Fraud watch: why use a password manager?

It’s best practice to create unique, hard-to-guess passwords for all our online accounts. John Allcock, Fraud Prevention, explains why a password manager could help improve your first line of defence.

Common password pitfalls to avoid include:

  • Defaulting to predictable patterns, such as a zero in place of an ‘o’, or adding an exclamation mark to meet complexity criteria.
  • Using information that attackers can find on social media, such as your pet’s name. Attackers know we’re prone to doing this, and they use these patterns and information to optimise their attacks.
  • Reusing passwords across multiple accounts. This is particularly dangerous as it means that if a criminal manages to get one of your passwords, they could gain access to multiple accounts.

What makes a strong password?

Using three random words is an ideal way to create strong passwords that are unique and easy to remember. The National Cyber Security Centre (NCSC) lists these as principal reasons for using this approach:

  1. Length – passwords made from multiple words will be longer and meet minimum length requirements.
  2. Novelty – the unpredictability of this method makes it very difficult for hackers to guess.
  3. Usability – it’s easier to remember three random words than one that contains a complex range of characters.

For more about the NCSC’s password suggestions, and other top security tips, visit the NCSC website.

What if I need to meet password criteria?

We recognise that while using the three-word approach, your password might not meet required criteria for creating passwords on some accounts (such as numbers or special characters). You can still add numbers and symbols if needed, for example: 3redhousemonkeys?27.

What is a password manager and why use one?

Password managers are a great way to help keep your accounts secure. They allow you to have strong, different passwords for each account, while only needing to remember one password yourself.

A password manager is an application on your device that securely stores your passwords, so you don’t need to remember them all.

  • You can access any of the stored passwords with a ‘master password’ that you set.
  • They can be stand-alone applications or built into a browser.
  • Password managers are designed to make using, generating, and storing passwords easier and more secure.
  • Many password managers automatically enter the appropriate password into websites and apps on your behalf, so you don’t have to type them in every time you log in.

How does a password manager work?

A password manager acts as an encrypted ‘safe’ that stores all your passwords. You will have one master password that lets you access that safe, make changes to your passwords and add new ones.

Some password managers can generate passwords for you, making it much easier to have a different one for each of your accounts, and avoiding the common pitfall of reusing passwords.

The passwords these managers generate are even stronger than passwords we create ourselves, as they contain random strings of characters that we wouldn’t be able to easily remember on our own.
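The three random words approach and the manager-generated passwords described above can be compared side by side. The following is an added example, not part of the original article: the word list is a small constructed sample, and the 7,776-word list size used in the comparison is an assumption for illustration.

```python
import math
import secrets
import string

# Constructed sample list for illustration only; a real generator would draw
# from a list of several thousand words.
SAMPLE_WORDS = ["red", "house", "monkeys", "coffee", "train", "fish", "window",
                "garden", "purple", "rocket", "candle", "river", "hammer",
                "cloud", "biscuit", "tiger"]
SYMBOLS = "?!#%&*"
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def three_random_words(words=SAMPLE_WORDS, need_digit=False, need_symbol=False):
    """Join three independently chosen words, adding a symbol and digits only
    when a site's password criteria demand them."""
    password = "".join(secrets.choice(words) for _ in range(3))
    if need_symbol:
        password += secrets.choice(SYMBOLS)
    if need_digit:
        password += str(secrets.randbelow(90) + 10)  # two random digits
    return password


def random_password(length=20, alphabet=ALPHABET):
    """What a password manager's generator does: every character is random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(pool_size, picks):
    """Guessing entropy of `picks` independent, uniform choices from a pool."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    print("three words :", three_random_words())
    print("with rules  :", three_random_words(need_digit=True, need_symbol=True))
    print("generated   :", random_password())
    # Assumed list size of 7,776 words versus 20 characters from 94 symbols.
    print("3 words from 7,776: %.1f bits" % entropy_bits(7776, 3))
    print("20 random chars   : %.1f bits" % entropy_bits(len(ALPHABET), 20))
```

The strength comes from the random choice, not from the words themselves, which is why the code uses the `secrets` module rather than words a person picks.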

How do I protect my password manager?

As your manager will contain all your passwords, it’s important to make sure it’s secure. You’ll also need to ensure that you’re always able to get into your password manager yourself, so you don’t risk losing access to your passwords.

Protecting your password manager is easier than you might think. Here are some steps you can take:

  1. Set up two-factor authentication. This adds an additional layer of security; for example, a biometric scan or a one-time response code. If you have the option, set up more than one method so you have a backup for getting into your manager.
  2. Make sure that you install updates for your password manager when prompted to. If you’re using a manager that’s built into your browser, make sure you’re using the most up-to-date version of the browser.
  3. Choose a strong master password for your password manager using the three random words approach. You can’t store your master password in the manager itself, so it’s important that it’s both secure and memorable. Don’t store your master password on any devices.
  4. If you’re using a password manager built into Safari or Google Chrome, it will already be protected by your existing Apple ID or Google Account. Your existing password for these accounts will act as your master password for the in-built manager, so it’s important to make sure you set this password in line with the guidance above.

How does two-factor authentication work?

Two-factor authentication requires you to enter additional information beyond just your password to verify that it’s really you. This means even if a criminal manages to access your password, they may still be unable to access your account.

Examples of two-factor authentication include biometric scans (like facial recognition when unlocking phones), and one-time passcodes, normally sent via text message or generated by an authenticator app.

When you log in to an account with two-factor authentication active, you’ll be prompted to enter your account password and then complete the second authentication. You can turn two-factor authentication on from within the settings of your password manager.

We hope you found this useful. Please do share this information, as the more people use stronger, more effective password management, the safer they’ll be. Collectively, we can beat the fraudsters!

You can visit our security centre or join a free webinar to find out about common threats and scams. You can also explore the advice and resources of our security partner, the National Cyber Security Centre.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
