Strong, unique passwords are your first defense against unauthorized access to your devices and personal information. The better the password, the more secure your computer or device will be from threat actors.
The thing is that a good password is not enough. It must be paired with other security practices for optimum protection. Just a few extra steps can go a long way in preventing disaster.
We’re only human
It’s a good idea to routinely change passwords, especially if a company you have an account with suffered a data breach. The problem is doing this too often could make you careless.
If you work for a company that often requires updating credentials, you may get sick of it and make up an easy (and weak) password each time. You might decide to add an extra character at the end of your password to meet the bare minimum. Don’t do it.
There’s rule No. 1 for you: Don’t just update a letter, character or number at the end of your current password and call it good.
There are databases with millions of stolen passwords, and yours might be exposed. Adding an exclamation point or question mark at the end of your current password doesn’t do much to stop threat actors from figuring it out.
Your favorite websites have flaws that threat actors can exploit.
Researchers at Princeton University put together the following criteria for best password requirements regarding security and usability. It considers a website secure only if it satisfies the following criteria:
- Allowed five or fewer of the 40 most common leaked passwords and easiest-to-guess passwords (such as “12345678” and “rockyou”) researchers tried.
- Required passwords be no shorter than eight characters or employed a password strength meter to gauge a password’s resilience against threat actors who attempt to guess it.
- Did not impose any character-class requirements such as “at least one digit and one special character.”
That brings us to rule No. 2: You know password1 is a lousy password, but avoid these lesser-known but very commonly used passwords: qwerty123, myspace, badboy, playboy, hellokitty, police, money, loverboy, boomer, sexy.
RELATED: 3 tricks to see if your passwords are being sold on the Dark Web
And here’s rule No. 3: Skip the random number or punctuation mark at the end of your password, and instead work it into the password itself. For example, you can replace an O (the letter) with a zero, like this: k0mand0_scholar. Or sub in a character for a letter it resembles, like this: f@nt@syFormer.
Get this: Researchers examined the password policies of 120 of the most popular English-language websites in the world and found that only 15 followed the above practices. In addition:
- 75% of the examined websites did not stop users from using the most common passwords like “abc123456” and “P@$$w0rd.”
- 45% require specific characters, which potentially frustrate users and are not worth the small benefit in security.
- 19% of the websites used in the study had password strength meters, a valuable security tool for users. And even among those, the meters pushed users to use certain characters rather than focusing on overall stronger passwords.
Sites like Amazon, TikTok, Netflix, Etsy and the Wall Street Journal failed to block leaked and/or easily guessed passwords. Amazon actually allowed the most commonly used password on the web, “123456,” to be used.
Rule No. 4: One simple switch, like adding a character, will not save a weak password. Yes, P@$$w0rd is easy to guess. Instead of one or two words, try a longer passphrase that you can remember and add your finishing touches. Perhaps you choose “my two cats are smart,” which becomes “my2c@tsrSmart.”
RELATED: Best free Windows and Mac security downloads for your computer
Take matters into your own hands
By now, you realize you can’t rely on sites to protect you. Even Amazon will allow shockingly bad passwords. That means it’s up to you.
Rule No. 5: Don’t rely on a website’s strength meter to keep you safe. Researchers proved that even the big ones have lax or lacking rules that hackers know about.
The truth is, remembering complicated passwords for every account is virtually impossible. Luckily, there are tools to help you stay safe.
Password managers are good for almost anyone out there. You need to remember just one super strong password — the master password — to unlock your vault of logins.
Two-factor authentication (2FA) is a must for every account it’s available. Even if you did get lazy with your password, this additional security measure makes it nearly impossible for hackers to break into accounts without the security code sent to your phone or an authentication app. Here’s more information on 2FA.
Rule No. 6: This rule isn’t new, but it’s worth saying again: Never use the same password for multiple accounts. Through a technique known as credential stuffing, hackers use stolen passwords on different services, hoping to find duplicates.
That’s why using unique credentials for every online account is critical. Don’t risk multiple accounts being breached because you use the same password everywhere.
You may also like: Have a DJI drone? Beware of this serious security flaw