The security of your Netflix account, bank account and email inbox rests on how well you protect your passwords.
How many passwords can you actually remember? You could easily have 85 passwords across all your accounts, from streaming to banking to social media, according to LogMeIn, the company that makes the LastPass password manager. The challenge is to create strong passwords you can actually remember, without falling into the bad habits that can hurt you, like reusing the same password for multiple accounts.
Reusing passwords, or choosing weak ones, can have serious consequences if your data is exposed in a breach, and a reused password is a problem even when it is strong. For instance, companies reported 5,183 data breaches in 2019 that exposed personal information such as home addresses and login credentials that someone could use to defraud you or steal your identity. And since 2017, 555 million stolen passwords have circulated on the dark web, where criminals can use them to break into your accounts.
Password security may not completely stop your data from being exposed, but these best practices can help reduce your risk if it is. Here's how to create and manage strong passwords, how to find out whether they have been stolen, and one important step that makes your accounts safer still.
Use a password manager to keep track of your passwords
Strong passwords are longer than eight characters, are hard to guess and contain a mix of letters, numbers and special symbols. The best ones are hard to remember, especially if you use a separate login for every site (which is recommended). That is where password managers come in.
A trusted password manager such as LastPass or 1Password can generate and store strong, long passwords for you, and it works across your phone and desktop.
The one catch is that you still have to remember a single master password that unlocks all the others, so make that one as strong as you can.
Browsers like Mozilla's Firefox and Google's Chrome also come with built-in password managers, but there are concerns about how well browsers protect the passwords they store, and a dedicated app is generally recommended instead.
Password managers and their master passwords are, of course, obvious targets for hackers, and password managers aren't perfect. LastPass fixed a flaw last September that could have exposed a customer's credentials. To its credit, the company was transparent about the potential exploit and the steps it would take in response.
Yes, you can write your login credentials down. Really
We know: this advice goes against everything we've been told about protecting ourselves online. But password managers aren't for everybody, and some prominent security experts, like the Electronic Frontier Foundation, say that keeping your login information on a sheet of paper or in a notebook is a practical way to track your credentials.
And we're talking about real, old-fashioned paper, not an electronic document like a Google spreadsheet or a Word file, because if someone gets access to your computer or online accounts, they also get access to that electronic password file.
Of course, someone could also break into your house and walk off with the keys to your whole life, but that seems less likely. At home or at work, keep the sheet of paper somewhere safe, like a locked cabinet or desk drawer, and out of sight. Limit the number of people who know where your passwords are, particularly the ones for your financial sites.
If you travel frequently, carrying your passwords with you adds risk if you misplace the notebook.
Find out whether your passwords have been stolen
You can't always stop your passwords from leaking, whether through a malicious hack or a data breach. But you can check at any time for signs that your accounts may have been compromised.
Google's Password Checkup and Mozilla's Firefox Monitor can show you which of your email addresses and passwords have been exposed in a data breach so you can take action. Have I Been Pwned can also tell you whether your email addresses and passwords have been exposed.
Avoid common words and character combinations in your password
The goal is to create a password that someone else won't know or be able to guess easily. Stay away from common words like "password," phrases like "mypassword" and predictable character sequences like "thequickbrownfox" or "qwerty".
Also avoid using your name, nickname, birthday or anniversary, your pet's name, your street name or anything else about you that someone could learn from social media, or from a friendly chat with a stranger on an airplane or at a bar.
Longer passwords are safer: make sure they are at least 8 characters
Eight characters is a good starting point for a strong password, but longer logins are safer. The Electronic Frontier Foundation and security journalist Brian Krebs, among many others, recommend using a passphrase made up of three or four randomly chosen words for extra security. A longer passphrase composed of unrelated words can be hard to remember, though, which is another reason to consider a password manager.
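To make the length advice concrete, and to show what a password manager's generator does internally (see the password manager section above), here is an added Python example that is not from the article or from any password manager. It draws random passwords and diceware-style passphrases from the operating system's cryptographic random source (`secrets`, never `random`) and estimates the resulting entropy as length times log2 of the alphabet or word-list size. The 25-word list is constructed for the demo; the figure 7,776 is the size of the EFF's long word list, included so the estimate for a real passphrase can be compared.

```python
import math
import secrets
import string

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed, deliberately tiny word list so the example runs offline. Entropy
# per word is log2(list size), so a real generator uses a large list.
DEMO_WORDLIST = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5 entries, one word per five dice rolls


def entropy_bits(alphabet_size, length):
    """Entropy of a string whose every symbol is chosen uniformly at random.
    This assumes uniform choice; a human-picked password of the same length
    has far less entropy because people choose predictably."""
    return length * math.log2(alphabet_size)


def random_password(length=16, alphabet=DEFAULT_ALPHABET):
    """Uniformly random password from the OS CSPRNG."""
    if length < 8:
        raise ValueError("use at least 8 characters; longer is better")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=4, wordlist=DEMO_WORDLIST, sep="-"):
    """Diceware-style passphrase: each word drawn uniformly with secrets."""
    if words < 3:
        raise ValueError("use at least three words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_strengths():
    """Entropy in bits for the choices the article discusses."""
    return {
        "password: 8 random chars, 94-symbol alphabet": entropy_bits(len(DEFAULT_ALPHABET), 8),
        "password: 12 random chars, 94-symbol alphabet": entropy_bits(len(DEFAULT_ALPHABET), 12),
        "password: 16 random chars, 94-symbol alphabet": entropy_bits(len(DEFAULT_ALPHABET), 16),
        "passphrase: 4 words from the 25-word demo list": entropy_bits(len(DEMO_WORDLIST), 4),
        "passphrase: 4 words from the EFF long list": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "passphrase: 6 words from the EFF long list": entropy_bits(EFF_LONG_LIST_SIZE, 6),
    }


if __name__ == "__main__":
    print(random_password(16))
    print(random_passphrase(4))
    for label, bits in compare_strengths().items():
        print(f"{bits:6.1f} bits  {label}")
```

Two things the numbers show: four words from a 7,776-word list carry about the same entropy as eight fully random characters (roughly 52 bits) while being far easier to remember, and the word list has to be large, since four words from a 25-word list give under 20 bits. Both estimates apply only to machine-generated choices, which is the point of letting a manager generate the password.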
Don't recycle your passwords
It's worth repeating that reusing passwords across different accounts is a terrible idea. If someone discovers the password you reuse for one account, they have the key to every other account that uses it.
The same goes for variations on a root password that differ only by a prefix or suffix, for instance PasswordOne and PasswordTwo (both bad for multiple reasons).
By choosing a unique password for each account, you ensure that a hacker who breaks into one account can't use it to get into all the rest.
Avoid using passwords known to be stolen
Hackers can easily feed previously stolen or otherwise exposed passwords into automated login attempts, called credential stuffing, to break into an account. If you want to check whether a password you're considering has already been exposed in a breach, go to Have I Been Pwned and enter the password. The site never receives the password itself: it is hashed in your browser and only the first five characters of the hash are sent.
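The "partial hash" lookup that Have I Been Pwned uses (and that Google's and Mozilla's checkers rely on in spirit) can be done from your own code. The Python example below is added here and is not code from Have I Been Pwned: it hashes the password locally with SHA-1, sends only the first five hex characters of the hash to the public range endpoint, and compares the remaining 35 characters against the returned list on your side, so the service learns neither the password nor its full hash. The `fetch_range` function performs a live request; the `CONSTRUCTED_RANGE_5BAA6` reply and its counts are made up so the rest of the example runs offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Hash the password locally; only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan the 'SUFFIX:COUNT' lines returned for a prefix and return the
    breach count for our suffix, or 0 if it is absent (or padded with count 0)."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix, timeout=10.0):
    """Live lookup over the network. The Add-Padding header asks the API to pad
    the reply so its size does not reveal how many real hashes share the prefix."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-password-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Number of times the password appeared in breaches; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the API's reply to /range/5BAA6 (the prefix for
# "password"). All counts, and every suffix except the second, are made up.
CONSTRUCTED_RANGE_5BAA6 = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
2B4D1F6A2C5E9F0A1B3C4D5E6F7A8B9C0D1:0
"""


def demo_offline():
    """Run the check against the constructed reply instead of the network.
    The fake fetch ignores the prefix, so the second password simply has no
    matching suffix in the list and comes back as 0."""
    fake_fetch = lambda prefix: CONSTRUCTED_RANGE_5BAA6
    return {
        "password": pwned_count("password", fetch=fake_fetch),
        "correct horse battery staple 2024": pwned_count(
            "correct horse battery staple 2024", fetch=fake_fetch),
    }


if __name__ == "__main__":
    print(demo_offline())
    # Live check (requires network): print(pwned_count("password"))
```

A non-zero count means the password is on the lists attackers feed into credential-stuffing tools and should not be used anywhere, even if it looks strong. A count of 0 only means it has not appeared in a known breach, not that it is a good password.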
No need to periodically reset your password
For years, changing your passwords every 60 or 90 days was standard practice, because, the thinking went, that was how long it took to crack a password.
But Microsoft now advises that unless you suspect your passwords have been exposed, you don't need to change them periodically. The reason? Many of us, when forced to change passwords every few months, fall into bad habits such as choosing easy-to-remember passwords or writing them on sticky notes stuck to our monitors.
Use two-factor authentication (2FA), but try to avoid text message codes
If hackers do steal your password, you can still keep them out of your account with two-factor authentication (also known as two-step verification or 2FA), a security safeguard that requires you to enter a second piece of information that only you have (typically a one-time code) before the app or service signs you in.
This way, even if a hacker does learn your password, without your trusted device (such as your phone) and the verification code that proves it's really you, they won't be able to get into your account.
While it's common and convenient to receive these codes by a call to your landline or a text message to your mobile phone, it's easy enough for a hacker to hijack your phone number through SIM swap fraud and then intercept your verification code.
A much safer way to get verification codes is to generate them yourself with an authenticator app like Google Authenticator, Authy or Microsoft Authenticator. And once you're set up, you can choose to register your device or browser so you don't have to keep confirming it every time you sign in.
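Authenticator apps generate their codes with the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226): the app and the service share a secret, and the code is a truncated HMAC of the current 30-second time slot. The Python example below is added here and is not from the article or from any authenticator app; it shows both sides of the exchange, the generator the app runs and the verifier the service runs, including the one-step clock-drift window a service usually allows and a constant-time comparison. The secret `12345678901234567890` and the expected codes are the RFC's own test vectors; the `otpauth` URI builder reproduces the format encoded in the QR code you scan during setup, and the issuer and account name in it are constructed.

```python
import base64
import hmac
import struct
import time
import urllib.parse


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP where the counter is the number of `step`-second slots
    since the Unix epoch. This is what the authenticator app computes."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits, algorithm)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Service side: accept the code for the current slot or up to `window`
    slots either side, to tolerate clock drift. Compares in constant time.
    A real service must also reject a code once it has been accepted."""
    t = int(time.time() if for_time is None else for_time)
    for drift in range(-window, window + 1):
        expected = hotp(secret, t // step + drift, digits)
        if hmac.compare_digest(expected, str(code)):
            return True
    return False


def decode_base32_secret(text):
    """Secrets are shown to users in Base32, often unpadded and with spaces."""
    cleaned = text.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def otpauth_uri(issuer, account, secret, digits=6, period=30):
    """The URI an authenticator app reads from the enrolment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": period,
    })
    return f"otpauth://totp/{label}?{query}"


RFC6238_SECRET = b"12345678901234567890"  # shared secret from the RFC test vectors

if __name__ == "__main__":
    # Constructed enrolment; the issuer and account are placeholders.
    print(otpauth_uri("ExampleBank", "alice@example.com", RFC6238_SECRET))
    print("app shows :", totp(RFC6238_SECRET, for_time=59, digits=8))   # 94287082 per RFC 6238
    print("accepted  :", verify_totp(RFC6238_SECRET, "94287082", for_time=59, digits=8))
    print("now       :", totp(RFC6238_SECRET))
```

Because the code is derived from a secret that never leaves the phone, there is no message for a SIM-swapper to intercept; the attacker would need the device itself. The flip side is that anyone who captures the shared secret (for example by photographing the setup QR code) can generate the same codes, so treat the enrolment secret like a password.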
When it comes to password security, being proactive is your best protection. That includes knowing whether your email addresses and passwords are on the dark web.