
[5-Minute Expert]

Tips for strengthening passwords before you get hacked

As you read this, someone could be attempting to access your online data. The sheer number of recent data breaches and cyberattacks—last year alone saw successful hacks of Instagram, YouTube, Marriott, Nintendo, Virgin Mobile and, oh, yeah, the U.S. government—suggests that future attacks aren’t just possible, but extremely likely. And while there’s nothing we can do to prevent large-scale data thefts short of having no online presence at all, we can take quick steps to protect ourselves. We can change the way we create, use and safeguard our passwords.

Most of us don’t give much thought to our passwords. In an August 2020 report, NordPass, a password management service (more on those shortly), produced a list of the 200 most popular passwords found in data breaches. The top three? “12345,” “123456” and “123456789.” Also popular: vertical lines from QWERTY keyboards (“asdfghjkl”), common phrases such as “iloveyou” and “hello,” and, yep, head-slappers like “password” and “computer.”

The study notes that these same weak passwords appear on the list year after year. If you see one of your passwords among them—perhaps even one you use across several accounts, for the sake of convenience—you’re an ideal candidate for ransom attacks, in which you could be locked out of your accounts and charged a ransom to regain access to them, or full-on identity theft, where you might not even be aware of the damage being done to your credit and reputation until it’s too late. Here are some ways to take yourself off that tempting list.

CREATE BETTER PASSWORDS

While most modern websites and apps won’t allow you to make a password that doesn’t feature a mix of numbers, letters and special characters like slashes and ampersands, they don’t always tell you that an old password no longer passes muster. Every time you visit a website or open an app you haven’t touched in a while, make a point of checking the last time you changed your password. Many cybersecurity experts recommend changing passwords every three months; some even suggest doing it monthly. It’s safe to say, however, that if a password is more than 90 days old, you should change it on the spot.

In a 2018 article, Chris Hoffman, editor of the tech site How-To Geek (howtogeek.com), offers these suggestions on creating a durable password:

Avoid dictionary words and groups of dictionary words. “Any word on its own is bad,” Hoffman writes. And they don’t get better when you mix them up: “ ‘House’ is a terrible password. ‘Red house’ is also very bad.”

Use a minimum of 12 characters. “A longer password would be even better.”

Use numbers, capital and lowercase letters, and symbols/special characters. But don’t arrange them in too obvious a way—see below.

Avoid obvious substitutions. “P@ssw0rd” is a nonstarter.

But while it’s easy to create a random string of letters, numbers and symbols, actually remembering it is another thing entirely. Hoffman suggests thinking up an easy-to-remember sentence that includes all of those elements. The example he gives is “The first house I ever lived in was 613 Fake Street. Rent was $400 per month,” which shortens to “TfhIeliw613FS.Rw$4pm”—a 21-character password few could guess.
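As an added illustration (not code from this article or from Hoffman), the four rules above can be written as a short Python check. The function and constant names are hypothetical, and the tiny word list is a constructed stand-in for a real dictionary; the breached-password set holds only the passwords quoted earlier in this article.

```python
import re

# Constructed sample data: BREACHED holds the passwords quoted in the article;
# WORDS is a tiny stand-in for a real dictionary file.
BREACHED = {"12345", "123456", "123456789", "asdfghjkl", "iloveyou",
            "hello", "password", "computer"}
WORDS = {"house", "red", "password", "computer", "hello", "love", "you"}

# Look-alike characters mapped back to letters before the dictionary check.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "l",
                      "$": "s", "5": "s", "!": "i", "7": "t"})

TOO_SHORT = "shorter than 12 characters"
MISSING_CLASS = "lacks a lowercase letter, capital, number or symbol"
IN_BREACH_LIST = "appears on the breached-password list"
DICTIONARY = "made only of dictionary words"
SUBSTITUTION = "dictionary word with obvious substitutions"


def only_words(text):
    """True when every run of letters in text is a dictionary word."""
    tokens = re.findall(r"[a-z]+", text)
    return bool(tokens) and all(t in WORDS for t in tokens)


def check_password(pw):
    """Return the list of rules a password breaks; empty means it passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < 12:
        problems.append(TOO_SHORT)
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, pw) for c in classes):
        problems.append(MISSING_CLASS)
    if lowered in BREACHED:
        problems.append(IN_BREACH_LIST)
    if only_words(lowered):
        problems.append(DICTIONARY)
    elif only_words(lowered.translate(LEET)):
        # Undoing the look-alike swaps exposes the plain word underneath.
        problems.append(SUBSTITUTION)
    return problems


if __name__ == "__main__":
    for sample in ("123456", "Red house", "P@ssw0rd",
                   "Red-House-Red-House1", "TfhIeliw613FS.Rw$4pm"):
        print(f"{sample!r}: {check_password(sample) or 'passes all four rules'}")
```

The "Red-House-Red-House1" case is the one to notice: it is long and mixes all four character types, yet it still fails because it is built only from dictionary words.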

ADD A STEP

You might have noticed that many sites and apps now offer something called “2-step” or “2-factor verification.” Get on it. It means that the site will send a verification code to another device—a phone or laptop—that you’ll use to complete your login. It’s a simple, elegant solution that confounds anyone who manages to swipe one of your devices.

KEEP PASSWORDS SAFE

It might seem obvious not to write passwords on Post-Its and stick them to your desk, but that might not be the only place your passwords are sitting out in the open. Some web browsers that offer to generate and store passwords for you also make those passwords ridiculously easy for an unscrupulous party to access. Leaving your computer unattended for 30 seconds—at work, perhaps, or at a coffeehouse while you pick up an order—gives the unscrupulous more than enough time to open your browser and grab your entire password list.

USE A MANAGER

Password managers are as good as their name: They keep your passwords—all your passwords—securely locked up. All you need to access dozens or even hundreds of distinct, machine-generated logins is a single password (please make it a good one) or a fingerprint scan. Password managers can even log in for you; they’ll prompt you to enter your master password or fingerprint at any login screen, and the app will do the rest. Some of the most popular password managers include Dashlane, Keeper, 1Password, Bitwarden and NordPass, and their subscription prices range from nonexistent to premium. If you’d like to see them rated against one another in terms of cost and functionality, check out PCMag’s list of “The Best Password Managers for 2021” (pcmag.com/picks/the-best-password-managers).


Geoff Carter

Experts in paleoanthropology believe that Geoff Carter began his career in journalism sometime in the early Grunge period, when he ...
