Tips for Better Passwords

In an era of botnets and data breaches, it's more important than ever to use strong passwords. Here's how to do that.

Given the number of online accounts the average person has these days, creating strong, unique passwords can be a lot of work.

That’s why many people give in to the temptation to use the same simple password again and again. And that puts you in the crosshairs of cybercriminals on the hunt for easy targets.

That’s because once a login name and password are exposed in a data breach, criminals will try that same combination many more times across the web, in a kind of attack called credential stuffing.

And many people don’t stop using passwords after they get stolen, according to research conducted by SpyCloud, an account takeover and fraud prevention company.

The company looked at 1.7 billion exposed credential pairs—combinations of usernames and passwords or email addresses and passwords—that came from 755 data breach sources in 2021. Researchers found that 64 percent of consumers who had more than one password exposed that year were reusing those passwords across multiple accounts. And 70 percent of people who had passwords exposed in 2021 or in earlier years were still using the same credential pairs.

Tom Hickman, chief product officer for the cybersecurity firm ThreatX, says passwords are much like the Acme bombs used by the immortal Looney Tunes character Wile E. Coyote—they’re always blowing up on you. So it’s important to do what you can to limit the damage.

“By making your password complex—harder to crack—you are extending the length of the fuse on the Acme bomb,” Hickman says. “Then by making your passwords unique, you’re limiting the blast radius in the event that the bomb actually explodes.”

So what’s a consumer to do? Here are some tips to help you create hard-to-crack passwords and keep your online accounts safe.

Go Long and Complicated

“Password123” may be easy to remember, but it’s a disaster when it comes to security. Attackers like to go for the low-hanging fruit and try the obvious options first. And despite years of warnings from security experts, “password,” or a slightly modified version of it, remains one of the most common passwords out there.

Ideally, a password should be composed of a long string of characters. The more characters, the harder the password will be to break. Use at least 16 characters. Try stringing them together using a phrase only you know, such as a nonsense sentence that calls up a vivid image in your mind. You can even generate a string of random words in your password manager and write a sentence based on it. For this article, I generated a series of random words in my password manager, which were “uptake paring neighbor degrade overcoat subtlety tongue teredo exert ukulele.” I could write a sentence to use as a passphrase including some of these words, such as “My neighbor wore an overcoat while playing the ukulele.” 

One common mistake many consumers make is using easy-to-guess words. While apps and sites are getting better at stopping people from using the passwords most frequently uncovered in data breaches, people still find ways to use variations of them.

On the flip side, experts now say that you don’t need to change your passwords on a regular basis. However, if a password is exposed in a data breach, you need to change it immediately.

And don’t be tempted to weave in personal details like names and birthdays to make your password easier to remember. That could make it much easier for someone you know to guess your password. 
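The checks described in this section (a 16-character minimum, no variations of commonly breached passwords, no personal details) can be expressed as a signup-time filter. The following is an added example, not code from the article or from any product it mentions; the word list, the substitution map, and the function names are constructed for illustration.

```python
import re

# Constructed sample of breach-common base words (assumption); a real check
# would load a full list of passwords seen in breaches.
COMMON_BASES = {"password", "qwerty", "letmein", "welcome", "iloveyou"}
# Lossy map that undoes common character swaps: "p@ssw0rd" -> "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
EDGE_PADDING = "0123456789!@#$%^&*?._- "  # digits/symbols tacked onto the ends
MIN_LENGTH = 16  # the article's recommended minimum


def normalize(candidate):
    """Reduce a candidate to the bare word(s) it is built from."""
    trimmed = candidate.lower().strip(EDGE_PADDING)
    return re.sub(r"[^a-z]", "", trimmed.translate(LEET))


def personal_tokens(details):
    """Split names and dates into lowercase tokens of 4+ characters."""
    tokens = set()
    for detail in details:
        tokens.update(t for t in re.split(r"[^a-z0-9]+", detail.lower())
                      if len(t) >= 4)
    return tokens


def check_password(candidate, personal_details=()):
    """Return reasons to reject the candidate; an empty list means accept."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    core = normalize(candidate)
    # A common word that is repeated or padded is still that common word.
    if core and any(core.replace(base, "") == "" for base in COMMON_BASES):
        problems.append("common_variation")
    lowered = candidate.lower()
    if any(token in lowered for token in personal_tokens(personal_details)):
        problems.append("personal_detail")
    return problems


if __name__ == "__main__":
    for pw in ("Password123", "P@ssw0rdP@ssw0rd!!",
               "My neighbor wore an overcoat while playing the ukulele."):
        print(repr(pw), check_password(pw))
```

Note that the doubled, symbol-swapped “password” passes the length test and is rejected only by the variation check, which is why length alone is not enough.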

It’s even easier to “guess” default passwords that come with some smart home devices, such as routers, webcams, TVs, toys, and even some high-end refrigerators. If you do buy a product with a default password, make sure to change it the minute you take the product out of the box. There’s no easier password to hack than one a criminal can find online or in a manual.

Don't Recycle

Even tech minimalists have myriad passwords to remember these days, for everything from bank accounts to Pinterest. But resist the temptation to reuse passwords on multiple accounts. You could fall victim to a credential-stuffing attack, as noted above.

Caches of usernames and passwords are often what cybercriminals are looking for when they breach computer systems.

Those stolen passwords end up archived with billions of others in online databases, where they’re bought and sold by cybercriminals who feed them to botnets in hopes of cracking into accounts.

So while your online bank accounts might normally be tough to hack, it won’t matter if you used the same username and password for your favorite cooking website and it happens to get hacked.

If you find the thought of committing all those complicated passwords to memory intimidating, consider using a password manager. A service like that generates, retrieves, and provides top-of-the-line passwords for each of your accounts, using strong encryption to protect them. It will also make sure the website you think belongs to your bank actually does before you hand over your credentials. A password manager isn’t hard to set up. All you have to do is remember the one password you create for the service.

Some are free; others cost a few dollars per month. Need help choosing one? Check out Consumer Reports’ password manager ratings, which evaluate the privacy, security, and other features offered by each product.

But if a password manager still sounds too technical for you, that’s okay. As long as you’re not a high-profile person at risk of being targeted by hackers, there’s nothing wrong with writing down your passwords and keeping them in a safe place—just have a unique password for each account.

And don’t go so far as to put them on a sticky note attached to your monitor.

Always Use MFA

Multifactor authentication (MFA)—which requires you to, say, enter a multi-digit code from an app like Authy or Google Authenticator to log in to an account—has become a must for protecting your online accounts.

Also called two-factor authentication, MFA makes it a lot harder for hackers to access your account, even if they have the password.

It’s standard practice in business, and services such as Facebook, Google, and online banking sites offer it as an option, but you frequently have to turn it on. Yes, this will slow you down a bit, but MFA is often enough to make hackers look for another target.

It’s getting easier to use, too. Most people are familiar with the version where a code is texted to you, or with smartphone apps. You can also use physical security keys that are inserted into a computer or your smartphone itself to verify your identity.

Apps and physical security keys are safer than SMS-based MFA, but no matter which option you choose, you’re better off than if you rely on a password alone.
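Authenticator apps of the kind named above produce time-based one-time codes (TOTP, RFC 6238) from a secret shared with the service at enrollment, which is why a stolen password alone does not get an attacker in. The following is an added example, not code from the article or from any of those apps; it shows both the code generation and the server-side check, using the test secret published in RFC 6238.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 6238; never a real account secret.
TEST_SECRET = b"12345678901234567890"


def totp(secret, unix_time, step=30, digits=6):
    """Compute the code for the time window that contains unix_time."""
    counter = struct.pack(">Q", max(unix_time, 0) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, unix_time, step=30, drift_steps=1):
    """Accept the code for the current window or one window either side."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + delta * step, step)
        # compare_digest avoids leaking how many digits matched.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    code = totp(TEST_SECRET, 59)
    print("code at t=59:", code)
    print("accepted 30 s later:", verify(TEST_SECRET, code, 89))
    print("accepted 90 s later:", verify(TEST_SECRET, code, 149))
```

A code captured by someone else stops working once its window and the allowed clock drift have passed, so it has to be used almost immediately to be of any value.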

Don't Be Too Social

Be careful what you share and who you share it with.

If you’re going to post personal details about yourself or your family, make sure your accounts are locked down, and change your privacy settings to restrict your posts to real-life “friends.” The entire world doesn’t need to know where your children go to school and when they celebrate their birthday. That’s a privacy issue, too. When they’re older, your kids may wish you hadn’t shared their childhood photos and cute things they said with the internet.

And keep in mind that even if you think you have your account locked down, nothing shared on social media is ever truly private. So think before you post your specific location, get in a flame war in your neighborhood Facebook group, or spill your guts to the stranger who just started messaging you.


Yael Grauer

I am an investigative tech reporter covering digital privacy and security. I'm the lead content creator of CR Security Planner, a free, easy-to-use guide to staying safer online. Prior to Consumer Reports, I covered surveillance, online privacy and security, data brokers, dark patterns, clandestine trackers, security vulnerabilities, VPNs, hacking, and digital freedom for Wired, Vice, The Intercept, Slate, Ars Technica, OneZero, Wirecutter, Business Insider, Popular Science, and other publications. Follow me on Twitter (@yaelwrites)