Consumer Reports has no relationship with any advertisers on this website.
Thursday is World Password Day. Yes, it’s a made-up holiday launched by companies in the tech industry, but it does serve as a reminder to create good passwords and keep them protected.
And research shows that people could use some reminding. Eighty-one percent of last year’s data breaches involved stolen or weak passwords, according to the Verizon 2017 Data Breach Investigations Report released last week.
Here are some tips for creating strong passwords and keeping your online accounts safe.
Go Long and Complicated
While “Password123” may be easy to remember, it’s a disaster when it comes to security. Hackers like to go for the low-hanging fruit and try the obvious options first.
Ideally, a password should be composed of a long string (think at least a dozen characters) of seemingly random upper- and lower-case letters, numbers and symbols. Jonathan Couch, vice president of strategy for the cybersecurity firm ThreatQuotient, says one of the best and easiest things to do is to create a long password out of an easy-to-remember phrase, then throw in some special characters.
For example: “Th3Qu1ckBr0wnF0xJump$0verTh3LazyD0g”—though it would be better to use a phrase that you make up yourself.
Don't include your name, birthday or references to any other personal details (yes, that means your kids’ personal details, too). Hackers routinely troll Facebook and Twitter for clues to passwords like those.
This same logic applies to smart home devices such as webcams, TVs, toys and even some high-end refrigerators. Many come with default passwords that should be changed the moment you take the product out of the box. There’s no easier password to hack than one you can find in a manual or online.
And don’t forget about your router. Kevin Haley, Symantec’s director of security response, says that according to his company’s research, 37 percent of people haven’t changed their router’s default password. “A third of all routers out there,” he marvels, “are just sitting there, saying, ‘Attack me. I’ll let you in.’”
Even a tech minimalist has countless passwords these days. Everything from your bank account to Pinterest requires that you have one. That’s a lot to remember, but don’t be tempted to use the same password for multiple accounts or to recycle an old favorite.
If your password was one of the more than 1 billion stolen from Yahoo in a handful of breaches over the past few years, you wouldn’t want it to be tied to your credit and bank accounts as well. Hackers know that people often reuse their favorites, so they routinely test passwords stolen in mega breaches on financial accounts.
If the thought of remembering so many complicated passwords is intimidating, think about using a password manager, Couch says. The services create and remember top-of-the-line passwords for you and they’ll also make sure the site you think belongs to your bank actually does, before you hand over your credentials.
Fair warning: password manager companies have been hacked in the past, but that doesn't mean user passwords were actually acquired by the bad guys. Overall, they’re still “the lesser of many evils,” Couch says.
Always Use Multifactor
Multifactor authentication (which asks users to enter a second form of identification, such as a code texted to a smartphone or a biometric identifier like a thumbprint) has become a must, says Marc Spitler, Verizon’s senior manager of security research and an author of the company’s data breach study.
What multifactor authentication does is make it a lot harder for hackers to access your account, even if they have the password. Its use is standard practice in business, and services including Google, Slack, and Facebook offer it as an option, but you often have to turn it on. Yes, this will slow you down a bit, but frequently, it’s enough to make hackers look for another target.
Did you just toss your toothbrush? Maybe it’s time to change your passwords, too.
The longer a password hangs around, the more likely that it’s been stolen or deciphered by a hacker. And, if a company announces that it’s been hacked and credentials have been stolen, change your password right away, even if the company says your account wasn’t affected. It often takes time for those investigating a hack to determine exactly how bad the fallout is, so breaches are often worse than they first appear.
On a related note, it’s always a good idea to periodically clean out your digital closets, just like the ones in your home. Have an AOL email account you don’t use anymore? A Myspace account? Close them out so you don’t have to worry about them getting hacked.
Don't Be Too Social
Social media is great. What would we do without Facebook, Twitter, and Instagram? But be careful what you share and who you share it with.
If you’re going to post personal details about yourself (or your family), make sure your accounts are locked down and change your privacy settings to restrict your posts to real-life “friends.” Consumer Reports shared tips for protecting your kids’ personal information in a previous story, but here's the short version: The entire world doesn’t need to know where they go to school and when they celebrate their birthdays.
Who knows? Maybe that geeky guy from high school that you’re friends with on Facebook, but haven’t actually spoken to in 20 years, grew up to be a hacker.
Copyright © 2005-2017 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission.