Take control of your passwords – Who is using your account?

Who is using your account? It is no coincidence that when you log in to your online bank, the authentication process is more complex than when logging in to a discussion forum, for example. Important data and digital property should be protected as effectively as possible so as to prevent them from falling into the wrong hands. In this guide, we talk about secure online authentication practices and provide tips on how to manage your passwords.

Most people use dozens of online services that require you to log in. If you are one of them, this guide is for you – it will teach you how to use and manage passwords effectively so that you can be sure that no one else accesses your accounts, steals your information or money or impersonates you online.

Regular password maintenance is a good habit to follow. On the other hand, a good password does not need to be changed frequently. Even good and thoroughly protected passwords may still end up in the hands of criminals as a result of data breaches or leaks, even if you yourself have done nothing wrong.

Continue reading if you want to learn:

  • what makes a good password
  • how multi-factor authentication works and why you should enable it
  • how to manage your password repertoire
  • how to find out whether someone is accessing your account
  • what to do if you notice or suspect that your password has ended up in the wrong hands.

How to use your accounts securely

1: Set a good password

Many online services require you to log in using a username and password. The purpose of this login process is to monitor and limit the users of the service. The combination of username and password is used for user identification and authentication. Many services use email addresses as usernames, making them easy to guess. This is one of the reasons why you should take the time to come up with a good password that only you are aware of.

A password is simply a string of characters known only to you, the purpose of which is to prevent unauthorised access to your account. A good password is a string of characters that other people cannot guess or find out. Some online services allow you to freely set any kind of password you like, but many services impose requirements on password length and the range of characters that you can use so as to increase the security of the service. Long and unique passwords are better than short ones because they are more difficult to guess. 15 characters is long enough for many services. Since remembering long passwords can be difficult, you should preferably use passphrases instead of passwords.

Use a different password for each service. This way even if your password to a particular service is leaked, it cannot be used to access your other accounts. The email account that you use to log in to services and restore passwords should have an especially good password. Be sure to also protect this email account with multi-factor authentication. Some online services provide you with a temporary password when you create your account. You should always change this to a unique password of your own choosing as soon as possible.

If there is a service that you use very rarely, only once a year, for example, you can request a new password to be sent to your email every time you use it.

A good password:

  • is long; a good rule of thumb is 15 characters
  • is preferably a phrase rather than a single word
  • contains special characters, such as %&//()=

Never use:

  • lazy and easy passwords like your own name, cat123, qwerty, your date of birth
  • the most common substitutions, such as i=1, 3=E.

Never disclose your password to anyone. If you use a shared computer at a library, for example, be sure to delete your browsing history after you are done.
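The rules above can be turned into an automatic check. The following is an added example, not part of the original guide or any Traficom tool: the function name `check_password`, the denylist entries beyond cat123 and qwerty, and the substitution table beyond i=1 and 3=E are assumptions made for illustration.

```python
import re

MIN_LENGTH = 15  # the guide's rule of thumb
# Constructed denylist: "cat123" and "qwerty" come from the guide, the rest are assumptions.
WEAK_TERMS = {"cat123", "qwerty", "password", "letmein"}
# The guide names i=1 and 3=E; the other look-alike swaps are assumptions.
SUBSTITUTIONS = str.maketrans({"1": "i", "3": "e", "0": "o", "4": "a",
                               "@": "a", "$": "s", "5": "s"})
SEPARATORS = re.compile(r"[\s_\-.,]+")


def check_password(password, personal_terms=()):
    """Return a list of findings; an empty list means no rule was broken.

    personal_terms holds things an attacker could guess about the user,
    such as a first name or the digits of a date of birth.
    """
    problems = []
    lowered = password.lower()
    undone = lowered.translate(SUBSTITUTIONS)  # reverse common look-alike swaps

    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    words = [w for w in SEPARATORS.split(password) if w]
    if len(words) < 2:
        problems.append("single_word")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no_special_character")

    banned = WEAK_TERMS | {t.lower() for t in personal_terms if t}
    for term in sorted(banned):
        if term in lowered:
            problems.append(f"contains_weak_term:{term}")
        elif term.translate(SUBSTITUTIONS) in undone:
            # The weak term only appears once the substitutions are reversed.
            problems.append(f"substitution_of_weak_term:{term}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for demonstration only.
    for candidate in ("qwerty", "P@ssw0rd1234567!", "violet-tram-orbits-lakeside!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The second sample is 16 characters long and contains special characters, yet it is still flagged, because reversing the substitutions reveals a common word.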

2: Enable multi-factor authentication

Multi-factor authentication means that your identity is confirmed using two or more authentication methods, or factors. These can include:

  • something that you know (a PIN, password, written or graphical security questions and answers)
  • something that you own (using your mobile phone to receive a one-time code, such as Mobile ID)
  • biometric information (such as your fingerprint or a picture of your iris).

The benefit of multi-factor authentication is that even if a criminal were to get a hold of your username and password, they cannot log in to your account without an additional authentication factor. According to Microsoft, using multi-factor authentication can prevent almost all account hijacking attempts.

Any unusual login attempts are reported to the user. This allows the user to react quicker to unauthorised access and report that their account has fallen into the wrong hands. In the best case scenario, the user can intervene before their account is used for anything nefarious.

3: Use a password manager

Password managers are pieces of software that help you create and store passwords. They allow you to quickly generate and save new passwords. This frees you from having to remember individual passwords, as long as you remember the password to the password manager.

A password manager allows you to save passwords in an encrypted form so that you have access to all of your passwords with a single master password. Most password managers also allow you to generate unique, high-quality passwords for different services, thus reducing the risk of unauthorised access.

When choosing a password manager, you should be aware that some password managers store your passwords in an encrypted form in the cloud, while others store them locally on the computer or device on which the password manager is installed. A password manager that stores your passwords in the cloud allows you to easily access them on multiple devices. However, if your master password is lost or misused, all of your passwords may end up in the hands of third parties. Using a password manager that stores your passwords locally reduces the risk of a third party gaining access to your passwords, but also means that the usability of your passwords may be affected by the functioning of your device and whether your backups are up to date and securely stored.

Available password managers include 1Password, Bitwarden, Dashlane, Enpass, F-Secure ID PROTECTION, Password Safe, KeePass and KeePassX, Keeper, Keychain, LastPass and RoboForm.

Please note that the Finnish Transport and Communications Agency Traficom has not verified the aforementioned pieces of software and makes no claims as to whether they function as described by their manufacturers.

If you come to the conclusion that password managers are not for you, here are some tips to help remember your passwords:

  • Write down your passwords on a physical note in full or in part. Store this note in a secure place. Write down the information in a way that makes it impossible for outsiders to determine the services that the passwords are for or the user if the note goes missing.
  • Store your passwords in an encrypted form on a computer, your email account or a USB memory stick.

4: Enable login notifications

You should definitely look into login notifications. When login notifications are enabled, you receive a notification every time your account is accessed from an unusual location or on a new device. You will quickly learn how to read login notifications and determine whether you logged in to your account from a different device than usual or if your account was accessed by a family member in Tibet, for example. If you have no family members in Tibet, you can take a closer look at the login notification to determine whether the login attempt was unauthorised.

5: Take care when resetting passwords

Nearly all online services offer you the option of ordering a new password in the event that you have forgotten your old one. Usually the link for resetting your password is sent to the email address that you entered when registering your account. This makes your email password particularly important for managing other services as well.

Take especially good care of the master password to your password manager. In most cases, forgetting it means that you can no longer access any of the information stored by the password manager. Some password managers offer you the option of ordering a new password, but in the interest of keeping your data secure, the process is considerably more complicated and exact than resetting your password for other services. This is because gaining access to your email address and the master password to your password manager would allow a third party to log in and change your passwords to other services as well.

Think carefully whether to open links included in messages claiming to have been sent for the purpose of resetting your password. Messages masquerading as password reset messages are also sent by criminals hoping to lure people into entering their usernames and passwords on phishing sites. Only click on a link if you are sure that you ordered a password reset yourself.

6: Even you possess valuable data

Scammers try to get a hold of users’ passwords because they are digital currency that others are willing to pay for. Scammers phish for passwords via email, by phone and by text message, and by attempting to access your browser data and using keyloggers. A scammer may also attempt to install software designed to steal your data on your device.

You can protect yourself from phishing attempts by never disclosing your passwords to others, for any reason. To protect yourself from criminals trying to access your data via your browser, make sure that your software is always up to date. A third effective method is never to open email attachments if you are unsure about their content.

Sometimes passwords to popular services are stolen directly from service providers. If you learn that passwords to a service that you use have fallen into the wrong hands, change your password immediately. If you have two-factor authentication enabled on the breached service, your data is secure.

There are also services available for checking whether your data may have ended up in the wrong hands. But even if they have, it does not necessarily mean that the stolen data has been used for nefarious purposes. Even so, you should change your password to any service that has suffered a data breach and to any services for which you use the same password.

7: Act quickly if your account is hijacked

Sometimes your password may end up in the wrong hands for one reason or another. If you notice that your password has ended up in the wrong hands, change your password immediately. This way you can prevent the unauthorised use of your account.

If you have disclosed your bank information to a scammer, immediately contact your bank. If you suspect a crime, you should also submit a report of an offence to the police.
