How to pick the perfect scam-proof password
‘Your birthday is July 7, 1995. Is that correct?’ asks Ross Martin, head of digital safety at Barclays.
I cannot look him in the eyes as I shamefully nod. It is Wednesday morning and I am meeting Mr Martin for the first time at Barclays’ head office in London.
He has just reeled off a thorough profile of me, all of which he has gleaned simply by searching my name online.
We have covered everything from my twin brother to my post-university gap year in Vietnam — and I now feel he has well and truly made his point.
‘Any information scammers find out about you can be invaluable,’ Mr Martin tells me.
Oversharing on public social media sites is becoming a huge problem because it can help criminals guess people’s logins.
The Barclays team has seen cases where victims posted pictures of their dogs online with captions revealing the pet’s name.
Fraudsters then correctly guessed that the name formed part of the password and broke into the account.
So while they may seem like an irritating inconvenience, passwords are a goldmine for cyber criminals — and a growing target.
In the second half of 2021, one in eight password reset attempts — where users seek to change their login after they have forgotten it — were made by scammers trying to take over someone’s account.
This was up from one in 50 attempts in the first half of 2020, according to figures from UK Finance.
If crooks gain access to just one of your online accounts, it puts you at risk of identity fraud and means you are more likely to fall for impersonation scams.
And because many people use the same password for multiple accounts, if criminals gain access to one, more could be at risk.
Pratik Choudhary, of data analytics firm LexisNexis, says: ‘Some people may not check certain accounts, such as their online mobile account, as often as others.
‘This means a fraudster may hack in and steal personal details before resetting the password without the victim realising.’
Yet the average person now has an astonishing 100 passwords to remember, according to a study by tech firm NordPass.
So just how do you create the perfect scammer-proof password?
Here, Money Mail asks the experts for their tips when it comes to staying safe online…
Don’t overshare
The message from Mr Martin, of Barclays, is clear: privatise your social media accounts.
He says: ‘People need to be constantly checking how vulnerable they are making themselves online.
‘Scammers are building a picture of who you are, and everything you share can be useful to them.’
If you do insist on having public-facing profiles, make sure nothing you post there (a pet’s name, a birthday) also forms part of a password.
Variety is key
For Paul Davis, director of fraud prevention at TSB, the ultimate error is duplicating passwords.
He says: ‘In an ideal world, you would have a completely random set of numbers and letters for your password. This would be totally different for every account you own and you would change them every 30 days.’
Of course, that’s not practical. So he recommends ensuring that, at the very least, the password you use for your online banking is unique and difficult to guess, as this is the most valuable.
Meanwhile, Roman Faithfull, cyber threat intelligence analyst at protection company Digital Shadows, says email log-ins are also high-risk because this can be the ‘key to your digital kingdom’, allowing fraudsters to reset passwords for your other accounts.
Additionally, it is good practice to add a ‘special character’ — such as an exclamation point or a hashtag — to your passwords.
Mr Faithfull says this adds approximately 90 minutes to the amount of time a criminal needs to crack it.
Every year NordPass releases the 200 most-used passwords. The top ten invariably includes a variation of ‘123456’, and the word ‘password’ is a regular feature.
Generally, it is a good idea to use a word that’s not in the dictionary. Including a phrase — a favourite quote or song lyric — can also be easy for you to remember and hard for scammers to guess.
Use a manager
Whenever we ask fraud experts how they keep track of their own passwords, they invariably say they use a password manager.
These services generate long, random passwords and store them on your device or browser so you don’t need to remember them yourself.
When you come to log in to a site, your computer will then auto-fill the form.
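A worked illustration of the advice in the two sections above, added here as an example; it is not code from the article, from Barclays, TSB or Digital Shadows, or from any password manager. It shows how a manager-style generator draws a password from the operating system’s cryptographic random source, compares the strength of a short ‘word plus symbol’ password, a longer lowercase one, a generated password and a random passphrase by counting entropy bits, and checks a candidate password against a list of the most-used passwords and against details a scammer could lift from a public profile. The profile entries, the short wordlist and the common-password list are constructed sample data, and the function names are chosen for this example.

```python
import math
import secrets
import string

# Constructed sample data for this example, not taken from the article:
# facts of the kind a scammer could read off a public profile ...
PUBLIC_PROFILE = ["Rex", "Vietnam", "1995", "0707"]   # pet, gap-year country, birth year, birthday
# ... and a few entries of the sort that top the most-used-password lists.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "12345678"}
# Short stand-in for a diceware-style wordlist (a real one has 7776 words).
WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite", "harbour"]

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 52 + 10 + 23 = 85 characters


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose `length` symbols are each drawn uniformly
    from `alphabet_size` choices: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16) -> str:
    """Manager-style generator: every character comes from `secrets` (the OS
    CSPRNG), never from `random.choice`, whose output is predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Random passphrase: memorable, and strong because the words are chosen
    by the CSPRNG, not because they are obscure."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def weaknesses(password: str, profile=PUBLIC_PROFILE, denylist=COMMON_PASSWORDS) -> list:
    """Reasons a password is guessable; an empty list means none were found.
    Matching is case-insensitive, so 'rex2021!' is caught as well as 'Rex2021!'."""
    lowered = password.lower()
    problems = []
    if lowered in {p.lower() for p in denylist}:
        problems.append("appears on the common-password list")
    for detail in profile:
        if len(detail) >= 3 and detail.lower() in lowered:
            problems.append(f"contains public detail {detail!r}")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    return problems


if __name__ == "__main__":
    # One appended symbol adds log2(23) bits; four more letters add 4 * log2(26).
    print(f"8 lowercase:            {entropy_bits(26, 8):5.1f} bits")
    print(f"8 lowercase + 1 symbol: {entropy_bits(26, 8) + math.log2(len(SYMBOLS)):5.1f} bits")
    print(f"12 lowercase:           {entropy_bits(26, 12):5.1f} bits")
    print(f"16 from a manager:      {entropy_bits(len(ALPHABET), 16):5.1f} bits")
    print(f"5 words of 7776:        {entropy_bits(7776, 5):5.1f} bits")
    for candidate in ["Rex2021!", "password", random_password(), passphrase()]:
        print(candidate, "->", weaknesses(candidate) or "no problems found")
```

The arithmetic is the practical point: appending one symbol to an eight-letter password adds about 4.5 bits of entropy, while four more lowercase letters add almost 19, and a 16-character manager-generated password or a five-word passphrase from a full wordlist is far beyond either. The `weaknesses` check is the kind of rule a site could apply at sign-up, and it catches exactly the pet-name case described earlier.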
Many providers offer a basic management service for free, including Norton Password Manager and NordPass.
If you use Google Chrome as your main internet browser, it also offers a free, automatic password manager. More advanced services, which charge a small fee, will help you keep track of passwords across all browsers and devices.
It means you can log into accounts using your laptop, phone and tablet without having to input the details yourself.
Paid-for services include 1Password, which costs £2.48 per month, Dashlane, £3.30 a month, and LastPass, £2.60 a month.
Write it down
In the absence of a password manager, good, old-fashioned pen and paper can be useful.
This has been discouraged in the past in case your precious list falls into the wrong hands or your home is burgled.
But Mr Davis says: ‘It wouldn’t be a completely crazy idea to write down your passwords and keep them in a safe.
‘I am not going to advise that everyone does it. But if writing it down means you will use different passwords for different sites, then that is a good thing.’
Future proof
Increasing numbers of financial service firms are relying on more than just passwords.
Tech giants Google, Apple and Microsoft have all announced a commitment to a ‘passwordless future’ as the likes of facial recognition technology and fingerprint scanning could soon render written log-ins obsolete.
Already many websites and apps will no longer accept only a password as evidence of your identity.
Instead, they ask for ‘two-factor authentication’, which means you also need to approve the log-in by another means — such as entering a code sent to your phone by text message or generated by an authenticator app on it.
Many banks, including TSB, are also looking at behavioural analytics. On higher risk transactions, they might monitor how quickly you type in your details and compare this with your usual typing speed to ensure it’s really you.
Mr Davis adds: ‘I don’t think passwords will ever completely disappear. They will still be used for low-risk online shopping websites. But certainly, financial services will start to factor in more than just a password to complete transactions.’