What makes a secure password?
It's important to keep these four tips in mind when creating passwords:
- Make your password as long as possible. To beef up your own security, Carnor recommends considering the length of your password first. Simply put — the longer, the better. “Twelve characters is long enough and there are enough possible combinations that it will take a long time for an attacker to try all of them," she says.
- Avoid commonly used phrases, like favorite sports teams, the names of movies or music albums, and sayings like “live, laugh, love."
- Use a series of random letters. Many experts recommend using a series of random letters over using any dictionary words. When using this method, make sure those letters are truly random. Following a pattern on your keyboard (like qwerty) can also be easily guessed.
- Use a combination of three different types of characters. Carnor recommends adding another layer of security by using a combination of three different types of characters, such as numbers, punctuation symbols, and capitalization, but be sure to mix it up. “Multiple numbers, symbols, and capital letters spread throughout the password are best," says Carnor. “Definitely don't put your capital letters at the beginning or your numbers at the end. That's the first thing that will be guessed."
How many passwords do you need?
Keeping up with dozens of different passwords can be a pain, especially if you're using complex passwords for seemingly unimportant accounts like streaming services. In theory, Carnor says you could use one or two simpler passwords for accounts like these, saving your best passwords for more sensitive accounts like your email or online banking, but tread carefully.
“Remember that sometimes information stored in one account can be used to answer secret questions and break into an important account," she says.
To play it safe, keep unique passwords for every account. If you have trouble remembering your passwords, write them down and store them securely on paper in your house — not digitally on your phone or laptop, which could be hacked or stolen. You could also use a password manager, which securely stores all your passwords, allowing you to access them simply by remembering the password to the manager itself. However, it's probably not wise to store your financial account passwords in a password manager.
How often should you change your passwords?
For your financial accounts, it's a good idea to change your passwords periodically, following the secure password guidelines above.
However, if you think your account might have been compromised, or if you were notified of a data breach by a company you hold an account with, it's a good idea to change your passwords for all your online accounts where security is paramount (such as email, online banking, investment accounts, etc.). If any of your critical accounts share a similar password or security question in common with the breached account, then you should change those passwords immediately. That's because hackers can use any personal info gleaned during a breach in combination with a stolen password to log into your other accounts.
When you change your password, resist the temptation to slightly switch up your current password. Since hacking programs are designed to search for slight variations in passwords, adding a new digit or symbol won't do much to protect your account. Instead, “it can be helpful if you choose something completely different each time," says Carnor.
How can you add an extra layer of security for sensitive accounts?
For accounts that are particularly sensitive — such as your private email, bank, or credit card account, or any account where you've stored financial information — it's a good idea to add another layer of security through multifactor authentication.
Multifactor authentication protocols are different for each company. Many require you to select a second contact method, such as text or email, to confirm your identity when something unusual happens — like a login from another location or computer, or after your account has several failed password attempts. Multifactor authentication may also require you to verify your identity at set intervals, such as whenever you clear your browser history or if you go online in hidden or "incognito" mode.
While the extra step might seem like a pain, a quick verification code over text will quickly become second nature — and help protect your account.
Overall, the most important thing to remember is to start with long, hard-to-decode passwords. If you start off on the right foot, it'll be much easier to keep your sensitive accounts and financial information secure.
Curious how strong your passwords are? Visit How Secure Is My Password to see how you stack up.