Identity theft protection: Strong passwords

In my first identity theft risk post on Tuesday, I wrote briefly about changing your passwords, especially those you use for an account at a company that has experienced a data breach. In today’s post, we’ll examine the characteristics of easy-to-hack passwords, review some tactics for creating harder-to-hack passwords, and then talk about using password manager apps.

Security experts talk and write a lot about using passwords that are unique. But what does it mean to be unique in this context? Passwords should be unique in two different ways. They should not be commonly used or easily hackable. And they should be used for only one site: “reuse and recycle” may be a good mantra for using paper goods, but it is dangerous when it comes to passwords!
 

Unique passwords: NOT common or easily hackable

In SplashData’s review of passwords revealed by 2014 security breaches, the most common passwords were “123456” and “password.” If you are using a password like that with a single word or consecutive numbers, you are putting your accounts and finances in jeopardy.

You take the same risk when you use a term that many people would associate with you – your first or last name, your phone number, your favorite hobby or team or the name of your child or pet. My friend Karen, for example, is a huge Bruce Springsteen fan, and her Twitter feed is filled with links to videos and photos of him. If she were to use Bruce or Springsteen as a password, anyone trying to hack her accounts would have an easy time doing so.

But just how do you create a password that is harder to hack yet easy to remember? Try using complex passwords created from phrases, words spelled backwards and a mix of letters, numbers and special characters, as described in my colleague Paul Brucker’s recent article on creating more secure passwords. Also, some of the tips from my 2014 article about creating harder to hack answers to login security questions can be applied to creating passwords.
 

Unique passwords: NOT recycled on multiple sites 

The advice to use a different password for each site you use is too often ignored, especially as the number of logins and passwords we use has grown over the past few years. Many of us know that remembering all of our logins and passwords will be impossible, so we just throw up our hands and use the same one for most sites we frequent. But that means that if any one of those sites experiences a data breach that includes user passwords, every one of your accounts that uses that password will be compromised.

Recycling passwords is especially dangerous when you reuse a password on financial sites, so make sure that your passwords for banking, retirement funds and credit card accounts are not the same ones you use elsewhere. If you do so, you are playing with fire.
 

Password manager apps

If you know that there is no possible way you can remember a unique password for each and every site you use, you might consider using a password manager app. These apps can help you to keep a record of the passwords for every site you use so you don’t have to rely on your memory. Many of them will also help you create strong, complex passwords by either generating a password for you or by rating the strength of your current passwords so you can eliminate any weak ones. Some password managers store the database of your passwords on your computer, but some store them in a “cloud” server, so that you can access your list of passwords from all your devices wherever you are.

Keep in mind, though, that password managers do not ensure online security. Even the best password manager is vulnerable if someone hacks your password to get into the password manager itself. But many security experts feel that the benefit of making it easier to use a unique, strong password for every single site you use makes using a password manager beneficial. Technology sites like CNet, Wired and PC Magazine have published reviews of password management software, so they are a good place to start if you are interested in researching this option.

Before you spend money on a password manager, look on your PC or mobile device to make sure that you don’t already have access to one via other security applications. In researching this article, I found out that the virus scanning product I use on my personal laptop includes a password manager in some of its anti-virus software packages. It turned out, I had a well-reviewed password manager on my laptop all along, but just didn’t know it!
 

Sources: CNet, Wired, PC Magazine, Forbes, CNN Money