Your password can ruin your life. I know that sounds dramatic, but it’s true. If someone figures out your email password, you’re in trouble. Social media? Even worse. Once hackers access your online bank account, they can wreck your finances, and you may feel the repercussions of that break-in for years.
It seems not a week goes by that we don’t hear about another data breach. How do you know if the hackers have your info? Click here to find out whether your email has been hacked or stolen.
Most of us have the wrong idea about passwords. We think they have to be convoluted messes, like F$%Th5l2K!&. This theory — that passwords should be nonsensical and hard to remember — reigned for years.
It started in 2003 with guidelines from the National Institute of Standards and Technology (NIST), which insisted on random combinations of numbers, letters and symbols. The organization’s manager, Bill Burr, spread this gospel for years. But in a recent interview with the Wall Street Journal, he admitted that this wasn’t nearly as effective as he’d thought.
Thanks to a new round of research, cybersecurity experts have changed their tune. Yes, you should still avoid guessable passwords like “p@ssword1” or “letmein.” But a strong password also can be logical, fluid and easy to remember.
1. Passwords should withstand 100 guesses
This is the most important part: No matter what your password is, it should withstand 100 guesses, which means it shouldn’t be tied to any public information about you or your family.
Hackers often turn to your social media profiles to find information about you, such as your birthday and the name of your pet. And a little data goes a long way. Experts believe criminals can guess the average person's password nearly 73 percent of the time, and they can often access other accounts by using slight variations of the same password.
Facebook is all about making it easy to share your life with your friends and family. Unfortunately, there are some things you shouldn't share online. These bits of information can put you in danger of identity theft, losing your job or causing other major headaches.
2. Use a phrase
Instead of thinking of your password as a secret code, think of it as a “passphrase.” These are strings of words that are both easy to memorize but hard for anyone else to crack.
Suppose you wanted to be an astronaut when you were a kid, and your favorite color is fuchsia. You have never mentioned these facts online, and only your mom knows such trivia about you. You could compose a passphrase like “ilikefuschiaastronauts.” You’ll never forget it, and the passphrase will confound hackers for (literally) centuries.
I told how to create a great passphrase a little over a year ago, and the advice is still valid.
3. Go long
You might want to sit down for this one: The new NIST guidelines suggest allowing users to create passwords up to 64 characters long. As if that isn’t weird enough, the guidelines also allow spaces between words. While many people just try to meet the minimum requirement of eight characters, you will get a much stronger password by stretching things out.
You could theoretically create a complex list or sentence, which still makes perfect sense to you. You could list all your pets’ names from childhood, like “fluffy princess rex spike booboo chewie,” or all the streets on the way to your favorite restaurant,
like “academy main washington ohio central.” Easy to remember. Hard to crack.
4. Don’t change your password until you have to
Until recently, consumers were advised to change their passwords every three months. But as NIST’s Paul Grassi recently told the Institute of Electrical and Electronics Engineers, “Expiration isn’t a motivator to create a brand-new password, it’s motivation to shift one character so you can remember the password.”
If you’ve created a strong password, then don’t worry about changing it out all the time. Just stick with it unless you’ve been notified of a security breach that requires a password reset.
5. Choose something memorable
Remember, all passwords should be unique, but they don’t have to be cumbersome. NIST calls passwords “memorized secrets.” You want to avoid the temptation to write them down, so pick passwords that mean something to you and will stay in your mind.
I’m not a big fan of password managers. I commit my passwords to memory. But if you cannot do that, here’s a free program that will help you store your passwords safely and easily.
6. Get creative with characters
It may take websites some time to catch up to the latest NIST guidelines, but you can still create a memorable password that meets current restrictions. Go back to Burr’s advice on passphrases. You might choose something like “ArizonaCardinalsfootballisnumber1!” or “Igivemyjob1000%everyday.” Those meet the requirements of having at least eight characters, a special character, and upper and lowercase letters.
7. Use two-factor identification
While passwords help protect your information, cybercriminals are more sophisticated than ever. If they break into your accounts, you may not recognize the damage until it’s too late.
Months passed before the public learned about the Equifax breach, and it’s hard to assess how much information was leaked and how it will be used.
That’s why two-factor identification is so important. Using text messages, emails or special apps, an account-holder will receive a notification every time a password is changed, or when it’s entered on a new device or at a new location. You will have to verify that it’s you trying to gain access.