We’ve been on the internet for almost 35 years, yet we still haven’t learned our lesson about online passwords. According to a recent security study, the most commonly used web passwords are things like “123456” and “password.” Sure, they’re easy to remember, but that makes them just as easy to hack. And if you use that simple password across multiple accounts, as a reported 92 percent of online users do, that puts all of your data at risk.
While most everyone has at some point heard the basics of password security (use a strong password, don’t use the same password on different sites, etc.), many of us still brush off that advice because it seems too complicated, or it feels like we just don’t have the time. We use the same password across different sites; we use passwords that are easy for others to figure out – and just hope for the best. But passwords are just as important as other tools we use to verify our identity – like driver’s licenses, social security cards, and passports – and they are just as important to keep secure.
1. MAKE YOUR PASSWORD LONG.
Hackers use multiple methods for trying to get into your accounts. The most rudimentary way is to personally target you and manually type in letters, numbers, and symbols to guess your password. The more advanced method is to use what is known as a “brute force attack.” In this technique, a computer program runs through every possible combination of letters, numbers, and symbols as fast as possible to crack your password. The longer and more complex your password is, the longer this process takes. Passwords that are three characters long take less than a second to crack.
2. MAKE YOUR PASSWORD A NONSENSE PHRASE.
Long passwords are good; long passwords that include random words and phrases are better. If your letter combinations are not in the dictionary, your phrases are not in published literature, and none of it is grammatically correct, they will be harder to crack. Also do not use characters that are sequential on a keyboard such as numbers in order or the widely used “qwerty.”
3. INCLUDE NUMBERS, SYMBOLS, AND UPPERCASE AND LOWERCASE LETTERS.
Randomly mix symbols and numbers in with letters. You could substitute a zero for the letter O or @ for the letter A, for example. If your password is a phrase, consider capitalizing the first letter of each word, which will make it easier for you to remember.
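Tips 1 to 3 rest on one piece of arithmetic: a brute-force program has to try every combination of the chosen alphabet, so the search space is alphabet size raised to the password length. The following Python script is an added example (not from the original article) that computes that search space, the equivalent entropy in bits, and the worst-case time to exhaust it for an assumed guess rate, and then generates a random capitalized nonsense passphrase with a digit and a symbol appended, the way tips 2 and 3 suggest. The guess rate and the short word list are constructed for the demo; a real generator would draw from a list of several thousand words.

```python
import math
import secrets
import string

# Alphabets a brute-force program must iterate over, keyed by a label.
CHARSETS = {
    "digits only": string.digits,                                   # 10
    "lowercase letters": string.ascii_lowercase,                    # 26
    "mixed case + digits": string.ascii_letters + string.digits,    # 62
    "mixed case + digits + symbols":
        string.ascii_letters + string.digits + string.punctuation,  # 94
}

# Constructed word list for the demo only; a real passphrase generator would
# draw from a list of several thousand words (EFF's long list, for example).
SAMPLE_WORDLIST = [
    "apple", "river", "stone", "cloud", "tiger", "lamp", "orbit", "velvet",
    "maple", "cobalt", "harbor", "quartz", "meadow", "falcon", "ember", "glacier",
]
SYMBOLS = "!@#$%^&*"


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force run must try to exhaust the space."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity expressed in bits: log2 of the search space."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who can test guesses_per_second candidates."""
    return search_space(alphabet_size, length) / guesses_per_second


def crack_time_table(lengths=(3, 6, 8, 12), guesses_per_second=1e10):
    """Rows of (charset label, length, bits, years to exhaust) for comparison.
    guesses_per_second is an assumed rate for illustration, not a measured one."""
    rows = []
    for label, alphabet in CHARSETS.items():
        for n in lengths:
            secs = seconds_to_exhaust(len(alphabet), n, guesses_per_second)
            rows.append((label, n, round(entropy_bits(len(alphabet), n), 1),
                         secs / (365 * 24 * 3600)))
    return rows


def generate_passphrase(wordlist=SAMPLE_WORDLIST, n_words=4, separator="-") -> str:
    """Random words (no grammar, not a published phrase), each capitalised,
    followed by one digit and one symbol. secrets.choice uses the OS CSPRNG."""
    words = [secrets.choice(wordlist).capitalize() for _ in range(n_words)]
    return separator.join(words) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)


def passphrase_entropy_bits(wordlist=SAMPLE_WORDLIST, n_words=4) -> float:
    """Entropy of generate_passphrase output, counting each independent random draw."""
    return (n_words * math.log2(len(wordlist))
            + math.log2(len(string.digits)) + math.log2(len(SYMBOLS)))


if __name__ == "__main__":
    for label, n, bits, years in crack_time_table():
        print(f"{label:32} len={n:2} {bits:6.1f} bits  {years:.3g} years")
    print(generate_passphrase(), f"(~{passphrase_entropy_bits():.1f} bits)")
```

The table makes the point of tip 1 concrete: at the assumed rate a three-character password from the full 94-symbol alphabet falls in well under a second, while twelve mixed-case alphanumeric characters take thousands of years. The entropy figure for the passphrase also shows why the word list matters: with only 16 demo words, four words give 16 bits, far less than the same generator would give with a list of several thousand words.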
4. AVOID USING OBVIOUS PERSONAL INFORMATION.
If there is information about you that is easily discoverable – such as your birthday, anniversary, address, city of birth, high school, and relatives’ and pets’ names – do not include it in your password. These details only make your password easier to guess. On that note, if you are required to choose security questions and answers when creating an online account, select ones whose answers are not obvious to someone browsing your social media accounts.
5. DO NOT REUSE PASSWORDS.
When hackers complete large-scale hacks, as they have recently done with popular email servers, the lists of compromised email addresses and passwords are often leaked online. If your account is compromised and you use this email address and password combination across multiple sites, your information can be easily used to get into any of these other accounts. Use unique passwords for everything.
6. CHANGE YOUR PASSWORDS REGULARLY.
The more sensitive your information is, the more often you should change your password. Once it is changed, do not use that password again for a very long time.
7. USE DIFFERENT PASSWORDS FOR ACCOUNTS THAT CONTAIN SENSITIVE OR PERSONALLY IDENTIFYING INFORMATION.
The importance of this tip can’t be emphasized enough. If you use the same password across these accounts, once it’s been cracked, ALL of your accounts become vulnerable. Just as you use different keys to protect different places, use different passwords to protect important accounts.
8. USE TWO-FACTOR OR MULTI-FACTOR AUTHENTICATION.
It sounds pretty fancy, but all it really means is that instead of just entering a password to log in to your account, you will also need to enter a second piece of information. You can usually find this option in the account settings or security settings of the online service. There are a variety of options out there, and they fall within two distinct categories: “something I have” or “something I am”. Currently most services use the “something I have” kind. Here’s how it works: after entering your password, the company will immediately send a short code to something you have: an email account, a text message or voice call to your phone, or an app you have installed on your device. You then enter that code on the website and, voila! – you are able to access your account. It confirms you are who you say you are, because you verified you have the email account, cell phone, etc. that you previously connected to that account. Some emerging technologies are beginning to use the “something I am” authentication – a retina scan, a thumbprint scan, a facial recognition scan, etc.
9. DO NOT SHARE YOUR PASSWORD.
Sometimes – especially in any relationship – we want to share everything with our partner, and have them share everything with us. But just as you wouldn’t give them your identity documents to carry around in their wallet, it’s important to keep your passwords private, and to respect the privacy of their passwords.
10. DON’T LET BROWSERS REMEMBER YOUR PASSWORDS.
While this feature in many browsers may make it super easy to get into your accounts, it also makes it easy for someone who’s using the same computer or device to access those accounts (and all of your personal information) without needing to know your password. If you need help remembering your passwords, consider using a password manager.
11. DON’T TAKE THE BAIT.
Unfortunately, most malicious hackers don’t have to work very hard to get access to passwords. They use strategies to trick people into giving them up. One common way they do this is by calling and pretending to be a representative of a company you are a customer of, and convincing you to give them private information. Another way is by sending an email pretending to be from a website, service, friend, or colleague, and giving you a website link to follow. When you click on that link you’re either directed to a fake website that asks for your private information, or the link launches malware onto your computer.
12. REMEMBER TO LOG OFF.
Computers and devices are smart – sometimes too smart – and unless you actively log out, your account may remain open indefinitely, allowing others easy access. While it’s certainly convenient to not have to log in every time on our own devices, it’s important to weigh that convenience with the risk of what might happen if our device gets in the wrong hands. Also – getting into the habit of logging out on our own devices makes it less likely we’ll accidentally stay logged in to our accounts on computers and devices that aren’t ours. If you’re concerned you may have stayed logged in to an account by mistake, some online services like Facebook and Gmail allow you to go in and see the places where you’re currently logged in and give you the option of logging out of them remotely.
13. CREATE A SEPARATE EMAIL ACCOUNT TO USE FOR LOGGING IN TO ONLINE ACCOUNTS OR MAKING PURCHASES.
Creating an alternative email account that you can use for online accounts and purchases can help protect your privacy, and also help you avoid all of that spam in your actual email inbox. (Many companies these days want you to create a new account, even for one-time interactions. Online shopping companies often encourage you to do this, even though it’s not a necessary part of doing business with them.)