certainly do seem to be working – put my lights on, change the radio, etc. But when it comes to access and tasks that require authentication, that’s a different story.
Face identification and biometric identification are getting better. But for a lot of applications and websites, the authentication is still remote. Of course, you know who you are, but how does a computer? When it comes to this, typed passwords still win out.
Passwords should be unguessable
The first rule of setting a password is that it should be unguessable, and that includes being unguessable by people who know things about you.
It’s pretty easy for a stranger to work out your birthday, perhaps how many children you have, or your pet’s name. All this information is normally shared across social media, which makes passwords based on it easier to guess.
The problem with using random numbers and letters – which, as you might guess, are harder to guess – is that they are also harder to remember. When it comes to a strong, unguessable password, one way to do it is to pick three or four unconnected words and a number.
When it comes to remembering it, there is a technique for that too. The easiest way is to think of a few items, objects, or feelings, and then work that into a little story. So I might, for instance, think of my favourite book (Harry Potter), my favourite band (Coldplay), a town I drove through recently (Wroxham), and an emotion. Then, I put those words into my password with a number, for added security.
And to remember it:
“I nipped to ROYS of Wroxham to buy a WAND for the fancy dress party. At the party, they played YELLOW by Coldplay, and it made me HAPPY”
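As an added example (not from the original post), this script builds a passphrase in the style described above, four distinct words plus a number, and compares its entropy with that of a short random-character password. The word list is a constructed sample; the entropy figures assume a real list of 7,776 words.

```python
import math
import secrets

# Constructed sample word list for the demonstration; a real list (a
# diceware-style list, for instance) would contain thousands of words.
SAMPLE_WORDS = [
    "roys", "wroxham", "wand", "yellow", "happy", "lantern", "granite",
    "otter", "saddle", "velvet", "comet", "harbour",
]


def choose_parts(words=SAMPLE_WORDS, count=4, number_range=100):
    """Pick `count` distinct words and a number using the OS CSPRNG,
    so the choice is not predictable from anything about the user."""
    rng = secrets.SystemRandom()
    chosen = rng.sample(words, count)           # distinct, unconnected words
    number = secrets.randbelow(number_range)    # 0 .. number_range-1
    return chosen, number


def make_passphrase(words=SAMPLE_WORDS, count=4, number_range=100):
    """Join the chosen words (capitalised for readability) and the number."""
    chosen, number = choose_parts(words, count, number_range)
    return "".join(w.capitalize() for w in chosen) + str(number)


def passphrase_bits(wordlist_size, count, number_range=100):
    """Entropy in bits of `count` words from a list of `wordlist_size`
    plus a number. Treats the words as independent draws; the true figure
    for sample() (no repeats) is marginally lower."""
    return count * math.log2(wordlist_size) + math.log2(number_range)


def random_chars_bits(alphabet_size, length):
    """Entropy in bits of `length` characters drawn uniformly from an
    alphabet of `alphabet_size` symbols (62 = letters and digits)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("passphrase:", make_passphrase())
    print("4 words + number, 7776-word list: %.1f bits" % passphrase_bits(7776, 4))
    print("8 random letters/digits:          %.1f bits" % random_chars_bits(62, 8))
```

Four words and a number from a 7,776-word list give about 58 bits, more than an 8-character random alphanumeric password (about 48 bits), while being far easier to remember.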
Make sure you have multiple strong passwords
Now that you have a strong password, you need more than just one. Unique passwords for every site are the way forward, but that puts the burden on you of remembering a lot of passwords.
We strongly recommend the use of a password manager – there are several good, reputable ones online that you can install into your browser. These tools can generate and remember individual passwords for your different websites, prefilling them, as well as spotting if your passwords have ever appeared on ‘breach lists’ and recommending when you should change a password.
Just remember to put a really good password on the password manager, and consider upgrading that login to some form of Multi-Factor Authentication (MFA) as well.
Doing this will not stop an individual website from being hacked – that’s out of your control. But it will stop that hack from giving these people access to your other information and more sensitive sites.
How do passwords get ‘hacked’?
There are two main ways passwords get hacked. The first is that they’re not very strong passwords. The second is through a data breach.
When you type your username and password into a website, the remote server does a calculation as to whether the password was right or not. Usually, well-developed websites don’t actually store the password, but instead a ‘fingerprint’ of it (called a secure hash). This lets the site check a login attempt against the fingerprint without keeping the password itself.
However, some websites don’t do this, and instead store the actual original passwords. There is no easy way of telling from the outside whether a website is ‘good or not’, but often developers who don’t follow this guidance make other mistakes, which leads to ‘actors’ (the fancy word we in the industry use to mean bad guys) gaining access and getting copies of your password.
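The two storage approaches just described, side by side, as an added example that is not code from the original post. The plaintext version is the mistake the text warns about; the ‘fingerprint’ version keeps only a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 is an assumption here, the text only says “secure hash”).

```python
import hashlib
import hmac
import os


# The pattern the text warns about: the site keeps the password itself, so a
# copy of its database hands an attacker every password directly.
def store_plaintext(password):
    return {"password": password}


def verify_plaintext(record, attempt):
    return record["password"] == attempt


# The 'fingerprint' approach: keep only a salted, slow hash of the password.
# A fresh random salt per user means identical passwords get different
# fingerprints, and the iteration count makes each guess expensive.
def store_hashed(password, iterations=600_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_hashed(record, attempt):
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pw = "RoysWandYellowHappy7"  # constructed sample password
    print("plaintext record:", store_plaintext(pw))
    print("hashed record:   ", store_hashed(pw))
    rec = store_hashed(pw)
    print("correct password accepted:", verify_hashed(rec, pw))
    print("wrong password accepted:  ", verify_hashed(rec, "RoysWandYellowHappy8"))
```

Printing the two records shows the difference a breach makes: the plaintext record contains the password, while the hashed record contains nothing an attacker can log in with directly.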
Once they have access to passwords, they can then log in as you, or as admins, and make changes, purchases, or whatever else that website allows them to do. That’s why it’s so important to have strong passwords, and lots of them across all your accounts, so you can minimise the access these bad actors could have.
Remember, a strong password should be something that is not easy to guess, made up of words, names, numbers and special characters. You should have a different password for each login you have. But, to make it easier for you, use a password manager that can do the heavy lifting of remembering all of them.