Tips for Better Passwords
In an era of botnets and data breaches, it's more important than ever to use strong passwords. Here's how to do that.
Given the number of online accounts the average person has these days, creating strong, unique passwords can be a lot of work.
That’s why many people give in to the temptation to use the same simple password again and again. And that puts you in the crosshairs of cybercriminals on the hunt for easy targets.
Tom Hickman, chief threat officer for the cybersecurity firm ThreatX, says passwords are much like the Acme bombs used by the immortal Looney Tunes character Wile E. Coyote—they’re always blowing up on you. So it’s important to do what you can to limit the damage.
Go Long and Complicated
“Password123” may be easy to remember, but it’s a disaster when it comes to security. Hackers like to go for the low-hanging fruit and try the obvious options first.
And despite years of warnings from security experts, “password,” or a slightly modified version of it, remains one of the most common passwords out there.
Ideally, a password should be composed of a long string of characters. The more characters, the harder the password will be to break. Think of at least a dozen. Try stringing them together using an easy-to-remember phrase: Thequickbrownfoxjumpsoverthelazydog. (Though it’s better to choose a phrase only you know.)
One common mistake many consumers make is using easy-to-guess words, says Tonia Dudley, strategic adviser at Cofense, which specializes in anti-phishing technology. While apps and sites are getting better at stopping people from using the passwords most frequently uncovered in data breaches, she says people still find ways to use variations of them.
And that warning now goes for your username, too. Many apps and websites no longer require you to use your email address. Picking something different makes things harder for attackers, she says.
On the flip side, experts now say that you don’t need to change your passwords on a regular basis. You’re more likely to set a good long password if you know you're going to use it for a while.
Needless to say, if it’s exposed in a data breach, you still need to change it immediately.
And don’t be tempted to weave in personal details like names and birthdays to make your password easier to remember. (Yes, that means your kids’ personal details, too.) Hackers routinely troll Facebook and Twitter for clues to passwords like those.
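The rules above (at least a dozen characters, no common passwords or their tweaked variants, no personal details) can be enforced in code before a password is accepted. The following checker is an added illustration, not from the article; the common-password list and leetspeak map are small constructed stand-ins for the breach-derived lists real sites use.

```python
import re

# Constructed stand-in for a breach-derived denylist of common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Substitutions people use to disguise a common word (P@ssw0rd, l3tm3in ...).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # the article's "at least a dozen" characters


def normalize(password: str) -> str:
    """Reduce a password to its base word so trivial variants hit the denylist.

    'Password123' and 'P@ssw0rd!' both normalize to 'password'.
    """
    base = password.lower()
    # Strip leading/trailing digits and punctuation first ('password123' -> 'password'),
    # then undo leetspeak; doing it in the other order would turn the '3' into 'e'.
    base = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base)
    return base.translate(LEET_MAP)


def check_password(password: str, personal_details=()) -> list:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = normalize(password)
    if base in COMMON_PASSWORDS:
        problems.append(f"variant of common password '{base}'")
    lowered = password.lower()
    # Names, birth years and the like that an attacker could scrape from social media.
    for detail in personal_details:
        d = str(detail).lower()
        if len(d) >= 4 and d in lowered:
            problems.append(f"contains personal detail '{detail}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123", "P@ssw0rd!", "Thequickbrownfoxjumpsoverthelazydog"):
        print(candidate, "->", check_password(candidate) or "ok")
```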
This same logic applies to smart home devices such as routers, webcams, TVs, toys, and even some high-end refrigerators. Many come with default passwords that should be changed the minute you take the product out of the box. There’s no easier password to hack than one you can find online or in a manual.
Even tech minimalists have myriad passwords to remember these days, for everything from bank accounts to Pinterest. But resist the temptation to reuse passwords on multiple accounts. You could fall victim to a credential-stuffing attack.
Caches of usernames and passwords are often what cybercriminals are looking for when they breach computer systems, Hickman says.
Those stolen passwords end up archived with billions of others in online databases, where they’re bought and sold by cybercriminals who feed them to botnets in hopes of cracking into accounts.
So while your online bank accounts might normally be tough to hack, it won’t matter if you used the same username and password for your favorite cooking website and it happens to get hacked.
If you find the thought of committing all those complicated passwords to memory intimidating, consider using a password manager. A service like that generates, retrieves, and provides top-of-the-line passwords for each of your accounts, using strong encryption to protect them. It will also make sure the website you think belongs to your bank actually does before you hand over your credentials. All you have to do is remember the one password you create for the service.
Some are free; others cost a few dollars per month. Need help choosing one? Check out Consumer Reports’ password manager ratings, which evaluate the privacy, security, and other features offered by each product.
And if that sounds too technical for you, that’s okay. As long as you’re not a high-profile person at risk of being targeted by hackers, there’s nothing wrong with writing down your passwords and keeping them in a safe place.
Just don’t go so far as to put them on a sticky note attached to your monitor.
Always Use 2FA
Two-factor authentication (2FA)—which requires you to, say, enter a multidigit code texted to a smartphone to log in to an account—has become a must.
Also called multifactor authentication, 2FA makes it a lot harder for hackers to access your account, even if they have the password.
It’s standard practice in business, and services such as Facebook, Google, and online banking sites offer it as an option, but you frequently have to turn it on. Yes, this will slow you down a bit, but 2FA is often enough to make hackers look for another target.
It’s getting easier to use, too. While most people are familiar with the texted-code version, you also can use smartphone apps, physical security keys that insert into a computer, or your smartphone itself to verify your identity.
Experts say that the best version of 2FA often hinges on a user’s needs. And no matter which option you choose, you’re much better off than if you rely on a password alone.
Passwords & Firmware 101
Online privacy and security are major issues facing a lot of people today. On the “Consumer 101” TV show, Consumer Reports expert Maria Rerecich explains why it’s not just phones and computers that people should be concerned about.