
Your 3 keys to website logins

"Who you are, what you know, and what you have"

Most sites ask for an email address as your username. An attacker who knows that address can use it to trigger a password reset for your account, so use a random username instead if the site allows it, and store it in your password manager.

Your password should be difficult to guess from your online social media. No website, bank or other agency will ever ask for your password.

Two-factor authentication (2FA) adds an extra layer of security to your account. SMS and TOTP codes are the most common second factors, but they can be attacked as well.

Key Elements of Good Password Hygiene

  • If you haven't already, create a log of all the sites where you have a user account.

  • Next, check whether any of those accounts have been involved in a breach; those are the first passwords to change.

    • Every password must be unique for each website you visit.

    • Must be at least 10 characters long. The longer the better.

    • Should be difficult to remember.

    • Don't use things that are easy to guess, like pet names, kids' names, dates of birth, phone numbers or addresses.

    • Should NEVER be kept on a sticky note near your computer, or in a text document on your computer or your phone.

    • Should be stored either on paper in a secure location, with a duplicate offsite, or kept in a password manager.

  • Best Practice

    • Get a good password manager, secure it with a complex master password that only you know, then fill it with all your login accounts. Use the password manager to help you update accounts with weak or reused passwords.
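As an added example (not part of the original page), this Python script runs the audit a password manager promises against an exported vault: it flags passwords that appear in a breach, passwords reused across sites, and passwords shorter than 10 characters, in that priority order. The vault entries and the breached-hash set are constructed; comparing SHA-1 digests stands in for a real breach-check service.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 10

# Constructed vault export: (site, username, password). A real export would be
# read from the password manager's CSV/JSON file.
VAULT = [
    ("bank.example", "a.random.handle", "correct horse battery staple"),
    ("shop.example", "me@example.com", "Fluffy2010"),
    ("forum.example", "me@example.com", "Fluffy2010"),
    ("mail.example", "me@example.com", "Summer19"),
    ("news.example", "reader42", "p@ssw0rd!!"),
]

# Constructed stand-in for a breached-password corpus, keyed by SHA-1 hex digest
# (breach-check services compare hashes so plaintext passwords never leave disk).
BREACHED_SHA1 = {
    hashlib.sha1(b"p@ssw0rd!!").hexdigest().upper(),
    hashlib.sha1(b"password").hexdigest().upper(),
}

def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def audit_vault(vault, breached=BREACHED_SHA1, min_length=MIN_LENGTH):
    """Return {site: [findings]} for every entry that breaks a rule.

    Findings follow the page's priority: breached first, then reused,
    then too short. Entries that pass every rule are omitted.
    """
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)

    findings = {}
    for site, _user, password in vault:
        problems = []
        if sha1_upper(password) in breached:
            problems.append("breached")
        if len(by_password[password]) > 1:
            problems.append("reused")
        if len(password) < min_length:
            problems.append("too short")
        if problems:
            findings[site] = problems
    return findings
```

Running `audit_vault(VAULT)` on the constructed vault reports the breached news login, the password shared by the shop and forum logins, and the 8-character mail password; the bank login passes.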

*NCSC (National Cyber Security Centre)

Password Managers

Password managers are apps that store your login credentials in an encrypted vault on your phone and your computer. They can be standalone products, or they can use an encrypted key to store your data in the cloud so it syncs between your laptop and your phone. They can store any sensitive information, including Social Security numbers and passport numbers. Picking a respected and reliable product is important. I recommend you do your own research, but here are 3 that usually rank high among the experts.

Option 1

  • Subscription based

  • Long track record

  • Mobile, desktop and Web

  • Encrypted on their servers

  • Watchtower feature looks for compromised logins and passwords

Option 2

  • Free and subscription based options

  • Open Source

  • Mobile and desktop

  • Encrypted on their servers

Option 3

  • Free

  • Open Source

  • Desktop Offline Only

  • Can sync with StrongBox on iOS

This comic from xkcd.com highlights a common problem with making passwords.

Credential Stuffing

Another common mistake people make is to reuse passwords for convenience, but this has serious drawbacks. When passwords are stolen in a breach, a tactic called credential stuffing lets attackers get into every other account where you used the same login credentials.

Breach

Hackers break into a database server and download gigabytes or terabytes of raw customer information.

Batched & Sold

The raw data is parsed and analyzed, then batched and sold in clusters on the dark web or hacker forums.

Validated

Bundles of data are validated and verified. Username/password combos that still work are then resold as "live".

Live Targets

Attackers then use a program to plug live credentials into hundreds of websites to take over your accounts.
