Lock Down Your Logins with Better Password Practices


Many use a simple password and reuse it for multiple accounts, a practice cybercriminals bet on.


Passwords are something nearly everyone uses every day. Whether logging into computers, email accounts, social media accounts, or bank accounts, passwords keep our online personal lives secure. Have you considered how many online accounts you access? From filing health insurance claims online to checking on your airline frequent flyer accounts, you could easily need a hundred or more different, strong passwords.

Many avoid taxing their memories by using a simple password and reusing it for multiple accounts. Cybercriminals are betting on this practice when they use different methods to gain access to passwords.

In a brute force attack, attackers use automated software that tries every combination of letters, numbers, and special characters until one works. A dictionary attack instead relies on a wordlist of common words, names, phrases, and previously leaked passwords like "ilovemykids," "password," or "admin123" to guess the passwords people actually choose.

A valid password that’s stolen in a data breach is another way hackers gain access to your accounts. There are dozens of underground websites buying and selling stolen usernames and passwords. Logins for accounts at Airbnb, CreditKarma, and Uber fetch $15 each. Valid usernames and passwords to active accounts at Navy Federal Credit Union can be bought for $60 a piece.

Once a valid login is bought or cracked, attackers routinely try it against accounts tied to financial institutions like PayPal looking for matches, a technique known as credential stuffing. If you reused that password for your bank accounts, you could lose big money. If you used that same password for other accounts, attackers could take control of your email, social media, and other financial accounts, or even steal your identity.

It is not enough to use a unique password for every site you access – it should also be a strong one. Passwords ideally should be both random and long, at least 12-15 characters. A random password generator can create one like this: ySSwCxPK. At only eight characters drawn from 52 upper- and lowercase letters, there are 52^8, roughly 5 × 10^13, possibilities. Against a login form that limits an attacker to about 10 thousand guesses per second, exhausting them would take around 170 years, which sounds comfortable. But an attacker who has stolen a site's password database cracks it offline on graphics cards at billions of guesses per second, and at 10 billion guesses per second the same eight characters fall in about an hour and a half. Doubling the length to 16 characters (GpDjwmXaLeNHbhfG) gives 52^16, roughly 3 × 10^27, possibilities, which even at 10 billion guesses per second would take billions of years to exhaust.

You can check the strength of your password, and then commit to using a random password generator for each of your accounts. Be careful, though, never to type a password you actually use into a strength checker you do not trust; test a lookalike instead. Increasing the number of characters in a password and using random characters rather than guessable words improves security by making brute-force attacks more difficult. After hours or days of brute force attacks, attackers typically move on to easier targets.
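The arithmetic above, together with a generator of the kind a password manager uses, as an added example that is not part of the original article. The two guess rates are illustrative assumptions (a rate-limited online login form versus offline cracking of a stolen hash database on graphics hardware); the alphabets and lengths are the ones the article discusses, extended to digits and symbols.

```python
import math
import secrets
import string

# Added example, not code from the article: generate passwords with the OS
# cryptographic random source and estimate how long exhaustive guessing takes.

ALPHABETS = {
    "letters": string.ascii_letters,                                         # 52 symbols
    "letters+digits": string.ascii_letters + string.digits,                  # 62 symbols
    "letters+digits+symbols": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

# Assumed guess rates: an online form that rate-limits attempts, versus an
# attacker who has stolen the password database and cracks it offline on GPUs.
GUESS_RATES = {
    "online": 1e4,          # 10 thousand guesses per second
    "offline_gpu": 1e10,    # 10 billion guesses per second
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int, alphabet: str = ALPHABETS["letters+digits+symbols"]) -> str:
    """Pick each character independently with secrets.choice, never random.choice:
    the random module's Mersenne Twister is predictable from a few observed outputs."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility; on average an attacker needs half."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def strength_table(lengths=(8, 12, 16)) -> list:
    """One row per alphabet and length with entropy and exhaustion time per rate."""
    rows = []
    for name, alpha in ALPHABETS.items():
        for n in lengths:
            row = {"alphabet": name, "length": n, "bits": entropy_bits(len(alpha), n)}
            for rate_name, rate in GUESS_RATES.items():
                row[rate_name] = years_to_exhaust(len(alpha), n, rate)
            rows.append(row)
    return rows


if __name__ == "__main__":
    print("example 16-character password:", generate_password(16))
    for row in strength_table():
        print(f"{row['alphabet']:<24} len={row['length']:>2} {row['bits']:6.1f} bits  "
              f"online: {row['online']:.3g} yr  offline GPU: {row['offline_gpu']:.3g} yr")
```

Note that the estimates hold only for passwords chosen uniformly at random; a dictionary word or a famous phrase has far less entropy than its length suggests, because an attacker tries wordlists before exhaustive search.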

Some people use password phrases – long ones like the opening to the Gettysburg Address or another memorable passage. A genuinely random string of 16 characters or longer is highly secure, but a well-known passage is not random: famous quotations and song lyrics sit in the same wordlists as "password" and "admin123," so length alone does not save them. Phrases are also not an easy practice to repeat for the many accounts one accesses, and inevitably lead to writing down logins. As long as your password ‘cheat sheet’ is always kept out of sight, a master list works – until you need to leave home or share access to a login with a colleague. Traveling anywhere with a master list of the passwords to your life online is never a good idea.

Using only unique, complex passwords limits the damage a single stolen login can do to your online security. Using two-factor authentication (2FA) for online accounts adds another layer. Users must enter a second piece of information to identify themselves when logging in, most often a numeric code that changes every time. Not all companies offer this, but if your account has it, enable it. Two-factor authentication makes it much harder to hack your account with a stolen password because the attacker would also need the access code. Codes delivered by text message or email are better than nothing, but they can be intercepted by someone who takes over your phone number or mailbox; a code generated by an authenticator app on your phone, or a hardware security key, is stronger. For a list of websites that support 2FA, check twofactorauth.org.

Even if you have strong passwords and do not reuse them for multiple accounts, your information could still be compromised in a company’s data breach. Check Have I Been Pwned? to see if your account credentials appear in its database of breached accounts, and its Pwned Passwords service to see whether a password itself has turned up in a breach. You can sign up for automatic notification so at least you will know when it is time to change your passwords right away.
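How a password can be checked against the Pwned Passwords corpus without revealing it, as an added example that is not part of the original article. The service's range endpoint works by k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the server returns every hash suffix in that range with a count, and the match is made locally. The code below performs the client side only; instead of calling the network it parses a constructed response body, which is labelled as such and whose counts are made up.

```python
import hashlib

# Added example, not code from the article or from Have I Been Pwned.
# Client side of the Pwned Passwords range (k-anonymity) lookup.

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"   # real endpoint; not called here


def hash_prefix_suffix(password: str):
    """Uppercase hex SHA-1 split into the 5-character prefix that is sent and
    the 35-character suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """The only thing the server learns is this URL, i.e. 20 bits of the hash."""
    prefix, _ = hash_prefix_suffix(password)
    return RANGE_ENDPOINT + prefix


def parse_range_response(body: str) -> dict:
    """Response lines look like 'SUFFIX:COUNT'; return a suffix -> count map."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_prefix: str, body: str) -> int:
    """Number of times the password appears in breaches, 0 if absent. The body
    must be the response for this password's prefix, otherwise the result is
    meaningless, so that is checked first."""
    prefix, suffix = hash_prefix_suffix(password)
    if prefix != range_prefix.upper():
        raise ValueError(f"response is for range {range_prefix}, password is in {prefix}")
    return parse_range_response(body).get(suffix, 0)


# Constructed sample body for range 5BAA6 (the range containing "password").
# The suffixes other than the first and the counts are invented for illustration.
SAMPLE_RANGE_PREFIX = "5BAA6"
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:12
FFEEDDCCBBAA99887766554433221100ABC:1
"""


if __name__ == "__main__":
    for candidate in ("password", "GpDjwmXaLeNHbhfG"):
        print(candidate, "->", range_url(candidate))
        try:
            n = breach_count(candidate, SAMPLE_RANGE_PREFIX, SAMPLE_RANGE_BODY)
            print("  seen in breaches:", n)
        except ValueError as exc:
            print("  needs a different range:", exc)
```

Any count above zero means the password is in cracking wordlists and should be retired even if it looks strong. Because the suffix comparison happens locally, the server cannot tell which of the several hundred hashes in the range you were asking about.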

One alternative to creating and remembering strong, lengthy, complex passwords for every important site you deal with is to outsource this headache to a password manager. A password manager is a software application that stores and manages passwords for online accounts, saving them in an encrypted vault that is unlocked with a single master password. A good password manager will also generate random, complex passwords for you using a cryptographically secure random source. The combination of these two things is the simplest step you can take to improve your overall password strength and security.

Remember to create a single long, unique master password and never reuse it for anything else; everything in the vault is only as safe as that one password. Turn on two-factor authentication for the manager account as well, where it is offered. Memorize just that one password, and you will always have access to all your login information, while anyone who gets hold of the encrypted vault without it has nothing they can read.

3 thoughts on “Lock Down Your Logins with Better Password Practices”

  1. Two of San Antonio’s most well-known financial institutions allow short passwords – less than 10 characters – and one doesn’t let you have a password longer than 12 characters.

    At a minimum, investments, insurance and banking should allow 16+ character passwords and two-factor authentication.

  2. Sounds like we need to know more about password managers, which ranks best, and what to look for in choosing one.

  3. Two-factor authentication does not necessarily have to rely on text or email for the codes. Many businesses and financial institutions will let you use an authenticator app to generate codes without having to be online.
    Regardless of the type, if 2FA is offered, by all means use it!
