How strong is your password, really? Do you use the same one on a number of accounts? Or refer to your dog Fluffy in all of them? Chances are you could use a change.
About 73 percent of online accounts are guarded by duplicate passwords, according to a 2015 report by TeleSign, an internet security firm, and 54 percent of those surveyed use five or fewer passwords across their online accounts.
Meanwhile, just over 10 percent of consumers use one of the 25 worst passwords of 2016, according to SplashData, a provider of password management applications, which analyzed more than 5 million leaked passwords used by users in North America and Western Europe.
Topping the list of the worst passwords? 123456, password, 12345, 12345678, football and qwerty.
The problem with this is that our passwords are a key component of our lives, and as more of the services we rely on every day move online, the stakes grow ever higher.
It may seem overwhelming, but you can improve your internet security today with these seven tips.
What does that mean? Ideally, a password should be at least 10 to 15 characters and include a mix of lower case and capital letters, numbers and special characters such as @, $, or *. It should also be unrelated to any of your prior passwords.
Struggling to think of something? You can use a password generator (there are a number of free options available), or pick a short sentence or phrase to use as inspiration and replace certain letters with numbers or special characters. For example, you could channel Cookie Monster and go with, “[email protected]~C0oK13$.”
Part of having a strong password is not using information someone could easily (or even not-so-easily) figure out by checking out your social media accounts. That means if you constantly post about your cat, Fluffy, don’t make your password Fluffy_Lv3r.
Consider the whole extent of the information out there. While [email protected]*P0tt3r is generally a strong password, don’t use it if you are a member of a Harry Potter fan club or post quizzes to your page like “What Hogwarts House Would You be Sorted Into?”
The same goes for those account security questions you are sometimes asked to fill out. If your Facebook includes information on where you went to high school avoid the security question like, “What was your high school mascot?”
It may be super annoying, but sorry, you’ve got to do it. You need to have a different password for all your different accounts.
You might think a security breach at, say, LinkedIn doesn’t matter—they have your resume, so what? But if you use the same password, or even a similar one, for LinkedIn as you do for your bank account, or Facebook, or any number of other applications a hacker can soon find a way to wreak havoc in your financial and personal life.
Need help remembering all those passwords? There are a number of options for keeping track. You can download a password manager app, or if you don’t feel comfortable keeping that info in the cloud, you can also just create a document on your computer and encrypt that with a password. If you are more the pen-and-paper type, you can keep a list at home.
“In some scenarios, writing down passwords isn’t a terrible thing (it’s offline) provided you protect what you have written and where you store it,” said Whitney Hewatt, a lead security engineer at FINRA. “Certainly don’t store such things right next to any systems you use making it easy to find such lists.”
While we are on the subject, avoid linked accounts. What does that means? That means when you are new to a website and it says you can create a new account, or you can link the account to use your Facebook or Email log in, just create the new account instead.
“Sure, linked accounts are convenient,” Hewatt said. “But convenience comes at a cost.”
When you log in using another account, you are usually allowing that website to have some of your data, whether you realize it or not. That may be a privacy concern and may make identity theft easier. But beyond that, allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.
When possible, use multi-factor authentication, or two-factor authentication, particularly for your email accounts. Many e-mail providers now allow for this, including Gmail, Microsoft Mail and others.
“Protect your email accounts as best you can,” Hewatt said. “Enable this setting to provide an added layer of security where you authenticate and then have to use another validation process, such as a code sent by text or authenticating app to secure the logon process.”
You should do this whenever possible, but your email account is particularly important. Your email address is also where password resets are typically sent, so it’s imperative that you protect your email address in order to protect all other accounts. Not to mention how much other information a hacker could get from your email account: your address, possibly medical information or information on your financial accounts and utility accounts.
Be aware of possible risks such as using public kiosks and charging stations when logging on to any site or app you use. There may be malware or virus designed to capture any information you type on the machine.
“You never know who manages these systems or how securely they are configured,” said Hewatt.
The same goes for pubic Wi-Fi. Public Wi-Fi might be convenient and easy on your wallet as you look to avoid data overage charges from your cellular provider, but steer clear of entering your password into any website from a public network, be it at an airport or your favorite coffee shop, or in a college classroom or hotel room.
“Until better security solutions created, traffic on open networks can generally be discovered by anyone else on that network,” Hewatt said. “You are better off using cellular communications when possible,” he said.
And never change your password on a public network or a public machine.
If you hear about a possible data breach of a website or app you use, don’t just assume others were affected, but not you. Take steps to determine if your credentials have been stolen.
You can reach out to the company that was hacked, or use test sites to determine if your credentials were stolen. Have I Been Pwned is one option that tracks many of the known data breaches. You can enter a user name or email address to determine if one of your accounts is located on lists which have already been dumped to the internet for public download.
“This may not be your actual password, but a scrambled version of it that is easily deciphered by common tools” Hewatt said. “If you encounter this, change your password right away.”