Hackers are constantly at work trying to guess passwords using sophisticated automated tools. Protect yourself with these simple password management best practices.
Stealing your passwords not only gives a hacker access to your accounts online, but risks identity theft, blackmail, account theft, or other threats. It’s amazing how many people still make obvious passwords that are easy to hack. Protect your logon credentials using these practical steps you can take relatively easily:
1. Choose Strong passwords
Short passwords are easier to crack than longer ones. Make yours at the very least 8 characters long, but preferably longer. “my2buNNiEs_havepiNkEars.com” is stronger than My2bunnies, with an acceptable level of inconvenience.
Use a mixture of lower case letters, upper case letters (not just in the first position, as the N’s and E’s were upper cased in the example above), numbers, and punctuation marks (to the degree the website allows them). See the example above.
It may be easier to make a longer password to use a phrase, embedded with numbers and punctuation, as we did above.
Do not repeat characters or use numbers or letters sequentially within the password (it is remarkable how many people use 12345, abcde, 11111, etc. within their password, or for that matter, the word “password”).
2. Don’t embed identifying information in your passwords
Don’t embed personal data within the password. No part of the password should include any part of the name of any family member, the birthdate of a family member, a pet’s name, a portion of a current or previous address or phone. All those items are public information and could be guessed by a determined hacker. “123MainStreet” (if that is your address) or “Alfred2015” (if Alfred is your son born in 2015) are easy for a determined hacker to guess.
3. Don't leave passwords near the computer
Don’t write passwords on paper that is anywhere near the computer you use, or anything you can lose.
4. Don’t save passwords in unencrypted files
If you must save passwords on your computer, be sure that the file is encrypted (see also “Password Managers” below)
5. If allowable, do not use your email address as your User ID
Many websites still use your email address as your user ID, but if they allow you to choose a user ID other than your email address, then do so, as your email address is likely widely known. Having a unique and hard-to-guess user ID provides another barrier to a hacker trying to guess your credentials. So for example, Green19pants user ID is another barrier compared to J-Doe2020@gmail.com as your user ID.
6. Use Two-Factor Authorization (2FA)
More and more sites offer two-factor authorization for authentication. Two factor authorization refers to using 2 of the following 3 categories of authentication techniques: a) Something you know (e.g., a password) b) Something you have (e.g., a code sent to a cell phone that you own via a text message) c) Some inherent characteristic (e.g., a thumbprint or face recognition)
“a” and “b” with the examples above are the most common forms of 2FA today. While adding another layer of inconvenience, we strongly recommend the use of 2FA, as it greatly improves the security and privacy of your account. Note that if you have set an option in your browser to delete all cookies upon closing the browser or if you delete cookies manually (see prior post, Delete Tracking Cookies), sites can’t remember if you already answered certain “challenge questions” that you set up upon account registration, such as city of birth or name of your high school. If a site challenges you for your responses, think of it as providing another layer of authentication to improve security and privacy. Strictly speaking, such challenge questions do not constitute 2FA because both your password and challenge questions are in the category of “something you know.”
7. Don’t reuse the same password for multiple accounts
Do not use the same password in multiple accounts. If a hacker figures out one account, you don’t want him or her accessing multiple accounts.
8. Don’t have web sites “remember” your login credentials
Some browsers and websites let you save credentials or let you stay logged in. Don’t fall for this “convenience” trap. That makes access to those accounts of yours less secure.
9. Change your passwords periodically
Periodically change your passwords, and do not reuse old passwords. This provides an extra layer of protection.
10. Use password management software, but with care
There are a number of password management software packages, some free and some for a fee. They enable you to store your passwords in an encrypted form in a single place, with only you knowing the master password to the password list. They can also help create strong passwords and enforce guidelines. Examples, benefits, and precautions of password management software are the subject of blog post Why use a password manager.
Follow these password management best practices to improve your privacy and security on the internet.