5 password mistakes you can't afford to make

There's a joke going around the Internet that says, "I changed my password to 'incorrect,' so whenever I forget it the computer will say, 'Your password is incorrect.'"

It's a funny idea, but passwords are actually a serious matter. They're often the only thing standing between a snoop and your information or money.

Today we're going to go over the most common password mistakes you can make, so you’ll know what not to do. I'll also share some easy ways to make creating and keeping track of passwords less annoying.

1. Too short

A decade ago, a five- or six-character password was considered adequate. Since then, graphics cards have turned password cracking into a mass-production job: against a stolen database of fast hashes (MD5, SHA-1 or Windows NTLM), a single modern GPU tests billions of guesses per second and runs through every possible six-character password in minutes, whatever mix of letters, numbers and symbols it uses. (A login page normally throttles guesses, so the real danger is this kind of offline attack after a breach.) Every character you add multiplies the attacker's work, which is why length is the first thing to get right.

When you're making new passwords, eight characters should be the absolute minimum, and 10 to 12 characters is recommended. For super important accounts, such as your banking account, a 14- to 16-character password isn't a bad idea. My I.T. staff uses 30-character passwords for the important systems.

2. Too simple

Even a 12-character password isn't going to do much good if it's something as simple as "123456789012" or "abcdefghijkl." Cracking tools try sequences and keyboard walks like that before anything else.

Even a common phrase like "maytheforcebewithyou" is something hackers look for right off the bat. They use dictionaries built from real leaked passwords, millions of entries plus their common variations, and a home computer runs through such a list in minutes or even seconds. In fact, check out the recent list of the most common passwords to make sure you haven't used any of them.

A mix of uppercase and lowercase letters, numbers and symbols helps, but only if the result is unpredictable. You can't get away with simple substitutions like "Mayth3F0rc3Bw!thU!": cracking tools apply "mangling rules" to every dictionary word automatically, swapping a for @, e for 3, capitalizing the first letter and tacking digits or a "!" on the end, so those tricks cost the attacker almost nothing. Length counts for more than the character mix: 16 random lowercase letters give a far bigger search space than eight characters drawn from the whole keyboard.

Your password needs to be practically unpredictable. But instead of just randomly hitting the keys, try a method that makes the password easier to remember. Start by thinking up a sentence, a catch phrase, a quote or a song lyric like "Tramps like us, baby we were born to run." Pick something personal and obscure rather than a famous opening line: well-known lyrics and quotes are public, and attackers can build acronym lists from them too.

Take the first character from each word to get "tlu,bwwbtr." Add some symbols in place of similar letters, so "u" becomes |_|, and the "to" from the original lyric becomes 2. Then capitalize a few letters to make a strong password that's easier to remember than a random password: "Tl|_|,BwwB2R."

When you have dozens of passwords, though, remembering them – even with this method – will be a problem. That's why you need to keep the next two mistakes in mind.

3. Not unique

As passwords get longer and more complex, it's tempting to use the same password for every account so you have to remember only one. Unfortunately, if you do this and hackers get hold of your password for one account, say in a data breach, they can log in to all your accounts. This is routine, not theoretical: attackers feed leaked email-and-password pairs into other sites' login pages automatically (the technique is called credential stuffing), so a breach at some minor forum can cost you your email or your bank account.

You need to create unique passwords for every account you have. Of course, that makes it really hard to remember your passwords, which leads to mistake number 4.
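The practical check that goes with this section is whether a password you already use has shown up in a breach. The Pwned Passwords service lets you ask that without sending the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that bucket with a count, and does the comparison locally (the k-anonymity range API documented at https://haveibeenpwned.com/API/v3#PwnedPasswords). The code below is an added example, not from the column or from the service; the common-password list and the "server response" are constructed so that it runs offline, and the count it returns for "password" is made up for the demo. The live fetch function is included for real use but is not called here.

```python
import hashlib
import urllib.request

# Constructed list of passwords that top every "most common" ranking.
COMMON = {"123456", "password", "12345678", "qwerty", "abc123", "111111",
          "letmein", "iloveyou", "123456789012", "abcdefghijkl"}


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Real network call to the range endpoint (not used in the offline demo).
    Only the 5-character hash prefix leaves your machine."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "password-check-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_live):
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def assess(password, fetch_range=fetch_range_live):
    """Combine the local common-list check with the breach lookup."""
    return {
        "too_short": len(password) < 8,
        "in_common_list": password.lower() in COMMON,
        "breach_count": breach_count(password, fetch_range),
    }


# Constructed stand-in for the server so the demo runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so it lives
# in the bucket for prefix 5BAA6; the neighbouring suffixes and all counts
# are made up for the demo.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "ABCDEF0123456789ABCDEF0123456789ABC:2",
    ]),
}


def fake_fetch_range(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "Tl|_|,BwwB2R"]:
        print(pw, assess(pw, fake_fetch_range))
```

A password that comes back with any count at all is one attackers already have in their dictionaries, so it belongs on the "change now" list regardless of how long or complex it looks. Note that a count of zero only means it has not been seen in this corpus, not that it is strong.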

4. Writing passwords down

Many people create strong, unique passwords and then write them down on sticky notes that they stick on their desk. Some people keep their passwords in a notebook that they leave lying around.

A hacker on the other side of the world won't see those notes, but snooping family members, roommates, guests and repair technicians can. What if your house gets robbed and the burglars end up with your password notebook? If the burglars are smart enough, they can cause you a lot of trouble. A written list kept in a locked drawer or your wallet is still better than reusing one weak password everywhere, but it can't be backed up and it can't be changed in a hurry.

Instead of writing the passwords in a notebook, get a password manager. This is a program that stores and locks your passwords behind a single master password, encrypting them so that even a stolen copy of the vault is useless without it. A good manager also generates long random passwords for you, and the browser-integrated ones fill a password in only on the site it belongs to, which is a useful defense against look-alike phishing pages. You can create dozens of strong, unique passwords and need to remember only one (and you can use our formula in point 2 to make it; since that master password now protects everything else, make it a long one).

Some popular free password managers are KeePass and Kaspersky Password Manager (full disclosure: Kaspersky Lab is a sponsor of The Kim Komando Show).
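What a manager's generator does is simple to show, and doing so also puts numbers on the length advice in point 1. The block below is an added example, not code from the column or from either manager named above. It draws passwords from a cryptographically secure random source (Python's `secrets`, never `random`), computes the entropy of a uniformly random password or passphrase, and estimates how long an attacker would need to exhaust that search space at two assumed guess rates: 10^11 guesses per second for a fast unsalted hash on one high-end GPU, and 10^5 for a deliberately slow hash such as bcrypt. Both rates and the 16-word list are assumptions for the demo; the entropy formula applies only to random choices, not to a human-chosen lyric acronym, whose strength is bounded by how guessable the phrase is.

```python
import math
import secrets
import string

FULL_KEYBOARD = string.ascii_letters + string.digits + string.punctuation  # 94 chars

# Constructed 16-word list for the demo. A real passphrase list such as the
# EFF long list has 7776 words, i.e. log2(7776) = 12.9 bits per word.
WORDS = ["tramp", "baby", "born", "run", "river", "engine", "cage", "dream",
         "highway", "glory", "thunder", "velvet", "wheel", "ghost", "lantern", "harbor"]

# Assumed guess rates (order of magnitude, one high-end GPU).
FAST_HASH_RATE = 1e11   # unsalted MD5 / NTLM
SLOW_HASH_RATE = 1e5    # bcrypt at a sensible work factor


def random_password(length=16, alphabet=FULL_KEYBOARD):
    """What a manager's generator does: uniform picks from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=6, wordlist=WORDS, sep="-"):
    """Same idea with whole words, which are easier to type and remember."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string; not valid for human-chosen ones."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, rate):
    """Time to try the whole search space at a given guess rate."""
    return 2.0 ** bits / rate


def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare(cases, fast=FAST_HASH_RATE, slow=SLOW_HASH_RATE):
    """Rows of (label, bits, time at the fast hash, time at the slow hash)."""
    rows = []
    for label, length, alphabet_size in cases:
        bits = entropy_bits(length, alphabet_size)
        rows.append((label, round(bits, 1),
                     human(seconds_to_exhaust(bits, fast)),
                     human(seconds_to_exhaust(bits, slow))))
    return rows


if __name__ == "__main__":
    print("generated:", random_password(16), "|", random_passphrase(5))
    for row in compare([
        ("6 chars, full keyboard", 6, len(FULL_KEYBOARD)),
        ("8 chars, full keyboard", 8, len(FULL_KEYBOARD)),
        ("16 lowercase letters", 16, 26),
        ("16 chars, full keyboard", 16, len(FULL_KEYBOARD)),
        ("6 words from a 7776-word list", 6, 7776),
    ]):
        print("%-32s %6.1f bits  fast: %-22s slow: %s" % row)
```

Two things stand out in the table: six characters from the full keyboard fall in seconds against a fast hash, and sixteen plain lowercase letters outlast eight characters from the whole keyboard by orders of magnitude. The slow-hash column is why the site's choice of hashing matters, but you don't control that, so assume the fast column.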

5. Never changing passwords

You might have heard that you should change your password every six months, three months or even monthly. But in 2016 the Federal Trade Commission's chief technologist published a post summarizing research that shows you shouldn't do this as a matter of routine.

Regularly changing passwords is annoying, which leads to people making passwords too simple or reusing them. Worse, when a change is forced, most people make a small, predictable edit to the old password, such as bumping a digit, swapping one season for the next or moving the exclamation mark to the other end, so an attacker who learned the old password can often guess the new one in a handful of tries. In fact, people who regularly change their passwords make them 46 percent easier to guess. In general, you should change a password when you have a reason to: it was involved in a data breach, you shared it, you typed it on a computer you don't trust, or you suspect someone has it. Current guidance from NIST (SP 800-63B) says the same thing: change passwords on evidence of compromise, not on a calendar.

That being said, you should take some time to look through your passwords and update the ones you haven't changed in years. They probably include some of the mistakes above, and you want them to be as strong as possible.
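To make the "predictable edit" problem concrete, here is an added example (not from the column, and not the published researchers' algorithm) that does what an attacker holding an old password does: it applies a handful of common transformations, chains up to two of them, and checks whether a candidate new password is among the results. The transformation set is a constructed, illustrative subset; real cracking tools ship with far larger ones.

```python
import re

SEASONS = ["winter", "spring", "summer", "fall"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


def bump_numbers(pw):
    """Increment each run of digits: Summer2015! -> Summer2016!, pass9 -> pass10."""
    def inc(m):
        return str(int(m.group(0)) + 1).zfill(len(m.group(0)))
    new = re.sub(r"\d+", inc, pw)
    if new != pw:
        yield new


def cycle_word(pw, cycle):
    """Advance a season or month to the next one, preserving capitalisation."""
    low = pw.lower()
    for i, word in enumerate(cycle):
        start = low.find(word)
        if start == -1:
            continue
        orig = pw[start:start + len(word)]
        nxt = cycle[(i + 1) % len(cycle)]
        if orig.isupper():
            nxt = nxt.upper()
        elif orig[0].isupper():
            nxt = nxt.capitalize()
        yield pw[:start] + nxt + pw[start + len(word):]


def move_symbols(pw):
    """Shift leading/trailing punctuation to the other end: pass! -> !pass."""
    lead, core, trail = re.match(r"^(\W*)(.*?)(\W*)$", pw).groups()
    if trail:
        yield trail + core
    if lead:
        yield core + lead


def append_symbol(pw):
    """The classic 'just add something' edit."""
    for s in "!@#$1":
        yield pw + s


TRANSFORMS = [
    bump_numbers,
    lambda p: cycle_word(p, SEASONS),
    lambda p: cycle_word(p, MONTHS),
    move_symbols,
    append_symbol,
]


def guesses_from_old(old, depth=2):
    """Every password reachable from `old` by at most `depth` transformations."""
    frontier, seen = {old}, {old}
    for _ in range(depth):
        nxt = set()
        for pw in frontier:
            for transform in TRANSFORMS:
                for cand in transform(pw):
                    if cand not in seen:
                        seen.add(cand)
                        nxt.add(cand)
        frontier = nxt
    seen.discard(old)
    return seen


def looks_derived(old, new, depth=2):
    """True if `new` is one of the cheap edits of `old`."""
    return new in guesses_from_old(old, depth)


if __name__ == "__main__":
    old = "Summer2015!"
    guesses = guesses_from_old(old)
    print(f"{len(guesses)} candidates from {old!r}, e.g. {sorted(guesses)[:6]}")
    for new in ["Summer2016!", "Fall2016!", "!Summer2015", "Tl|_|,BwwB2R"]:
        print(f"{new!r:16} derived: {looks_derived(old, new)}")
```

A depth of two already yields fewer than a hundred candidates, which is why a forced quarterly change buys almost nothing against someone who has the previous password. The same logic, run on the server at password-change time, is how some systems reject "new" passwords that are trivial edits of the old one.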

Bonus: Poor security question

Most websites have options for recovering a forgotten password, and one of the most common ways to do this is by answering a security question you set up in advance. Unfortunately, most security questions are things a hacker or relative can figure out with little effort, such as your mother's maiden name or the street where you grew up, and much of it is sitting on social media or in public records.

A weak security question can render the strongest password useless, because it is a second door into the account. The fix is simple: the site only checks that your answer matches what you typed when you set it up, not that it is true, so answer with a long random string and store it in your password manager alongside the password. Learn how to make strong security questions and answers that no one can guess.

As another bonus, you should know that many online accounts have a bit of extra security you may not be using. It's called two-factor authentication, and when it's turned on, a password alone isn't enough to log in: you also need a code from your phone or a physical security key, so a hacker who has only your password is stuck. Codes sent by text message are the weakest form, since phone numbers can be hijacked and the codes phished, so prefer an authenticator app, and use a hardware key where the site offers one. Find out how this security feature works and how to turn it on for popular online accounts, including Amazon and Facebook.

Copyright 2016, WestStar Multimedia Entertainment. All rights reserved.

On the Kim Komando Show, the nation's largest weekend radio talk show, Kim takes calls and dispenses advice on today's digital lifestyle, from smartphones and tablets to online privacy and data hacks. For her daily tips, free newsletters and more, visit her website at Komando.com. Kim also posts breaking tech news 24/7 at News.Komando.com.