Happy World Password Day!

Given the number of online accounts the average person has these days, creating strong, unique passwords can be a lot of work.

That’s why many people give in to the temptation to use the same simple password again and again. And that puts them in the crosshairs of cybercriminals on the hunt for easy targets.

“There’s a case to be made that this is the single largest problem in all of data security,” says Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. “A good attacker won’t hack in; they’ll log in.”

While many people seem to be getting that message, they’re not following the advice.

LastPass by LogMeIn recently polled 3,250 people in the U.S., Australia, Singapore, Germany, Brazil, and the U.K. about their password habits. While 91 percent of those surveyed said they knew that using the same password for multiple accounts was a security risk, 66 percent said they did so "mostly" or "always."

So what’s a consumer to do? Here are some tips to help you create hard-to-crack passwords and keep your online accounts safe.

Go Long and Complicated

“Password123” may be easy to remember, but it’s a disaster when it comes to security. Hackers like to go for the low-hanging fruit and try the obvious options first.

And despite years of warnings from security experts, “password,” or a slightly modified version of it, remains one of the most common passwords out there.

Ideally, a password should be composed of a long string of characters. Think of at least a dozen. Try stringing them together using an easy-to-remember phrase: Thequickbrownfoxjumpsoverthelazydog. (Though it's better to choose a phrase only you know.)

The more characters, the harder the password will be to break, Kalember says. And while many online accounts still require you to use one or two capitalized letters, numbers, or punctuation marks, that's not really necessary if your password is long enough, he adds.

Contrary to conventional wisdom, experts now say that you don't need to change your passwords on a regular basis, either. You're more likely to set a good long password if you know you're going to use it for a while, Kalember says. Needless to say, if your password is revealed in a data breach, change it.

Don’t include your name, birthday, or references to other personal details. (Yes, that means your kids’ personal details, too.) Hackers routinely troll Facebook and Twitter for clues to passwords like those.

This same logic applies to smart home devices such as routers, webcams, TVs, toys, and even some high-end refrigerators. Many come with default passwords that should be changed the minute you take the product out of the box. There’s no easier password to hack than one you can find online or in a manual.

Don't Recycle

Even tech minimalists have myriad passwords to remember these days, for everything from bank accounts to Pinterest. But resist the temptation to reuse passwords on multiple accounts. You could fall victim to a credential-stuffing attack.

Billions of stolen passwords are archived in online databases, where they're bought and sold by cybercriminals who feed them to botnets in hopes of cracking into accounts. 

So if the log-in credentials for your favorite blog are swiped, it could threaten your online banking account when you use the same email and password for both.

If you find the thought of committing all those complicated passwords to memory intimidating, consider using a password manager. A service like that generates, retrieves, and provides top-of-the-line passwords for each of your accounts, using strong encryption to protect them. It will also make sure the website you think belongs to your bank actually does before you hand over your credentials. All you have to do is remember the one password you create for the service.

Some are free; others cost a few dollars per month. Need help choosing one? We recently posted Consumer Reports' first-ever password manager ratings, which evaluate the privacy, security, and other features offered by each product.  

And if that sounds too technical for you, that’s okay. As long as you’re not a high-profile person at risk of being targeted by hackers, there’s nothing wrong with writing down your passwords and keeping them in a safe place.

Always Use 2FA

Two-factor authentication (2FA)—which requires you to, say, enter a multidigit code texted to a smartphone to log in to an account—has become a must.

Also called multifactor authentication, 2FA makes it a lot harder for hackers to access your account, even if they have the password.

It’s standard practice in business, and services such as Facebook, Google, and online banking sites offer it as an option, but you frequently have to turn it on. Yes, this will slow you down a bit, but 2FA is often enough to make hackers look for another target.

It’s getting easier to use, too. While most people are familiar with the texted-code version, you also can use smartphone apps, physical security keys that insert into a computer, or your smartphone itself to verify your identity.

Experts say that the best version of 2FA often hinges on a user’s needs. And no matter which option you choose, you’re much better off than if you rely on a password alone.

Don't Be Too Social

Be careful what you share and who you share it with.

This lesson was driven home in recent years by the revelation that about 87 million Facebook users had their profile information and “likes” harvested—without permission—by researchers using a third-party quiz app. 

If you’re going to post personal details about yourself or your family, make sure your accounts are locked down, and change your privacy settings to restrict your posts to real-life “friends.” Consumer Reports shared tips for protecting your kids' personal information in a previous article, but here’s the short version: The entire world doesn’t need to know where they go to school and when they celebrate their birthday.

And keep in mind that even if you think you have your account locked down, nothing shared on social media is ever truly private. So think before you trade your privacy to play a Facebook game or take part in what looks like a harmless quiz.

Passwords & Firmware 101

Online privacy and security are major issues facing a lot of people today. On the "Consumer 101" TV show, Consumer Reports expert Maria Rerecich explains why it's not just phones and computers that people should be concerned about.