Does your ex know your passwords?

Happy sharing passwords with your partner? Here's why it might not be such a great idea, and what you should be doing instead...

When Emma Kowalski broke up with her ex, she threw herself into online dating in a bid to move on. ‘I arranged to go on a date with somebody I’d been chatting to on dating site Plenty of Fish,’ Emma, 30, explains. ‘As I was arranging to meet the guy, called John*, my ex contacted me out of the blue via text, asking ‘Who’s John?’. I remember being confused for a second, before I realised what had happened.

Weeks earlier, I’d received an unexpected notification on Facebook from a guy I knew, responding to a comment I’d made on a picture he’d posted. Only I hadn’t left a comment at all (bizarrely, the comment showed ‘me’ calling him ‘ugly’). I assumed I’d been hacked and changed my Facebook password, not thinking any more of it. Until the moment my ex asked me who ‘John’ was.

Connecting the dots – I only used one password for all of my log-ins and clearly, my ex knew it – I immediately changed my password to every website and app I could think of. It seemed to do the trick but it really shook me up and I’ll definitely be more mindful of keeping passwords private in the future.’

New research from cyber-security company McAfee shows that 1 in 4 of us have shared passwords with a partner. But worryingly, only around 11% of us actually change those passwords after a breakup. But the ramifications of sharing passwords - or unwittingly giving a partner access to them - can be far-reaching, as Lucy*, 32, knows all too well.

‘Richard* and I were together for three years and during that time shared everything - from our rented flat to our passwords. Once, when I was on a hen do abroad with dodgy WiFi, I asked him to log onto my online banking and transfer money from my savings account to my current account, which he did. When we split I didn’t think twice about the passwords. It was only when I checked my savings account months after our split that I saw an unexplained payment of £500 had been transferred to Richard’s account.’

Luckily for Lucy, she was able to get her money back. ‘I contacted him immediately and at first he feigned ignorance, before finally admitting he’d transferred the money using my password because ‘he’d bought most of the furniture we owned’. I later learned through mutual friends he was incredibly bitter about the split, since I’d initiated it. I changed my passwords immediately and since he returned the money, I didn’t take it any further.’

So what would Lucy’s rights be, if Richard hadn’t returned the money willingly? Solicitor Tom Brownrigg from Goodman Ray Solicitors says legally, this kind of situation can be complex. ‘From a family law perspective, taking money from somebody else’s account is criminal territory but being allowed permission in the past may well account to some form of justification for that. Sharing passwords or how accounts were managed previously may be an indicator of ‘allowed permission’.’

Not great news for the 1 in 4 of us who’ve shared passwords, then. Their advice? ‘If you did share account details - or if your ex-partner had free access to your account - change passwords and cancel any cards they may have immediately. Block any access ASAP because it can be very difficult to recover any funds removed later. If there is a joint account and you’re concerned funds may be removed by the other party without your consent, contact your bank to ask for a freeze or restriction on the account to ensure funds are only removed with both your consents.’

But as Emma’s story shows, it’s not just theft we need to worry about - what about ex-partners gaining access to social media or email accounts without permission? ‘In circumstances where one partner believes the other has been accessing private information without their consent, they should immediately contact their own solicitor who may want to write to the other party and put them on notice that they have been obtaining information without consent,’ says Brownrigg. As for the bottom line? ‘It’s a cliché, but prevention is better than the cure,’ says Browning. ‘It’s far easier to stop someone having access to private data or assets in your name in the first place, than trying to prevent them relying upon that information if they have had it, or getting money returned later. Trying to do the latter, after the event, can result in complex legal arguments and significant fees.’

Five easy ways to protecting your online data

Besides keeping passwords private, there are a few other ways to keep your information safe online, whether it’s from snooping exes, or professional hackers. Here, Professor Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University breaks it down...

1. Swap passwords for sentences

‘Password length is more important than complexity so use sentences rather than phrases,’ says Curran. ‘Choose a very long completely random character string (use a random password generator tool, like Gibson Research Corporation's Ultra High Security Password Generator). Use different passwords for each account, too - the average web user has 25 online accounts but uses just six passwords. Once hackers identify one, they usually try and access other sites, too.’

2. Use a password manager

‘The best password is one you cannot remember, which only a password manager can really provide. They work by creating long random character passwords for multiple sites which are stored in an encrypted file on your device. You then only need to remember one ‘master’ password and the password manager will take care of logging you into different sites securely.’

3. Enable multi-factor authentication

‘The premise is that two-factor authentication won’t allow anyone to login to an associated account without access to a phone which is registered to that account. This should in theory prevent any third party from hijacking that account (as they do not have the registered phone in their possession).’

4. Avoid open wireless networks

‘Open public wireless networks are dangerous because they don’t encrypt (disguise) a connected user’s data. You can tell if a public open wireless network is 'open' because it won’t ask you for a password and this means a hacker can position themselves between your device and the sites you visit. This allows them to see all the unencrypted websites you visit, and capture your passwords.’

5. Don’t be lazy

Most of us have auto-login enabled on our devices, but it means anybody using your laptop, phone or iPad could gain access in seconds. ‘Auto-login on sites does save time but convenience can come at the cost of security. It’s much safer to have a website ask you for your credentials on each individual visit, or to use a password manager as they offer more control.’