The ultimate guide to managing your passwords

A few changes can keep your accounts from being hacked

May 4, 2023 at 7:00 a.m. EDT
An illustration of password symbols.
(Illustration by Elena Lacey/The Washington Post)

Creating hard-to-guess passwords and then remembering them later isn’t easy, and even the best of us mess up.

Unfortunately, the stakes are getting higher as security disasters get bigger and more frequent. More apps, more accounts and more passwords create more opportunities for theft.

Meanwhile, human nature stays the same: “123456” is the most-used password in the world.

“You have to laugh to keep from crying,” said JD Sherman, CEO of password manager company Dashlane.

Once your password is part of a breach, hackers try it on different sites and services to unlock more accounts in what’s called a “credential stuffing” attack. Reusing passwords or going with daredevil options like “solarwinds123” makes you — and often your workplace — more vulnerable. But that doesn’t mean all this password drama is deserved.

Data from Dashlane shows that most people have more than 200 accounts that require passwords.

“We have too many passwords today as a consumer,” said Josh Yavor, chief information security officer at cybersecurity company Tessian. “If you think about all the different things you have to log in to, the number is just way too high for anyone to be able to keep track of all the different passwords and do the right thing every single time.”

Someday, we’ll likely move away from passwords and toward a safer solution. Google, for instance, said Wednesday you can now use your mobile device’s passkeys — such as a fingerprint scanner or FaceID on iPhones — to log in across Google accounts. Until the password-free future arrives, here are six easy things you can do to protect yourself:

1

Stop reusing passwords

If you take only one step to better protect your accounts, make it this: Retire your trusty go-to passwords and start fresh.

Reusing passwords across accounts makes all of them less safe. For instance, if you use the same password for Netflix and Chase Mobile, a data breach at Netflix could put your bank account at risk. This applies to passwords that are similar with small tweaks that could be easily reverse engineered, like “oaktr33-hulu” and “oaktr33-hbo.”

During his days as a penetration tester helping companies find and eliminate paths hackers could use to break in, Yavor once gained access to 20,000 corporate accounts in less than an hour simply by plugging in the default password the accounts came with, he said.

2

Make your passwords impossible to guess

Passwords shouldn’t draw on details from your life. You may think that no one can guess your child’s or pet’s name, but all it takes is a quick visit to Instagram or LinkedIn to figure it out. Instead, use a password generator or another technique to choose a truly random combination of words and numbers, or a random passphrase.

When coming up with on-the-fly passwords, people’s minds tend to gravitate toward the same themes. Tessian found that 21 percent of people use predictable cues like their favorite football teams or birthdays. A survey by Microsoft indicated 15 percent of people use pets’ names. That’s why it’s better to avoid passwords with any real significance.

Make them long (think longer than 12 characters) with plenty of numbers, letters and special symbols when required. Ninety-six percent of password-related cyberattacks involve passwords with fewer than 10 characters, and 76 percent involve passwords with fewer than six, according to Microsoft.

Coming up with passwords is like leaving your car in a mall parking lot, Sherman noted. Most thieves are just hunting for unlocked doors and rolled-down windows.
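To make “truly random” and “longer than 12 characters” concrete, here is a small Python example. It is added for this guide and is not code from The Washington Post or from any password manager. It draws characters and words with the operating system’s cryptographic random source and reports how many bits of entropy each choice yields; the 22-word list and the guess rate of ten billion per second are constructed illustrations, not real-world figures.

```python
import math
import secrets
import string

# Constructed sample word list for demonstration only. A real generator draws
# from a list of thousands of words so that each word adds more entropy.
WORDLIST = [
    "anchor", "basil", "canyon", "dune", "ember", "fjord", "glacier", "harbor",
    "island", "juniper", "kestrel", "lagoon", "meadow", "nebula", "orchid",
    "pebble", "quartz", "ridge", "summit", "tundra", "valley", "willow",
]

# Letters, digits and punctuation: 94 possible characters per position.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16, alphabet: str = SYMBOLS) -> str:
    """Return `length` characters drawn uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG; random.choice is predictable and must
    not be used for secrets."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Return `n_words` words chosen uniformly at random, joined by `sep`."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of a uniformly random secret: positions * log2(choices)."""
    return positions * math.log2(choices_per_position)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every possibility at the given guess rate.

    1e10 guesses/s is an assumed offline-cracking rate, for illustration only."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for n in (6, 10, 16):
        bits = entropy_bits(len(SYMBOLS), n)
        print(f"{n}-char random password: {bits:.0f} bits, "
              f"{years_to_exhaust(bits):.2e} years to exhaust: {random_password(n)}")
    bits = entropy_bits(len(WORDLIST), 5)
    print(f"5-word passphrase from {len(WORDLIST)} words: {bits:.0f} bits: {passphrase()}")
```

Run it and compare the three password lengths: a six-character password from 94 symbols falls in about a minute at the assumed rate, while 16 characters would take longer than the age of the universe. The passphrase line shows the other lever: with a tiny word list the phrase is weak no matter how long it looks, which is why real generators ship large lists.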

3

Avoid these passwords

  • 123456. Easy to remember means easy to guess.
  • Password. This goes without saying.
  • Password123. Nice try, but no.
  • Qwerty. Try a different combo of letters, then add some numbers and symbols.
  • Pets’ names. Try combining pets’ names into a unique new word with some special symbols.
  • Kids’ names. Same deal as pets. (But less furry, usually.)
  • Favorite teams. This is a common one, and there are only so many professional sports teams.
  • Birthdays. Try a date with no significance, then add some symbols and letters.

4

Check if your passwords have been exposed

An exposed password may provide the kick in the pants you need to clean up your security act.

Apple notifies you if one of your saved passwords has appeared in a breach. On an iPhone, go to Settings → Passwords → Security Recommendations and change any passwords that are putting you at risk. For passwords you’ve allowed Google to save, go to passwords.google.com → Go to Password Checkup → Check Passwords. (Note: It’s easy to leave yourself logged into Google on someone else’s computer, so I’d recommend a different method of storing passwords.)

A website called Have I Been Pwned will let you look up your email address or phone number to see how many breaches included your information. And finally, password managers — applications that generate, save and automatically fill in unique, hard-to-guess passwords — can alert you to compromised accounts, too.
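Have I Been Pwned’s password check works without ever receiving your password, and the mechanism is short enough to show. The Python below is an added example written for this guide, not the site’s own code or a Post tool. It hashes the password locally, sends only the first five characters of the hash to the site’s range endpoint, and scans the returned list for the remaining 35 characters. The sample server reply embedded in the code is constructed for the demo (the counts in it are made up); the `fetch_range` function does the real network call and is not exercised offline.

```python
import hashlib
import urllib.request
from typing import Optional

# Real public endpoint: returns every hash suffix sharing the 5-char prefix.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of `password`.

    Only the 5-character prefix ever leaves the machine; the suffix is
    compared locally, so the service cannot learn which password was checked."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Scan a range reply ("SUFFIX:COUNT" per line) for our suffix."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Download the range for a prefix (network; not used in the offline demo)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "example-password-checker"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_text: Optional[str] = None) -> int:
    """How many times the password appeared in known breaches (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    if range_text is None:
        range_text = fetch_range(prefix)
    return count_in_range(suffix, range_text)


# Constructed stand-in for the server's reply to range/5BAA6, the prefix for
# the password "password". The counts are made up; a real reply has hundreds
# of lines.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
01AC44CEB3F3E2A6B2E5C3F0A7D3E2B1C9A:1
"""

if __name__ == "__main__":
    print("password ->", breach_count("password", SAMPLE_RANGE_5BAA6), "breaches (sample data)")
    print("a long random passphrase ->",
          breach_count("correct horse battery staple", SAMPLE_RANGE_5BAA6), "(sample data)")
```

Password managers with breach alerts do essentially this on a schedule for every saved login. The point worth knowing as a user is that the check is designed so the service sees a short hash prefix, never the password itself.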

5

Set up two-factor authentication

Passwords alone are no longer sufficient security for sensitive accounts, such as your bank or social media. You want to turn on two-factor authentication as well.

Two-factor authentication means a person has to authenticate their identity in two different ways before gaining access to an account. By enabling two-factor, you prevent hackers from breaking in if they’ve only gotten their hands on your username and password.

Traditionally, two-factor has involved a text message sent to your phone with a numeric code to input. If you know the code, that means you have your phone, so the app or site can trust that you’re really you.

But that method leaves you vulnerable if somebody gets their hands on your phone or tricks your cell provider into moving your number. If you want some password hygiene extra credit, take a couple of seconds to download an authenticator app. These connect to your accounts and ping you when somebody tries to log on. Then, the app gives you some second piece of info that authenticates your identity and lets you sign in. Google, Microsoft, Twilio and ID.me all make authenticator apps you can access from different mobile devices. Just type “authenticator” into an app store and download one of these options.
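The six-digit codes those authenticator apps show are not sent to you at all; both the app and the website compute them from a shared secret and the current time, which is why they work offline and cannot be intercepted in transit like a text message. The Python below is an added example for this guide (not any vendor’s app code) implementing that standard, TOTP from RFC 6238 on top of HOTP from RFC 4226, and checking it against the test values those RFCs publish. The base32 secret is the RFCs’ published test key, written the way a QR code would deliver it to the app.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    "dynamic truncation" picks 4 bytes at an offset taken from the last nibble."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step).

    Both the app and the server run this same function, so the only thing
    they must share in advance is `key`."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` steps to
    tolerate clock drift, and compares in constant time so response timing
    does not leak how many digits matched."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(key, unix_time + delta * step, step), code):
            return True
    return False


# RFC 4226 / RFC 6238 published test secret, in the base32 form an
# authenticator app receives inside an otpauth:// URI or QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_KEY = base64.b32decode(DEMO_SECRET_B32)  # == b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_KEY, now)
    print("code for this 30-second window:", code)
    print("server accepts it:", verify_totp(DEMO_KEY, code, now))
    print("same code 90 seconds later:", verify_totp(DEMO_KEY, code, now + 90))
```

Two design points matter for users. The secret never leaves the device after enrollment, so stealing a code from a phishing page buys an attacker at most one 30-second window. And because the server deliberately accepts neighbouring time steps, a phone whose clock is slightly off still works, which is the drift `window` handles above.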

6

Use a password manager

A password manager will solve a bunch of your password security problems in one swoop.

Just add the manager app — we’ve recommended Dashlane and 1Password — to your mobile device, or sign up on its website. You can also use a built-in manager like Apple’s Keychain. These tools will start saving the passwords you use to log in, generating hard-to-guess options when you sign up for new sites and automatically inserting them into log-in forms. You can even have it save your name, address and credit card info for faster sign-ups and checkouts.

As far as setup, you’ve got a choice: Either turn on your favorite Spotify playlist and spend a few hours inputting the passwords to the sites you visit most often, or just start going about your business and auto-save passwords as you use them.

In a saner world, everyone would have just three passwords to keep track of, Tessian’s Yavor said: your phone, email and password manager. Memorize those passwords to keep them safe, or use Dashlane’s new password-less option to unlock your account with a PIN or biometrics on your device.

If you must store passwords somewhere else, know the risks.

We’re all familiar with the sacred password notebook sitting next to the desktop computer. There’s also the password safe, the password Google Doc, the password saved email draft and my mom’s favorite: the password list in the smartphone notes app.

If you opt to store your passwords yourself rather than using a manager, there’s no real winning, Yavor said. You can avoid digital theft by writing passwords in an analog notebook or slip of paper, but then that list is liable to be lost, stolen or — in his case — eaten by golden retrievers.

Of course, you can keep your passwords safe from canines and other acts of God by storing them somewhere digital. But then you’re opening yourself up to potential cybertheft.

Whatever you choose, know what risks you’re taking, and give a password manager some serious thought.
