
7 Tips For Creating a Better Password


How strong is your password, really? Do you use the same one on a number of accounts? Or refer to your dog Fluffy in all of them? Chances are some or all of your login codes could use a change.

Our passwords are a key component of our lives, and as more of the services we rely on every day move online, the stakes grow ever higher. Here are 7 tips to improve your passwords—and your security online.

1. Create Strong Passwords

Ideally, a password should be at least 12 characters and include a mix of lower case and capital letters, numbers and special characters such as @, $ or *. It should also be unrelated to any of your prior passwords.

Struggling to think of something? You can use a password generator (there are a number of free options available), or pick a short sentence or phrase to use as inspiration and replace certain letters with numbers or special characters. For example, you could channel Cookie Monster and go with, "W@nT~C0oK13$."

2. Avoid Passwords Containing Info Easily Found Online

Part of having a strong password is not using information someone could easily (or even not-so-easily) figure out by checking out your social media accounts. That means if you constantly post about your dog, Fluffy, don't make your password "Fluffy_Lv3r."

Consider the whole extent of the information out there. While "H@rRy*P0tt3r" is generally a strong password, don't use it if you are a member of a Harry Potter fan club or post quizzes to your page like "What Hogwarts House Would You be Sorted Into?"

3. Use a Unique Password for Every Website or App

You might think a security breach at, say, LinkedIn doesn't matter—they have your resume, so what? But if you use the same password, or even a similar one, for LinkedIn as you do for your bank account, Facebook or any number of other applications, a hacker can soon find a way to wreak havoc in your financial and personal life.

Need help remembering (and generating) all those passwords? Consider using a password manager app. Many available apps will help you generate and store unique passwords for every website. If you don't feel comfortable keeping that info in the cloud, you can also just create a document on your computer and encrypt that with a password. If you are more the pen-and-paper type, you can keep a list at home.

"In some scenarios, writing down passwords isn't a terrible thing (it's offline) provided you protect what you have written and where you store it," said Whitney Hewatt, a lead security engineer at FINRA. "Certainly don't store such things right next to any systems you use making it easy to find such lists."
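As an added example (this is not code from the article or from FINRA), here is a small Python check that applies tips 1 to 3 to a candidate password: at least 12 characters with all four character classes, no personal information even when letters are swapped for numbers or symbols, and nothing too similar to a prior password. The letter-substitution table and the 0.8 similarity threshold are my assumptions, not rules stated in the article.

```python
import re
from difflib import SequenceMatcher

# Substitutions people commonly make when "replacing certain letters with
# numbers or special characters"; undone before looking for personal info.
# This table is an assumption for the example, not an exhaustive list.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lowercase, undo the substitutions above, keep only letters/digits."""
    return re.sub(r"[^a-z0-9]", "", pw.lower().translate(LEET))


def check_password(pw, personal_terms=(), prior_passwords=()):
    """Return a list of problems; an empty list means the password passes
    the article's rules (12+ chars, four character classes, no personal
    info, not similar to any prior password)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    norm = normalize(pw)
    # Tip 2: "Fluffy_Lv3r" and "H@rRy*P0tt3r" still contain the pet's name
    # or the fandom once the substitutions are undone.
    for term in personal_terms:
        t = normalize(term)
        if len(t) >= 3 and t in norm:
            problems.append(f"contains personal info '{term}'")
    # Tips 1 and 3: reject near-duplicates of earlier passwords. A real
    # system would hold a hashed history, not plaintext; plaintext is used
    # here only so the comparison is visible. 0.8 is an assumed threshold.
    for old in prior_passwords:
        ratio = max(SequenceMatcher(None, pw, old).ratio(),
                    SequenceMatcher(None, norm, normalize(old)).ratio())
        if ratio >= 0.8:
            problems.append("too similar to a prior password")
            break
    return problems
```

Running `check_password("W@nT~C0oK13$", ["Fluffy", "Harry Potter"])` returns an empty list, while the two examples the article warns against are both flagged.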

4. Avoid Linked Accounts

What does that mean? When you are new to a website and it says you can create a new account, or you can link the account to use your Facebook or email login, just create the new account instead.

"Sure, linked accounts are convenient," Hewatt said. "But convenience comes at a cost."

When you log in using another account, you are usually allowing that website to have some of your data, whether you realize it or not. That may be a privacy concern and may make identity theft easier. But beyond that, allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.

5. Use Multi-Factor Authentication

When possible, use multi-factor authentication, or two-factor authentication, particularly for your email accounts. Many e-mail providers now allow for this, including Gmail, Microsoft Mail and others.

"Protect your email accounts as best you can," Hewatt said. "Enable this setting to provide an added layer of security where you authenticate and then have to use another validation process, such as a code sent by text or authenticating app to secure the logon process."

You should do this whenever possible, but your email account is particularly important. Your email address is also where password resets are typically sent, so it's imperative that you protect your email address in order to protect all other accounts.

6. Beware Where You Enter Your Password

Be aware of possible risks such as using public kiosks and charging stations when logging on to any site or app you use. There may be malware or a virus designed to capture any information you type on the machine.

"You never know who manages these systems or how securely they are configured," said Hewatt.

The same goes for public Wi-Fi. Public Wi-Fi might be convenient and easy on your wallet as you look to avoid data overage charges from your cellular provider, but steer clear of entering your password into any website from a public network, be it at an airport or your favorite coffee shop, or in a college classroom or hotel room. Ideally, you should log in through a virtual private network (VPN) if you'll be working from a public network.

"Until better security solutions are created, traffic on open networks can generally be discovered by anyone else on that network," Hewatt said. "You may be better off using cellular communications when possible."

7. Take Note When a Data Breach Occurs

If you hear about a possible data breach of a website or app you use, don't just assume others were affected, but not you. Take steps to determine if your credentials have been stolen.

You can reach out to the company that was hacked, or use test sites to determine if your credentials were stolen. The website "Have I Been Pwned" is one option that tracks many of the known data breaches. You enter a user name or email address to determine if one of your accounts is located on lists which have already been dumped to the internet for public download.