How to Protect Your Account With Secure Passwords
In a study conducted between 2016 and 2017, researchers at Google found that hackers steal nearly 250,000 online login credentials each week.1 Once they've got the details, hackers can gain access to your account or sell your information on the dark web before you realize anything has happened. Having secure passwords can greatly lower the risk of your accounts being compromised — and creating good passwords you'll actually remember is surprisingly easy if you follow a few golden rules.
How do hackers steal passwords?
Your passwords might not be as unique, or as hacker-proof, as you think they are.
As part of a research team, Dr. Lorrie Cranor, professor of computer science and of engineering and public policy at Carnegie Mellon University, analyzed how hackers gain access to online credentials and studied the password habits of more than 50,000 people. Cranor found that hackers use cracking programs that guess passwords built from commonly used words, phrases, and keyboard sequences. Recovering a password can take mere seconds, simply because most of us think alike when creating one.
“We see a lot of passwords that are about seven lowercase letters followed by a single digit or an exclamation point," Cranor says. Another common way people try to strengthen a password is by capitalizing the first letter.
These common patterns make it much easier for hackers to recover hundreds, or even thousands, of passwords quickly. Here's how: companies like your bank or email provider don't store your password itself; they store a hash of it (a one-way scrambled form) on their servers. Once a hacker breaks into that server and copies the table of hashes, they run a cracking program on their own hardware. Many of these programs simply try every word in a dictionary, then apply "rules" to each word, such as appending digits and symbols or capitalizing the first letter, hashing every guess and comparing it with the stolen hashes until one matches. Because all of this happens offline, the hacker never has to submit a guess to the website: the failed-login lockout never triggers, you get no warning that someone was trying to access your account, and once the program reports a match the hacker simply logs in with the correct password.
Did you know? The longer your password is, the better — with the recommended length being 12 characters.
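The offline attack described above, as an added example that is not part of the original article: a handful of stolen password hashes (constructed here for the demo) are cracked by taking dictionary words and applying the common tweaks Cranor describes, capitalizing the first letter and appending a digit, a symbol, or a year. The hash function (unsalted SHA-256) and the tiny wordlist are assumptions made for the demonstration; real attackers use much larger wordlists and rule sets, but the mechanism is the same. Note that no guess is ever sent to a website, so no lockout is triggered.

```python
"""Dictionary attack with mangling rules against stolen password hashes.

Added example (not from the article). Hash function, wordlist and the
"stolen" hashes are all constructed for the demo.
"""
import hashlib
import string

# Assumption for the demo: the site stores unsalted SHA-256 hashes.
# This is a fast hash, which is exactly what makes offline cracking cheap.
def store(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str):
    """Yield the common variations of one dictionary word:
    capitalized or upper-cased, with a digit, symbol, digit+symbol,
    year, or year+symbol appended (the patterns the article describes)."""
    bases = {word, word.capitalize(), word.upper()}
    years = [str(y) for y in range(1990, 2030)]
    suffixes = [""] + list(string.digits) + list("!?#")
    suffixes += [d + s for d in string.digits for s in "!?#"]
    suffixes += years + [y + s for y in years for s in "!?#"]
    for base in bases:
        for suffix in suffixes:
            yield base + suffix


def crack(hashes, wordlist):
    """Try every mangled guess for every word; return ({hash: password}, guesses).

    Everything happens locally against the copied hash table, so the
    site's failed-login protection never sees a single attempt."""
    targets = set(hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for guess in mangle(word):
            guesses += 1
            h = store(guess)
            if h in targets and h not in found:
                found[h] = guess
                if len(found) == len(targets):
                    return found, guesses
    return found, guesses


# Constructed sample data: a small wordlist and four "stolen" hashes.
# Three passwords follow the common pattern; the last is 12 random
# characters drawn from three classes and is never recovered.
WORDLIST = ["password", "welcome", "monkey", "dragon", "letmein", "sunshine", "football"]
STOLEN = [store(p) for p in ["Welcome1", "dragon2019!", "Sunshine!", "xQ7#mrL2!pV9"]]


def run_demo():
    """Crack the sample table; returns the recovered passwords and guess count."""
    return crack(STOLEN, WORDLIST)


if __name__ == "__main__":
    found, guesses = run_demo()
    print(f"{len(found)} of {len(STOLEN)} hashes cracked in {guesses} guesses")
    for h, pw in found.items():
        print(f"  {h[:12]}...  ->  {pw}")
```

Running it recovers the three patterned passwords in a few thousand guesses (a fraction of a second) while the random 12-character one survives every rule in the list.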
What makes a secure password?
It's important to keep these four tips in mind when creating passwords:
- Make your password as long as possible. To beef up your own security, Cranor recommends considering the length of your password first. Simply put: the longer, the better. “Twelve characters is long enough and there are enough possible combinations that it will take a long time for an attacker to try all of them," she says.
- Avoid commonly used phrases, like favorite sports teams, the names of movies or music albums, and sayings like “live, laugh, love."
- Use a series of random letters. Many experts recommend using a series of random letters over using any dictionary words. When using this method, make sure those letters are truly random. Following a pattern on your keyboard (like qwerty) can also be easily guessed.
- Use a combination of three different types of characters. Cranor recommends adding another layer of security by using a combination of three different types of characters, such as numbers, punctuation symbols, and capital letters, but be sure to mix it up. “Multiple numbers, symbols, and capital letters spread throughout the password are best," says Cranor. “Definitely don't put your capital letters at the beginning or your numbers at the end. That's the first thing that will be guessed."
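To put numbers on the four tips above, here is an added example (not from the article) that counts how many candidates an attacker must try for a given password shape, estimates how long that takes at an assumed offline cracking rate, flags the weaknesses the tips warn about, and generates a password that satisfies all four. The class sizes (26 lowercase, 26 uppercase, 10 digits, 32 ASCII punctuation symbols) are standard; the rate of 10 billion guesses per second is an assumption chosen as a rough figure for a fast unsalted hash on a GPU rig.

```python
"""Search-space arithmetic, a weakness checker and a generator for the
four password tips. Added example, not the article's code."""
import math
import secrets
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase
DIGITS, SYMBOLS = string.digits, string.punctuation
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 characters


def guesses_for_pattern(pattern):
    """Candidates an attacker must try if each position is drawn from the
    given class, e.g. [LOWER] * 7 + [DIGITS] for the common
    seven-lowercase-letters-plus-a-digit shape."""
    return math.prod(len(cls) for cls in pattern)


def years_to_exhaust(candidates, guesses_per_second=1e10):
    """Worst-case time to try every candidate. The rate is an assumption
    (roughly a GPU rig against a fast unsalted hash)."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


def weaknesses(pw):
    """Return the tips a password violates (empty list means none)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes_used = sum(any(c in cls for c in pw) for cls in CLASSES)
    if classes_used < 3:
        problems.append("fewer than three character classes")
    # Capital only at the start / digit only at the end: the first things guessed.
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        problems.append("only capital letter is at the start")
    if pw[-1:].isdigit() and not any(c.isdigit() for c in pw[:-1]):
        problems.append("only digit is at the end")
    low = pw.lower()
    for walk in ("qwerty", "asdf", "zxcv", "1234", "abcd"):
        if walk in low:
            problems.append(f"contains keyboard or sequence pattern '{walk}'")
    return problems


def generate(length=12):
    """Uniformly random password from all 94 characters, resampled until it
    passes every check above and has neither a capital first nor a digit last.
    secrets (not random) is used because this is security-sensitive."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weaknesses(pw) and pw[0] not in UPPER and pw[-1] not in DIGITS:
            return pw


if __name__ == "__main__":
    common = guesses_for_pattern([LOWER] * 7 + [DIGITS])
    strong = guesses_for_pattern([ALPHABET] * 12)
    print(f"7 lowercase + digit : {common:.2e} candidates, "
          f"{years_to_exhaust(common) * 365 * 24 * 3600:.0f} seconds")
    print(f"12 random, 4 classes: {strong:.2e} candidates, "
          f"{years_to_exhaust(strong):.0f} years")
    print("Welcome1 ->", weaknesses("Welcome1"))
    print("generated ->", generate())
```

At the assumed rate the seven-letters-plus-digit shape is exhausted in about eight seconds, while twelve random characters from all four classes take on the order of a million years; the difference comes from length and randomness, not from any single symbol.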
How many passwords do you need?
Keeping up with dozens of different passwords can be a pain, especially if you're using complex passwords for seemingly unimportant accounts like streaming services. In theory, Cranor says, you could use one or two simpler passwords for accounts like these and save your best passwords for more sensitive accounts like your email or online banking, but tread carefully.
“Remember that sometimes information stored in one account can be used to answer secret questions and break into an important account," she says.
To play it safe, use a unique password for every account. If you have trouble remembering them, you have two reasonable options. You can write them down and keep the paper somewhere secure in your home, rather than in an unencrypted note or file on your phone or laptop, which could be hacked or stolen. Or you can use a password manager, which stores all your passwords in encrypted form so that you only have to remember the manager's own master password. Because that one password then unlocks everything, including any financial accounts you keep there, make the master password long and unique and turn on multifactor authentication for the manager itself.
How often should you change your passwords?
For your financial accounts, it's a good idea to change your passwords periodically, following the secure password guidelines above.
However, if you think your account might have been compromised, or if you were notified of a data breach by a company you hold an account with, it's a good idea to change your passwords for all your online accounts where security is paramount (such as email, online banking, investment accounts, etc.). If any of your critical accounts share a similar password or security question in common with the breached account, then you should change those passwords immediately. That's because hackers can use any personal info gleaned during a breach in combination with a stolen password to log into your other accounts.
When you change your password, resist the temptation to slightly switch up your current one. Cracking programs apply exactly these tweaks as rules (add a digit, bump a year, swap a symbol), so if an old password has leaked, adding a new digit or symbol to it won't do much to protect your account. Instead, “it can be helpful if you choose something completely different each time," says Cranor.
How can you add an extra layer of security for sensitive accounts?
For accounts that are particularly sensitive — such as your private email, bank, or credit card account, or any account where you've stored financial information — it's a good idea to add another layer of security through multifactor authentication.
Multifactor authentication works differently at each company. Many ask you to register a second channel, such as a text message, an email address, or an authenticator app, and send a one-time code there to confirm your identity when something unusual happens, like a login from a new location or device, or several failed password attempts. Sites usually remember a device you have verified by storing a cookie in your browser, so you may be asked to verify again if you clear your browser data or use a private or "incognito" window, where that cookie is absent. Where the account offers it, an authenticator app or a hardware security key is stronger than a code sent by text, because texted codes can be intercepted if an attacker takes over your phone number (a "SIM swap").
While the extra step might seem like a pain, a quick verification code over text will quickly become second nature — and help protect your account.
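To show what is behind a six-digit verification code, here is an added example (not the article's code, and not how any particular bank implements its multifactor authentication) of the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP from RFC 4226) that authenticator apps use. The server and the app share a secret; each derives the code from the secret and the current 30-second time step, so the code proves possession of the app without the secret ever crossing the network. The secret here is the RFCs' published test key, so the expected codes are known; a real enrollment would use a freshly generated random secret.

```python
"""TOTP (RFC 6238) code generation and verification.

Added example, not the article's code. SECRET is the RFC 4226/6238 test
key, used only so the codes below are reproducible.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC test vector key, NOT a real secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated
    to a 31-bit integer, reduced modulo 10**digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30) -> str:
    """TOTP: HOTP with the counter set to the current 30-second time step."""
    now = time.time() if at is None else at
    return hotp(key, int(now // step))


def verify(key: bytes, submitted: str, at=None, step: int = 30, drift: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step or `drift`
    steps either side (clock skew, a code typed just before it rolled over),
    compared in constant time. A real deployment also records the last
    accepted step so the same code cannot be replayed within its window."""
    now = time.time() if at is None else at
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(key, counter + d), submitted)
        for d in range(-drift, drift + 1)
    )


if __name__ == "__main__":
    # Fixed timestamps from the RFC 6238 test table (T = 59 -> counter 1).
    print("code at T=59   :", totp(SECRET, at=59))        # 287082
    print("accept at T=60 :", verify(SECRET, "287082", at=60))   # True, one step later
    print("accept at T=95 :", verify(SECRET, "287082", at=95))   # False, two steps later
    print("code right now :", totp(SECRET))
```

The drift window is the edge case worth understanding: a code is valid for its 30-second step plus one step on either side, so a stolen code is useful to an attacker only for about a minute, and only if the legitimate user has not already used it.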
Overall, the most important thing to remember is to start with long, hard-to-decode passwords. If you start off on the right foot, it'll be much easier to keep your sensitive accounts and financial information secure.
Curious how strong your passwords are? Visit How Secure Is My Password to see how you stack up. Never type a password you actually use into a checker or any other website; test a made-up password of the same length and pattern instead.
Important Disclosure Information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
- Google AI, "Data breaches, phishing, or malware? Understanding the risks of stolen credentials," accessed June 26, 2018.