Are your passwords as strong as they should be? Self-created passwords leave many users vulnerable to data breaches, account takeovers, identity theft and other threats. In the workplace, poor password management can lead to full-blown cybersecurity incidents that can damage company operations.
Fortunately, it’s easy to make your passwords stronger by following a few best practices. We’ll share five tips for creating safer, more secure passwords to protect your private accounts and improve your business’s cybersecurity. We’ll also look at password mistakes to avoid at all costs.
To protect yourself and your company, consider the following password-creation best practices.
It’s easy and convenient to use the same password for several accounts. However, according to Dodi Glenn, CEO of cybersecurity consulting company Power to Excel, the convenience of reusing passwords can result in exponentially more damage if an account is compromised, leaving you vulnerable to fraud. “Never reuse the same password for multiple accounts,” Glenn warned. “It’s a bad habit to get into.”
Using one password across various accounts gives cybercriminals the keys to your personally identifiable information. “For example, if malware records only Gmail account information but the same password is used across a variety of sensitive sites, such as an online banking or retail site, cybercriminals can easily hack into all accounts and obtain personally identifiable information for nefarious purposes,” Glenn explained.
To keep track of passwords, users should store them in a secure place such as a password manager (PasswordBox, LastPass and RoboForm are examples), said Eduard Goodman, international privacy lead counsel for TransUnion.
While using the names of loved ones, pets, favorite sports teams and other personal details may help you remember passwords, this practice makes it easier for hackers to access your accounts.
“We may think we are clever, but with the billions of password users on the planet, the likelihood is, someone has come up with the combination before,” said Tom Smith, former vice president of market strategy for data protection products at digital security provider Gemalto (now Thales).
Due to the frequency of security breaches, millions of passwords are available in databases for criminals to leverage in cyberattacks, Smith warned.
“This type of attack is referred to as a ‘dictionary attack,’ or an attack where a password is searched systematically against all other passwords in a ‘dictionary’ or a specified list of existing passwords,” Smith said. Because these passwords are derived from past breaches, using them increases the likelihood of a seemingly “unique” password being compromised once again.
Goodman advised users to “shake things up a bit.” For example, here are a couple of tips for developing more creative passwords:
Most services require a password of at least eight characters. In reality, users will need more characters for a truly secure password.
“The longer the password, the harder it is and the longer it takes cybercriminals to crack the password,” Smith said.
The eight-character password standard is now a thing of the past. “As with all things in the realm of technology, password-cracking programs have become faster, and some boast the ability to make 350 billion guesses per second, which means they can crack an eight-character password in seconds,” Smith said. “For users to protect themselves, experts now recommend passwords containing at least 13 to 20 characters.”
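To put Smith's figure of 350 billion guesses per second to work, here is an added Python example (not from the article or from any of the companies quoted in it) that computes the keyspace, entropy in bits and exhaustive-search time for several character sets and lengths, and generates a random password with the `secrets` module. The guess rate is the page's number; the character sets, the lengths compared (8, 13 and 20) and the `human_duration` helper are my own choices.

```python
import math
import secrets
import string

# Guess rate quoted on the page: 350 billion guesses per second.
GUESSES_PER_SECOND = 350_000_000_000

# Character sets a password may be drawn from (sizes in the comments).
CHARSETS = {
    "digits": string.digits,                                              # 10
    "lowercase": string.ascii_lowercase,                                  # 26
    "alphanumeric": string.ascii_letters + string.digits,                 # 62
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password at `rate` guesses/second.
    A brute-force attacker finds a uniformly random password in half this time on average."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def generate_password(length: int, alphabet: str = CHARSETS["printable"]) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def crack_time_table(lengths=(8, 13, 20)) -> dict:
    """Exhaustive-search seconds keyed by (charset name, length)."""
    return {(name, n): seconds_to_exhaust(len(alphabet), n)
            for name, alphabet in CHARSETS.items() for n in lengths}


if __name__ == "__main__":
    for (name, n), secs in crack_time_table().items():
        bits = entropy_bits(len(CHARSETS[name]), n)
        print(f"{name:13s} {n:2d} chars: {bits:5.1f} bits, "
              f"exhaustive search {human_duration(secs)}")
    pw = generate_password(16)
    print("generated:", pw, f"({entropy_bits(94, 16):.1f} bits)")
```

Run as-is, the table shows why the eight-character standard is gone: an 8-character lowercase password is exhausted in under a second at that rate, while 13 printable characters already take millions of years. The point is the exponent, not the guess rate: each extra character multiplies the work by the alphabet size.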
If a website offers two-factor authentication, take advantage of this added layer of protection against cyberattacks and payment fraud. Multifactor authentication makes it much more challenging for cybercriminals to access an account.
“Many sites are now offering two-factor authentication or a login that requires both a password and another form of identification, such as a code from a mobile device,” Glenn said.
These are some other types of secondary identification:
“With two-factor authentication, even if an attacker steals users’ login passwords, they won’t be able to access their accounts without the second form of identification,” Glenn said. “Take advantage of this security feature when available.”
Many websites and accounts recommend that users change their passwords regularly. Glenn recommended changing passwords at least every few months, and Goodman at least quarterly.
However, experts no longer universally advise frequent password changes unless you’ve been breached. To find out if your information is out there, check out Have I Been Pwned?, where you can search your email address, username or password to see if your information has turned up in any reported breaches.
While it’s crucial to create strong passwords, it’s also essential to understand classic password mistakes to avoid. Any of the following mistakes may help an attacker compromise your account.
Birthdays, names of spouses or children, and favorite movies or sports teams are easy to remember, but they’re also easy for a dedicated attacker to guess or learn. Using personal information in passwords is even more of a concern for avid social media posters, as much of their personal information is readily available online.
While it may seem like a lot of effort on the part of a cybercriminal, attackers can quickly create a list of possible passwords and then let software run through the combinations.
While a password should be unique and impossible for an attacker to guess, users should not take password complexity to an extreme. Unmemorable passwords lead to a different set of security risks, such as the following:
However, if you use a password manager, your password can be as complex as you want. These programs securely store passwords behind one strong master password, so the stored passwords can be as complex and nonsensical as the user wants.
Some products ship with a default password, including many internet of things (IoT) devices and equipment such as routers and modems. Default passwords should always be considered compromised and temporary: because they are defaults, they are common knowledge, and anyone can find them with a quick online search.
Password management solution provider NordPass ranked the top 200 most common passwords in 2022 and found that the most frequently used password in the United States is “guest.” NordPass says this password would take attackers only 10 seconds to crack. Additionally, thousands of people still use similarly simple passwords — such as “123456,” “123456789” or “password” — which can be cracked even more quickly.
But remember that even if you’re not using one of the most common passwords, you should still follow password best practices to make your passwords as strong as possible.
Creating, using, remembering and routinely updating passwords while ensuring they’re unique can feel overwhelming. But as data breaches and cyberattacks continue to rise, it’s more imperative than ever to use strong passwords. These password-creation tips can help you create uncrackable passwords that protect your private and business accounts.
And if it ends up being too much of a hassle to remember and create strong passwords, password managers can alleviate some of the strain.
Sara Angeles contributed to the reporting and writing in this article. Some source interviews were conducted for a previous version of this article.