Tips for Better Passwords
In an era of botnets and data breaches, it's more important than ever to use strong passwords. Here's how to do that.
Given the number of online accounts the average person has these days, creating strong, unique passwords can be a lot of work.
That’s why many people give in to the temptation to use the same simple password again and again. And that puts you in the crosshairs of cybercriminals on the hunt for easy targets.
Once a login name and password are exposed in a data breach, criminals take that same combination and try it, automatically and at scale, on other sites where you might have reused it, in an attack called credential stuffing.
Go Long and Complicated
“Password123” may be easy to remember, but it’s a disaster when it comes to security. Attackers like to go for the low-hanging fruit and try the obvious options first. And despite years of warnings from security experts, “password,” or a slightly modified version of it, remains one of the most common passwords out there.
Ideally, a password should be a long string of characters; the longer it is, the harder it is to break. Use at least 16 characters. Try stringing them together using a phrase only you know, such as a nonsense sentence that calls up a vivid image in your mind. You can even generate a string of random words in your password manager and write a sentence based on it. For this article, I generated a series of random words in my password manager, which were “uptake paring neighbor degrade overcoat subtlety tongue teredo exert ukulele.” I could write a sentence to use as a passphrase including some of these words, such as “My neighbor wore an overcoat while playing the ukulele.” Using the random words exactly as generated is stronger than a sentence built from a few of them, but a long sentence you can actually remember is still far better than a short password.
One common mistake many consumers make is using easy-to-guess words. While apps and sites are getting better at stopping people from using the passwords most frequently uncovered in data breaches, people still find ways to use variations of them.
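To make the two pieces of advice above concrete, here is an added example (not code from the original article) that generates a random-word passphrase the way a password manager does, estimates how much entropy the words carry, and then checks a candidate password against the rules in this section: at least 16 characters, and not a common password or a leet-speak or trailing-digit variation of one. The word list and the set of common passwords are constructed, deliberately tiny stand-ins; a real passphrase generator uses a list of several thousand words and a real checker compares against a breached-password corpus.

```python
import math
import re
import secrets

# Constructed word list for illustration only. A real list such as the 7,776-word EFF
# diceware list gives ~12.9 bits of entropy per word; this 24-word list gives only ~4.6.
WORDS = [
    "uptake", "paring", "neighbor", "degrade", "overcoat", "subtlety",
    "tongue", "teredo", "exert", "ukulele", "lantern", "gravel",
    "marble", "quiver", "saddle", "thicket", "velvet", "walnut",
    "yonder", "zephyr", "anchor", "bramble", "cobalt", "dapple",
]


def generate_passphrase(n_words: int = 6, wordlist=WORDS, sep: str = " ") -> str:
    """Pick words with the CSPRNG in `secrets`, never `random`, whose output is predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n independent uniform picks. Valid only for the words as generated;
    a sentence you compose from a few of them is far less random than this number suggests."""
    return n_words * math.log2(wordlist_size)


# A handful of entries standing in for a real breached-password list (hundreds of millions long).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou", "monkey"}

# Undo the substitutions people use to sneak a banned word past a filter ("P@ssw0rd123!").
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, then reverse leet substitutions."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def check_password(password: str, min_len: int = 16) -> list:
    """Return the problems found; an empty list means the password passes these checks."""
    problems = []
    if len(password) < min_len:
        problems.append(f"too short: {len(password)} < {min_len} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("a common password or a trivial variation of one")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(f"{passphrase_entropy_bits(6, len(WORDS)):.1f} bits from this toy list, "
          f"{passphrase_entropy_bits(6, 7776):.1f} bits from a 7,776-word list")
    for candidate in ("Password123", "P@ssw0rd123!", phrase,
                      "My neighbor wore an overcoat while playing the ukulele."):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

The normalization step is what catches the "variations" the paragraph above describes: "P@ssw0rd123!" satisfies most complexity rules yet collapses to "password", and a checker that compares only the raw string would wave it through.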
On the flip side, experts now say that you don’t need to change your passwords on a regular basis; forced rotation tends to produce weaker, predictable variations of the old password. However, if a password is exposed in a data breach, change it immediately, on that site and on any other account where you used it.
And don’t be tempted to weave in personal details like names and birthdays to make your password easier to remember. That could make it much easier for someone you know to guess your password.
It’s even easier to “guess” default passwords that come with some smart home devices, such as routers, webcams, TVs, toys, and even some high-end refrigerators. If you do buy a product with a default password, make sure to change it the minute you take the product out of the box. There’s no easier password to hack than one a criminal can find online or in a manual.
Even tech minimalists have myriad passwords to remember these days, for everything from bank accounts to Pinterest. But resist the temptation to reuse passwords on multiple accounts. You could fall victim to a credential-stuffing attack, as noted above.
Caches of usernames and passwords are often what cybercriminals are looking for when they breach computer systems.
Those stolen passwords end up archived with billions of others in online databases, where they’re bought and sold by cybercriminals who feed them to botnets that try them against login pages at scale.
So while your online bank accounts might normally be tough to hack, it won’t matter if you used the same username and password for your favorite cooking website and it happens to get hacked.
If you find the thought of committing all those complicated passwords to memory intimidating, consider using a password manager. It generates a long random password for each of your accounts, stores them all under strong encryption, and fills them in when you log in. Because it only fills a password on the exact website address it was saved for, it also helps protect you from look-alike phishing sites: if the site you’re on isn’t really your bank’s, it won’t offer your bank password. A password manager isn’t hard to set up. All you have to do is remember the one strong master password you create for the service, and turn on MFA for the manager itself if it offers it.
Some are free; others cost a few dollars per month. Need help choosing one? Check out Consumer Reports’ password manager ratings, which evaluate the privacy, security, and other features offered by each product.
But if a password manager still sounds too technical for you, that’s okay. As long as you’re not a high-profile person at risk of being targeted by hackers, there’s nothing wrong with writing down your passwords and keeping them in a safe place—just have a unique password for each account.
And don’t go so far as to put it on a sticky note attached to your monitor.
Always Use MFA
Multifactor authentication (MFA), which requires you to prove your identity a second way when you log in, say by entering a six-digit, time-limited code from an app like Authy or Google Authenticator, has become a must for protecting your online accounts.
Often called two-factor authentication (2FA) when exactly two factors are used, MFA makes it a lot harder for hackers to access your account even if they have the password, because they also need something you have, such as your phone or a security key.
It’s standard practice in business, and services such as Facebook, Google, and online banking sites offer it as an option, but you frequently have to turn it on. Yes, this will slow you down a bit, but MFA is often enough to make hackers look for another target.
It’s getting easier to use, too. Most people are familiar with the version where a code is texted to you or generated by an app on your phone. You can also use physical security keys that plug into a computer or phone, or the phone itself, to verify your identity.
Apps and physical security keys are safer than SMS-based MFA, since text messages can be intercepted or redirected by a SIM-swap attack, and security keys also resist phishing because they only work on the genuine site. But no matter which option you choose, you’re better off than if you rely on a password alone.