How many total passwords do you think you have? Five? Ten? Thirty? Now think: How many of the same passwords do you use for entirely different accounts?
That number might be equally as scary. But who could blame you -- from Frequent Flyer numbers to your brother-in-law's HBO GO account, you're probably overloaded with a few too many passwords.
You're not alone. According to a 2013 study by Ofcom, more than half (55%) of adult internet users admit they use the same password for most, if not all, websites.
Though it is easier to remember, using the same password for all of your accounts makes it incredibly easy for hackers to get into your accounts. And if that one password is too simple, it's even easier for other people to access your accounts. You can do better -- and we're here to help. Below are some tips for toughening up your password security.
But we can't make too much fun -- ours may not be much better. A truly secure password is still more complex than your license plate number or mom's maiden name appended with her year of birth. Password strength is a function of length, complexity, and unpredictability. Here are some tips from the experts for making your passwords stronger.
Don't use real words or any identifying information.
The simplest of password cracking tools could guess a password that uses real words -- forward and backward. You should also avoid using proper nouns (including your dog's name), keyboard patterns (qwerty is the obvious one, but any keyboard patterns are easily guessable), letter or number sequences, romantic connections, or biographical information like your date of birth. Words with numbers added to them like "RedSox34" are also easy to crack.
Do use mnemonics.
A mnemonic password is a password that uses a pattern of letters, ideas, or associations that help you remember it better. We did an anonymous survey of password mnemonic techniques, and here were our two favorite mnemonic ideas to replicate:
"I use the same, short sentence for every password, except with one variable word that changes depending on the first letter of the domain. I also replace some letters with their lookalike numbers and add an exclamation point at the end. So "i like ___ in the morning" becomes: 1l1k3____1nth3m0rn1ng! which becomes 1l1k3FRU1T1nth3m0rn1ng! for Facebook, 1l1k3T045T1nth3m0rn1ng! for Twitter, and 1l1k3GR1T51nth3m0rn1ng!" for Gmail.
"I always use my passwords for positive reinforcement. So, for example, if I'm going for a salary raise, I'll change my password to something I aim to do with that raise, like "20dwn0pymnt00." Or, if I have a personal or professional goal I want to achieve, I use my password as a daily reminder of that goal."
Do make them long.
It's more important to create long passwords than it is to create complex ones. Here's why: If every character of your password can be chosen from 62 possible characters (any of the letters "a" through "z," uppercase "A" through "Z," and any number -- and that's even discounting symbols), then a 12-character password has 62¹² possible combinations. The number of possible combinations ends up being a 28-digit number, and will make a high-end password cracking system work really, really hard. Add one more letter, and you have a 30-digit number, and so on. The longer the better. I know, I know, it's a lot to remember -- it'll be easier if you use a mnemonic.
Do have different passwords for every account.
A Microsoft research study found that, for the majority of people, their "growing herd of password accounts is maintained using a small collection of passwords. For a user with 30 password accounts, the problem becomes not remembering 30 distinct passwords, but rather remembering which of 5 or 6 passwords was used. This appears to be done using a combination of memory, pieces of paper, trial and error, and password resets."
Don't settle for default passwords.
Default passwords are the ones vendors send you when you open your account or reset your password. Usually, these passwords are sent to your email address for your to reset -- meaning your archived emails are a jackpot of passwords.
To find these rogue passwords, search your email account for emails containing the word "password" and delete all the results. Search for "login" and "username," too.
Do use a secure password management tool.
Do you reset a password at least once a month? You're not alone. It's really hard to remember more than a few passwords, especially if you're following all of the rules I've told you about here. That's where getting a password management tool comes in. Password managers with good reviews are 1Password, LastPass 3.0, and KeePass.
Do take extra measures to protect your most important passwords.
This includes your bank, investment accounts, and personal and work emails. Make these passwords the longest and most complex of all your passwords.
Until we can do DNA scans to authenticate every account we have, multiple, long, complex passwords are the best we can do. Hopefully, by following these tips, you'll build more secure passwords -- and remember them, too.
What advice do you have for conjuring and remembering good passwords? (Don't include any information about your own passwords in the comments, please!)
Originally published Aug 11, 2014 12:00:00 PM, updated July 28 2017