A Password Management Primer

The weakest link in your cybersecurity set-up may also be the most overlooked aspect: your passwords.

Think about it. When you open an account, how much time do you spend considering your password? A few seconds? Or, even worse, do you just reuse the same password for every account?

Poor password management can derail all the other security efforts you’ve made to safeguard your personal identity and financial assets. It’s similar to leaving the key in the front-door lock to your home; you’re making it far too easy for intruders to gain access. And with the average individual having 27 online accounts that require a password, your life can suddenly become much more challenging if your passwords are compromised.¹

Research continues to evolve regarding password best practices in order to stay ahead of cybercriminals. While some of the following advice may sound familiar, others are based on new information.

Don’t get personal: Your job is to make life difficult for a hacker. Providing personally identifiable information (PII) in your passwords—such as your name, birthdate, home town, house number or pet’s name—that cybercriminals can uncover through public records or social media accounts gives them a head start at cracking your passwords.

Emphasize length: Generally, longer passwords are less likely to be cracked. Focus on generating passwords that are at least eight characters; even bumping them by a few more characters makes your password exponentially harder to guess.

Also, when possible consider using passphrases instead of a password built around a single word or a series of letters, characters and numerals. The passphrase should consist of at least several words. (It’s fine to use a nonsensical collection of random words.) Choose a passphrase that’s easy for you to remember, but don’t include any PII.

Use a unique password for each account: With an estimated 66% of Americans using the same password for multiple accounts, this won’t be popular advice.² But it’s essential for your security.

Developing a password for every account limits the damage if your credentials are compromised. If you reuse passwords and a hacker steals that password, they can go on a devastating spree across multiple accounts that could wipe out your savings, max out your credit cards, hijack your social media accounts, seize your private photos, gain access to your contacts, damage your reputation and more.

Test your passwords: You might think your proposed password is airtight. But is it really? It’s best to check your password against a list of commonly used or easily compromised passwords before adopting the password. Some software tools will compare your password against previously held or exposed passwords for you.

Keep passwords confidential: In short, don’t share your passwords. That’s especially true when someone initiates a conversation with you and requests your password.

In general, keep your password as private as your PIN numbers. It’s that important.

Choose good security questions: Many service providers require you to supply the answer to a password recovery question when setting up your account. (You may need to provide the answer if you forget your password or want to change it.)

Avoid questions that hackers might be able to easily obtain or guess the answer, such as the name of your street or pet. You can also make up your own nonsensical answer to the question that no one else would guess.

Additionally, providers may provide a “hint” if you forget your password to prompt your memory. Remember that anyone who accesses your device will be able to see that same hint.

Avoid password auto-save: Computer browsers often offer to save your passwords and automatically enter them for you when you log into your accounts. It’s so tempting to take advantage of this because it speeds the log-in process and avoids taxing your busy mind.

But it’s a risky practice. If a cybercriminal hacks into your system, all your saved passwords will be available to them. And if anyone else in your household has access to your computer or phone, they’ll be able to see your passwords, too.

Enable the “show password” option: How many times have you been frustrated by being unable to see what you’re entering in the passcode field of your log-in screen because it’s disguised? Some companies now allow you to clearly view what you’re typing.

While it seems counterintuitive, making your password visible can be a good idea (when you’re in a secure environment). It enables you to catch your typing mistakes, and avoid unnecessary password resets due to mistakenly thinking you’ve forgotten your password. Resetting passwords too often leads to an increased potential of data exposure.

Be careful where/how you enter passwords: Entering your passwords on public or shared computers or when using public Wi-Fi intensifies the risk of having your passwords compromised.

If you’re forced to use a public computer, log off after your session and check to make sure the computer didn’t automatically save your password. And if you enjoy browsing your accounts while outside your home, access them through a hotspot created with your phone or a virtual private network (VPN), which provides a secure, encrypted connection instead of trusting public Wi-Fi.

Use multi-factor authentication: Applying multi-factor authentication (MFA) can strengthen your password security by protecting access to your accounts. MFA requires you to provide two or more credentials when logging into your account. Doing so makes it more challenging for hackers because they’ll need to supply more than your password to access your account.

Are you tired of keeping track of all your passwords? Exhausted by the thought of creating a unique password for every account?

A password manager might be right for you. It’s essentially a digital vault that securely creates, encrypts and stores unique, complex passwords for every account. You then only need to remember your master password for your password manager app.

Many password managers will review your existing passwords for you first, and tell you if they should be updated because they’re weak, reused or have been exposed in data breaches. (If so, they’ll generate new passwords.) Some also give you the time-saving option of auto-filling online account forms with your billing address, credit card information and other pertinent data. When choosing a password manager, look for well-regarded ones that utilize the latest security options available and will work across all your devices.

If you’re concerned about having all your passwords in one location, here are a couple of things to keep in mind. First, use MFA with your password manager for greater protection. Second, even if a hacker breaks into your vault, your information will likely be useless to them because it’s encrypted.

One final piece of advice. Although passwords managers can be a significant boost to your security and peace of mind, you still need to do your part by applying overall sound password management practices.