Happy World Password Day!

Given the countless online accounts the average person has these days, creating strong, unique passwords can be a lot of work. But security experts say it’s crucial that consumers resist the temptation to use the same simple password again and again.

“Never use the same password twice,” says Chester Wisniewski, a principal research scientist for the British cybersecurity firm Sophos. “That’s the goal. Don’t ever repeat them.”

He notes that credential-stuffing attacks, in which botnets slam online accounts with a series of stolen or generated usernames and passwords in hopes of taking over the account, are on the rise.

So what’s a consumer to do? Here are some more tips for how to create hard-to-crack passwords and keep your online accounts safe.

Go Long and Complicated

While “Password123” may be easy to remember, it’s a disaster when it comes to security. Hackers like to go for the low-hanging fruit and try the obvious options first.

And despite years of warnings from security experts, “Password,” or a slightly modified version of that word, remains one of the most common passwords out there. Boston-based cybersecurity company Rapid7 analyzed 130,000 passwords used by its clients and found that variations on the word “Password” accounted for just over 4,000 of the entries.

Ideally, a password should be composed of a long string (think at least a dozen) of seemingly random uppercase and lowercase letters, numbers, and symbols. One of the best and easiest things to do is to create a long password out of an easy-to-remember phrase, then throw in some special characters.

For example: “Th3Qu1ckBr0wnF0xJump$0verTh3LazyD0g.” Though it would be better to use a phrase that you make up yourself.

Don’t include your name, birthday, or references to other personal details (yes, that means your kids’ personal details, too). Hackers routinely troll Facebook and Twitter for clues to passwords like these.

This same logic applies to smart-home devices such as routers, webcams, TVs, toys, and even some high-end refrigerators. Many come with default passwords that should be changed the moment you take the product out of the box. There’s no easier password to hack than one you can find in a manual or online.

Don't Recycle

Even tech minimalists have countless passwords these days for everything from bank accounts to Pinterest. That’s a lot to remember, but resist the temptation to use the same password for multiple accounts or to recycle an old favorite.

As mentioned before, you could fall victim to a credential-stuffing attack. Akamai, a cybersecurity company with a focus on anti-bot technologies, says it recorded 30 billion such attacks in 2018.

Meanwhile, cyber criminals have no trouble finding the usernames and passwords needed to feed their bots. Earlier this year, researchers discovered a treasure trove of more than 2.2 billion stolen email addresses and passwords posted online.

The data didn’t appear to stem from a massive new data breach. It was more likely an aggregation of consumer information stolen over the years from companies such as Dropbox, LinkedIn, and Yahoo.

So if your login credentials for your favorite blog get swiped, it could threaten your online banking account if you used the same email and password for both.
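From the defender's side, the botnet behaviour described above (one source replaying stolen username/password pairs against many accounts) leaves a distinctive trace in a login log: a single IP trying many different usernames in a short window, with a few successes mixed into the failures. The example below is added here and is not code from Akamai or Consumer Reports; the log format, the threshold values and the log lines themselves are constructed samples using documentation IP ranges.

```python
"""Spot credential stuffing in a login log: one source, many distinct
usernames, within a short window. A legitimate user who forgot a password
retries the same username and is not flagged."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system).
SAMPLE_LOG = """\
2019-05-02T10:00:01 ip=203.0.113.5 user=alice result=FAIL
2019-05-02T10:00:02 ip=203.0.113.5 user=bob result=FAIL
2019-05-02T10:00:02 ip=203.0.113.5 user=carol result=FAIL
2019-05-02T10:00:03 ip=203.0.113.5 user=dave result=OK
2019-05-02T10:00:03 ip=203.0.113.5 user=erin result=FAIL
2019-05-02T10:00:04 ip=203.0.113.5 user=frank result=FAIL
2019-05-02T10:00:10 ip=198.51.100.7 user=grace result=FAIL
2019-05-02T10:00:40 ip=198.51.100.7 user=grace result=FAIL
2019-05-02T10:01:05 ip=198.51.100.7 user=grace result=OK
"""

LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")


def parse(log: str):
    """Yield (timestamp, ip, user, result) for every well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log: str, window=timedelta(minutes=5), min_users=5) -> dict:
    """Flag source IPs that tried at least `min_users` distinct accounts
    within `window`. Also list which attempts from that source succeeded:
    those are the accounts most likely to have been taken over."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse(log)):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        for i, (start, _, _) in enumerate(attempts):  # sliding window
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                flagged[ip] = {"users": sorted(users),
                               "succeeded": sorted(u for _, u, r in in_window
                                                   if r == "OK")}
                break
    return flagged
```

With the sample log, 203.0.113.5 is flagged with six usernames in four seconds and "dave" listed as a successful login worth forcing a password reset on, while 198.51.100.7 is a single user retrying.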

If the thought of remembering so many complicated passwords is intimidating, consider using a password manager, Wisniewski says. Some are free; others cost a few dollars per month.

Services like these generate, retrieve, and provide top-of-the-line passwords for each of your accounts, using super-strong encryption to protect them. They’ll also make sure the site you think belongs to your bank actually does, before you hand over your credentials. All you have to do is remember the one password you create for that service.

And, if that’s too technical for you, that’s okay, Wisniewski says. Unless you’re a high-profile person particularly at risk for being targeted by hackers, there’s nothing wrong with writing down your passwords and keeping them in a safe place.

Always Use 2FA

Two-factor authentication (2FA)—which requires you to enter a second form of identification, such as a multidigit code texted to a smartphone, to log into an online account—has become a must.

And the word is getting out. In a nationally representative survey of 1,012 adults conducted in 2016, Consumer Reports found that 62 percent of Americans use 2FA.

Also called multifactor authentication, 2FA makes it a lot harder for hackers to access your account, even if they have the password.

It’s standard practice in business, and services such as Facebook, Google, and online banking sites offer it as an option, but you frequently have to turn it on. Yes, this will slow you down a bit, but often, 2FA is enough to make hackers look for another target.

It’s also getting easier to use. While most people are familiar with the texted-code version, you also can use smartphone apps, physical security keys that insert into a computer, or your smartphone itself to verify your identity.

Experts say that the best version of 2FA often hinges on a user’s needs. And no matter which option you choose, you’re much better off than if you rely on a password alone.

Embrace Change

Did you just toss your toothbrush? Maybe it’s time to change your passwords, too.

The longer a password hangs around, the more likely it has been stolen or deciphered by a hacker. And if a company announces that it has been hacked and credentials have been stolen, change your password right away, even if it appears your account wasn’t affected. It often takes time for those investigating a hack to determine exactly how bad the fallout is, and breaches are often worse than they first appear.

It’s also wise to periodically clean out your digital closets, just like the physical ones in your home. Have an AOL email address you don’t use anymore? A Myspace account? Close them out so that you don’t have to worry about them getting hacked.

Don't Be Too Social

Be careful what you share and who you share it with.

This lesson was driven home by the revelation that about 87 million Facebook users had their profile information and “likes” harvested—without permission—by researchers using a third-party quiz app.

If you’re going to post personal details about yourself or your family, make sure your accounts are locked down and change your privacy settings to restrict your posts to real-life “friends.” Consumer Reports shared tips for protecting your kids’ personal information in a previous article, but here’s the short version: The entire world doesn’t need to know where they go to school and when they celebrate their birthdays.

And keep in mind that even if you think you have your account locked down, nothing shared on social media is ever truly private. So think before you trade your privacy to play a Facebook game or take part in what looks like a harmless quiz.

Passwords & Firmware 101

Online privacy and security are huge issues facing a lot of people today. On the "Consumer 101" TV show, Consumer Reports expert Maria Rerecich explains why it's not just phones and computers that people should be concerned about.