Are your passwords as strong as they can be? For many users, self-created passwords are not nearly as secure as they should be.
Trustwave, a Chicago-based information security firm, revealed in 2013 that a massive security breach compromised nearly 2 million websites and social media accounts in more than 100 countries. In the breach, 1.58 million website login credentials and 320,000 email account credentials were stolen, including those of Facebook, Google, Twitter, LinkedIn and Yahoo. Payroll service provider ADP was also affected.
Since then other breaches have dwarfed that, including the 1.5 billion Yahoo accounts and 145 million eBay user accounts in 2014. In 2016, 412.2 million Adult Friend Finder accounts were breached.
Although the Trustwave breach was likely due to malware installed on individual computers, the report also analyzed the stolen passwords and found that many users have become careless when creating passwords. Despite best practices and security advice frequently provided by account providers, the top two stolen passwords are "123456" and "123456789," the report states. Furthermore, thousands of people are still using similarly simple passwords, such as "password" and "admin."
When it comes to password strength, the report found that only 5 percent of stolen passwords were classified as "excellent." While 44 percent of passwords were considered to be of medium strength, at 34 percent were considered weak passwords.
In fact, some of those who do follow "best practices" may still be at risk. Bill Burr, formerly of the National Institute of Standards and Technology now says that his 2003 guide to creating strong passwords could be all wrong. He told the Wall Street Journal, "Much of what I did I now regret." Partly that's because his advice may have led to the current state of password apathy.
For instance, following his advice, you might create a password like P#ssWrd1? But that's easier to guess than you think. He had also recommended you change your password every 90 days, but that led people to make tiny incremental changes like P#ssWrd2?, which is still guessable and leads to a false sense of security.
Creating stronger passwords, however, isn't rocket science. Here are five tricks to making safer, more secure passwords to better protect private accounts.
1. Be unique — avoid recycling passwords
"Never reuse the same password for multiple accounts," said Dodi Glenn, senior director of security intelligence and research labs at ThreatTrack Security, a malware analysis and anti-virus software company. "It’s a bad habit to get into."
Although it's easier to use the same password for several accounts, the convenience can result in exponentially more damage if compromised, Glenn said.
"For example, if malware records only Gmail account information, but the same password is used across a variety of sensitive sites, such as an online banking or retail site, cybercriminals can easily hack into all accounts and obtain personally identifiable information (PII) for nefarious purposes," he said.
To keep track of passwords, Eduard Goodman, chief privacy officer at Identity Theft 911, wrote in a blog post that users should store passwords in a secure place. Goodman recommends password managers such as PasswordBox, LastPass and RoboForm.
2. Be creative — use uncommon, nonsensical combinations
While using the names of loved ones, pets, favorite sports teams and other personal details may help users remember their passwords, doing so also makes it easier for hackers to access their accounts.
"We may think we are clever, but with the billions of password users on the planet, the likelihood is someone has come up with the combination before," said Tom Smith, vice president of Identity and Access at Gemalto, a digital security provider.
Due to the rise in security breaches over the last few years —most notably Adobe and Facebook hacks in 2013 — millions of passwords are available in databases for criminals to leverage in cyberattacks, Smith said.
"This type of attack is referred to as a 'Dictionary Attack,' or an attack where a password is searched systematically against all other passwords in a 'dictionary' or a specified list of existing passwords," Smith said. Because these passwords are derived from past breaches, using them increases the likelihood of the so-called "unique" password being compromised once again, he said.
To come up with more creative passwords, Goodman advised users to "shake things up a bit." One way to do so, he wrote, is to combine upper- and lowercase letters, numbers and symbols. For instance, users can turn a simple password like "happy777" into a stronger one like "H@pea!931." But you should avoid common words like Password as a basis. Another way is to take a lyric, line, or saying and shorten it into an acronym, such as turning "'Twas the night before Christmas and all through the house" into "TtnbCaatth."
3. Be lengthy — make your passwords long
Most services require a password that is at least eight characters long. In reality, users will need more than that to have a truly secure password.
"The longer the password, the harder it is and longer it takes cybercriminals to crack the password," Smith said. "The typical rule of thumb has been eight characters, [but] this is no longer sufficient. As with all things in the realm of technology, password-cracking programs have become faster, and some boast the ability to make 350 billion guesses per second, which means they can crack an 8-character password in seconds. For users to protect themselves, experts now recommend passwords containing at least 13 to 20 characters."
4. Be smart — use two-factor authentication
If a website offers two-factor authentication, use it — two-factor authentication adds an extra layer of protection that makes it harder for cybercriminals to access an account.
"Many sites are now offering two-factor authentication or a login that requires both a password and another form of identification, such as a code from a mobile device," Glenn said.
Other types of secondary identification include secret questions that only the user knows the answer to, a personal identification number (PIN), biometrics or a physical token attached to a device.
"With two-factor authentication, even if an attacker steals users’ login passwords, they won’t be able to access their accounts without the second form of identification," Glenn said. "Take advantage of this security feature when available."
5. Be unpredictable — change your password regularly
Lastly, there's the classic rule of frequently changing your password. Glenn and Goodman both recommended changing passwords at least every few months or on a quarterly basis, respectively. But know that this is no longer universally accepted as necessary unless you have been breached. To find out if your information is out there, check out Have I Been Pwned? where you can search your email address, username or password to see if they have turned up in any reported breaches.
Additional reporting by Anna Attkisson