Tips for Better Passwords

In an era of botnets and data breaches, it's more important than ever to use strong passwords. Here's how to do that.

person with phone and computer cybersecurity guvendemir

Given the number of online accounts the average person has these days, creating strong, unique passwords can be a lot of work.

That’s why many people give in to the temptation to use the same simple password again and again. And that puts you in the crosshairs of cybercriminals on the hunt for easy targets.

Tom Hickman, chief threat officer for the cybersecurity firm ThreatX, says passwords are much like the Acme bombs used by the immortal Looney Tunes character Wile E. Coyote—they’re always blowing up on you. So it’s important to do what you can to limit the damage.

More on Data Security & Privacy

“By making your password complex—harder to crack—you are extending the length of the fuse on the Acme bomb,” Hickman says. “Then by making your passwords unique, you’re limiting the blast radius in the event that the bomb actually explodes.”

And while a lot of consumers might not be great at setting passwords, they still are worried about them. According to an Ipsos survey conducted on behalf of Google in December, just 46 percent of Americans feel confident about the security of their online accounts. Google says searches for “password strength test” tripled last year.

So what’s a consumer to do? Here are some tips to help you create hard-to-crack passwords and keep your online accounts safe.

Go Long and Complicated

“Password123” may be easy to remember, but it’s a disaster when it comes to security. Hackers like to go for the low-hanging fruit and try the obvious options first.

And despite years of warnings from security experts, “password,” or a slightly modified version of it, remains one of the most common passwords out there.

Ideally, a password should be composed of a long string of characters. The more characters, the harder the password will be to break. Think of at least a dozen. Try stringing them together using an easy-to-remember phrase: Thequickbrownfoxjumpsoverthelazydog. (Though it’s better to choose a phrase only you know.)

One common mistake many consumers make is using easy-to-guess words, says Tonia Dudley, strategic adviser at Cofense, which specializes in anti-phishing technology. While apps and sites are getting better at stopping people from using the passwords most frequently uncovered in data breaches, she says people still find ways to use variations of them.

And that warning now goes for your username, too. Many apps and websites no longer require you to use your email address. Picking something different makes things harder for attackers, she says.

On the flip side, experts now say that you don’t need to change your passwords on a regular basis. You’re more likely to set a good long password if you know you're going to use it for a while.

Needless to say, if it’s exposed in a data breach, you still need to change it immediately.

And don’t be tempted to weave in personal details like names and birthdays to make your password easier to remember. (Yes, that means your kids’ personal details, too.) Hackers routinely troll Facebook and Twitter for clues to passwords like those.

This same logic applies to smart home devices such as routers, webcams, TVs, toys, and even some high-end refrigerators. Many come with default passwords that should be changed the minute you take the product out of the box. There’s no easier password to hack than one you can find online or in a manual.

Don't Recycle

Even tech minimalists have myriad passwords to remember these days, for everything from bank accounts to Pinterest. But resist the temptation to reuse passwords on multiple accounts. You could fall victim to a credential-stuffing attack.

Caches of usernames and passwords are often what cybercriminals are looking for when they breach computer systems, Hickman says.

Those stolen passwords end up archived with billions of others in online databases, where they’re bought and sold by cybercriminals who feed them to botnets in hopes of cracking into accounts.

So while your online bank accounts might normally be tough to hack, it won’t matter if you used the same username and password for your favorite cooking website and it happens to get hacked.

If you find the thought of committing all those complicated passwords to memory intimidating, consider using a password manager. A service like that generates, retrieves, and provides top-of-the-line passwords for each of your accounts, using strong encryption to protect them. It will also make sure the website you think belongs to your bank actually does before you hand over your credentials. All you have to do is remember the one password you create for the service.

Some are free; others cost a few dollars per month. Need help choosing one? Check out Consumer Reports’ password manager ratings, which evaluate the privacy, security, and other features offered by each product.

And if that sounds too technical for you, that’s okay. As long as you’re not a high-profile person at risk of being targeted by hackers, there’s nothing wrong with writing down your passwords and keeping them in a safe place.

Just don’t go so far as to put it on a sticky note attached to your monitor.

Always Use 2FA

Two-factor authentication (2FA)—which requires you to, say, enter a multidigit code texted to a smartphone to log in to an account—has become a must.

Also called multifactor authentication, 2FA makes it a lot harder for hackers to access your account, even if they have the password.

It’s standard practice in business, and services such as Facebook, Google, and online banking sites offer it as an option, but you frequently have to turn it on. Yes, this will slow you down a bit, but 2FA is often enough to make hackers look for another target.

It’s getting easier to use, too. While most people are familiar with the texted-code version, you also can use smartphone apps, physical security keys that insert into a computer, or your smartphone itself to verify your identity.

Experts say that the best version of 2FA often hinges on a user’s needs. And no matter which option you choose, you’re much better off than if you rely on a password alone.

Don't Be Too Social

Be careful what you share and who you share it with.

If you’re going to post personal details about yourself or your family, make sure your accounts are locked down, and change your privacy settings to restrict your posts to real-life “friends.” Consumer Reports shared tips for protecting your kids’ personal information in a previous article, but here’s the short version: The entire world doesn’t need to know where they go to school and when they celebrate their birthday.

And keep in mind that even if you think you have your account locked down, nothing shared on social media is ever truly private. So think before you trade your privacy to play a Facebook game or take part in a what looks like a harmless quiz.

Passwords & Firmware 101

Online privacy and security are major issues facing a lot of people today. On the “Consumer 101” TV show, Consumer Reports expert Maria Rerecich explains why it’s not just phones and computers that people should be concerned about.

Bree Fowler

Bree Fowler

I write about all things "cyber" and your right to privacy. Before joining Consumer Reports, I spent 16 years reporting for The Associated Press. What I enjoy: cooking and learning to code with my kids. I've lived in the Bronx for more than a decade, but as a proud Michigan native, I will always be a die-hard Detroit Tigers fan no matter how much my family and I get harassed at Yankee Stadium. Follow me on Twitter (@BreeJFowler).