Strong, unique passwords are your first line of defense against unauthorized access to your devices and personal information. The better the password, the harder it is for threat actors to get into your computer or device.
The thing is, a good password alone is not enough. It must be paired with other security practices for optimum protection. Just a few extra steps can go a long way toward preventing disaster.
We’re only human
It’s a good idea to routinely change passwords, especially if a company you have an account with suffered a data breach. The problem is doing this too often could make you careless.
If you work for a company that often requires updating your credentials, you may get sick of it and make up an easy (and weak) password each time. You may just add an extra character at the end of your existing password to meet the bare minimum. Don’t do it.
There’s rule No. 1 for you: Don’t just update a letter, character or number at the end of your current password and call it good.
There are databases with millions of stolen passwords, and yours might be there. Adding an exclamation point or question mark at the end of your current password doesn’t do much to stop threat actors from figuring it out.
Your favorite websites have flaws that threat actors can exploit.
Researchers at Princeton University put together the following criteria for password requirements that balance security and usability. They considered a website's password policy secure only if it met all three:
- Allowed five or fewer of the 40 most common leaked passwords and easiest-to-guess passwords (such as “12345678”, “rockyou”) researchers tried.
- Required passwords be no shorter than eight characters or employed a password strength meter to gauge a password’s resilience against threat actors who attempt to guess it.
- Did not impose any character-class requirements such as “at least one digit and one special character.”
That brings us to rule No. 2: You know password1 is a stupid password, but avoid these lesser-known but very commonly used passwords: qwerty123, myspace, badboy, playboy, hellokitty, police, money, loverboy, boomer, sexy.
And here’s rule No. 3: Skip the random number or punctuation mark at the end of your password, and instead work it into the password itself. You can replace an O (the letter) with a zero, for example, like this: k0mand0_scholar. Or sub in a character for a letter it resembles, like this: f@nt@syFormer.
Get this: The researchers examined the password policies of 120 of the most popular English-language websites in the world and found that only 15 websites followed the above practices. In addition:
- 75% of the examined websites did not stop users from using the most common passwords like “abc123456” and “P@$$w0rd.”
- 45% required specific character classes, a rule that frustrates users and is not worth the small security benefit it brings.
- Only 19% of the websites in the study used a password strength meter, a valuable tool for users. And even among those, the meters pushed users toward particular characters rather than toward overall stronger passwords.
Sites like Amazon, TikTok, Netflix, Etsy and the Wall Street Journal failed to block leaked and/or easily guessed passwords. Amazon actually allowed the most commonly used password on the web, “123456,” to be used.
Rule No. 4: One simple switch, like adding a character, will not save a weak password. Yes, P@$$w0rd is easy to guess. Instead of one or two words, try a longer “passphrase” that you can remember and then add your finishing touches. Perhaps you choose “my two cats are smart,” which becomes “my2c@tsrSmart.”
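Here is what those three Princeton criteria look like as an actual policy check, together with the point behind rules No. 1 and No. 4. This is an added example written for this page, not code from the article or from the Princeton researchers. The blocklist is a constructed stand-in for the researchers' 40-entry list (it uses the passwords the article names), and the symbol-for-letter map is an assumption about the swaps people commonly make. Note what the normalization step does to “P@$$w0rd”: it comes out as “password”, which is exactly why the article calls that password easy to guess.

```python
"""Password-policy check modelled on the three criteria quoted above.

Added example, not from the original article or the Princeton study.
COMMON_PASSWORDS is a constructed stand-in for the researchers' 40-entry
blocklist; LEET_MAP is an assumed set of common look-alike substitutions.
"""
import re

# Constructed blocklist: the passwords named in the article plus a few classic leaks.
COMMON_PASSWORDS = {
    "123456", "12345678", "password", "password1", "rockyou", "abc123456",
    "qwerty123", "myspace", "badboy", "playboy", "hellokitty", "police",
    "money", "loverboy", "boomer", "sexy",
}

# Assumed look-alike swaps, reversed so a swapped password maps back to the plain word.
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "5": "s", "7": "t",
})

MIN_LENGTH = 8  # criterion 2: no shorter than eight characters


def normalize(password: str) -> str:
    """Lower-case and undo symbol/digit-for-letter swaps, so 'P@$$w0rd' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str) -> list:
    """Return the reasons a password fails the policy; an empty list means it passes.

    Mirrors the three criteria: blocklist (criterion 1), minimum length (criterion 2),
    and deliberately NO 'must contain a digit and a symbol' rule (criterion 3).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    elif normalize(password) in COMMON_PASSWORDS:
        # Rule No. 4: one symbol swap does not save a weak password.
        problems.append("a symbol-swapped version of a blocklisted password")

    # Rule No. 1: digits or punctuation tacked onto the end do not help either.
    stripped = re.sub(r"[\d!?.]+$", "", password)
    if stripped != password and normalize(stripped) in COMMON_PASSWORDS:
        problems.append("blocklisted password with characters tacked onto the end")
    return problems


if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "password!", "sexy", "my2c@tsrSmart"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Running the module prints a verdict per sample password: the first three are rejected and the passphrase-based “my2c@tsrSmart” passes. A real deployment would load a much larger breached-password list than the handful embedded here; the shape of the check stays the same.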
What you can do about it
By now you realize you can’t rely on sites to protect you. Even Amazon will allow shockingly bad passwords. That means it’s up to you.
Rule No. 5: Don’t rely on a website’s strength meter to keep you safe. As the researchers showed, even the biggest sites have lax or missing rules, and hackers know it.
The truth is, remembering complicated passwords for each and every account is virtually impossible. Luckily, there are tools to help you stay safe.
Password managers are good for almost anyone out there. You need to remember just one super strong password — called the master password — to unlock your vault of logins.
Two-factor authentication is a must for every account that offers it. Even if you did get lazy with your password, this additional security measure makes it nearly impossible for hackers to break into accounts without the security code sent to your phone or an authentication app. Here’s more information on 2FA.
Rule No. 6: This rule isn’t new, but it’s worth saying one more time: Never use the same password for multiple accounts. Through a technique known as credential stuffing, hackers take passwords stolen from one service and try them on other services, hoping to find accounts where you reused the same one.
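From the defender's side, credential stuffing has a recognizable shape in a login log: one source address, one or two attempts each, spread across many different accounts, which is the opposite of a person mistyping their own password. The following is an added example, not code from the article; the log lines are constructed and their format (timestamp, result, user, source IP) is an assumption about what a web application records.

```python
"""Spotting credential stuffing in a login log.

Added example, not from the original article. SAMPLE_LOG is constructed and
its line format is assumed; adjust LINE_RE for a real application's logs.
"""
import re
from collections import defaultdict

# Constructed sample log. 203.0.113.7 walks through six different accounts;
# 198.51.100.4 is one user fumbling their own password before getting it right.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02Z login FAIL user=bob src=203.0.113.7
2024-05-01T10:00:02Z login FAIL user=carol src=203.0.113.7
2024-05-01T10:00:03Z login OK   user=dave src=203.0.113.7
2024-05-01T10:00:03Z login FAIL user=erin src=203.0.113.7
2024-05-01T10:00:04Z login FAIL user=frank src=203.0.113.7
2024-05-01T10:00:09Z login FAIL user=alice src=198.51.100.4
2024-05-01T10:00:15Z login FAIL user=alice src=198.51.100.4
2024-05-01T10:00:20Z login OK   user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) login (OK|FAIL)\s+user=(\S+) src=(\S+)$")


def parse(log: str):
    """Yield (timestamp, succeeded, user, src) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield ts, result == "OK", user, src


def find_stuffing(log: str, min_accounts: int = 5) -> dict:
    """Return, per source IP that tried at least `min_accounts` distinct accounts,
    the sorted usernames it tried and the ones where the login succeeded.

    A forgotten password gives many failures for ONE account. Stuffing gives a
    few tries each across MANY accounts, because a breach list is being replayed.
    Any success from such a source is a reused password that needs resetting.
    """
    users_by_src = defaultdict(set)
    successes_by_src = defaultdict(set)
    for _ts, succeeded, user, src in parse(log):
        users_by_src[src].add(user)
        if succeeded:
            successes_by_src[src].add(user)
    return {
        src: {"tried": sorted(users), "succeeded": sorted(successes_by_src[src])}
        for src, users in users_by_src.items()
        if len(users) >= min_accounts
    }


if __name__ == "__main__":
    for src, info in find_stuffing(SAMPLE_LOG).items():
        print(f"{src}: tried {len(info['tried'])} accounts, "
              f"succeeded on {info['succeeded'] or 'none'}")
```

On the sample, only 203.0.113.7 is flagged, and the successful login for “dave” from that address is the account whose password was reused somewhere that got breached; that is the login to force a reset on and to protect with 2FA. The one-account source is left alone, which is why the count is of distinct accounts rather than raw failures.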