Your password can ruin your life. I know that sounds dramatic, but it’s true. If someone figures out the password to your email, you’re in trouble. Social media? Even worse. Once hackers access your online bank account, they can wreck your finances, and you may feel the repercussions of that break-in for years.
It seems not a week goes by that we don’t hear about another data breach. How do you know if the hackers have your info? Click here to find out whether your email has been hacked or stolen.
Most of us have the wrong idea about passwords. We think they have to be convoluted messes, like F$%Th5l2K!&. This theory reigned for years—that passwords should be nonsensical and hard to remember.
It started in 2003 with guidelines from the National Institute of Standards and Technology (NIST), which insisted on random combinations of numbers, letters, and symbols. The organization’s manager, Bill Burr, spread this gospel for years. But in a recent interview with The Wall Street Journal, he admitted that this wasn’t nearly as effective as he’d thought.
Thanks to a new round of research, cybersecurity experts have changed their tune. Yes, you should still avoid guessable passwords like “[email protected]” or “letmein.” But a strong password also can be logical, fluid and easy to remember.
1. Passwords should withstand 100 guesses
This is the most important part: No matter what your password is, it should withstand 100 guesses, which means it shouldn’t be tied to any public information about you or your family.
Hackers often turn to your social media profiles to find information about you, and a little data goes a long way, such as your birthday and the name of your pet. Experts believe that criminals can guess the average person’s password nearly 73 percent of the time, and they can often access other accounts by using slight variations on the same password.
Facebook is all about making it easy to share your life with your friends and family. Unfortunately, there are some things you shouldn’t share online. These bits of information can put you in danger of identity theft, losing your job or causing other major headaches. Click here for five of the biggest offenders you should not put on your profile.
2. Use a phrase
Instead of thinking of your password as a secret code, think of it as a “passphrase.” These are strings of words that are both easy to memorize but hard for anyone else to crack.
Suppose you wanted to be an astronaut when you were a kid, and your favorite color is fuschia. You have never mentioned these facts online, and only your Mom knows such trivia about you. You could compose a passphrase like “ilikefuschiaastronauts.” You’ll never forget it, and the passphrase will confound hackers for (literally) centuries.
I actually recommended and told you how to create a great passphrase a little over a year ago. The advice is still valid. Go here to come up with your own.
3. Go long
You might want to sit down for this one: The new NIST guidelines suggest allowing users to create passwords up to 64 characters in length. As if that isn’t weird enough, the guidelines also allow spaces between words. While many people just try to meet the bare minimum requirement of using eight characters, you will get a much stronger password by stretching things out.
You could theoretically create a complex list or sentence, which still makes perfect sense to you. You could list all your pets’ names from childhood, like “fluffy princess rex spike booboo chewie,” or all the streets on the way to your favorite restaurant, like “academy main washington ohio central.” Easy to remember. Hard to crack.
4. Don’t change your password until you have to
Until recently, consumers were advised to change their passwords every three months. But as NIST’s Paul Grassi recently told the Institute of Electrical and Electronics Engineers, “Expiration isn’t a motivator to create a brand new password, it’s motivation to shift one character so you can remember the password.”
If you’ve created a strong password, then don’t worry about changing it out all the time. Just stick with it unless you’ve been notified of a security breach that requires a password reset.
5. Choose something memorable
Remember, each password should be unique, but they don’t have to be cumbersome. The NIST calls passwords “memorized secrets.” You want to avoid the temptation to write down passwords, so pick a password that has enough meaning to you to stay in your mind.
I’m not a big fan of password managers. I commit my passwords to memory. But if you cannot do that, here’s a free program that will help you store your passwords safely and easily.
6. Get creative with characters
It may take websites some time to catch up to the latest NIST guidelines, but you can still create a memorable password that meets current restrictions. Go back to Burr’s advice on passphrases. You might choose something like “ArizonaCardinalsfootballisnumber1!” or “Igivemyjob1000%everyday.” Those meet the requirements of having at least eight characters, a special character, and upper and lowercase letters.
7. Use two-factor identification
While passwords help protect your information, cybercriminals are more sophisticated than ever. If they break into your accounts, you may not recognize the damage until it’s too late.
Months passed before the public learned about the Equifax breach, and it’s hard to assess how much information has been leaked, nor how it will be used. If you haven’t checked to see if your personal details are in the hands of cybercrooks, click here and do it now.
That’s why two-factor identification is so important. Using text messages, emails or special apps, an account-holder will receive a notification every time a password is changed, entered on a new device, or at a new location. You will have to verify that it’s you attempting to gain access.
How do you do this? Click here and I’ll walk you through just a few steps to set it up.
What questions do you have? Call my national radio show and click here to find it on your local radio station. You can listen to the Kim Komando Show on your phone, tablet or computer. From buying advice to digital life issues, click here for my free podcasts.
Recovering from Equifax, improving passwords, throwing Google off your scent, and more
Q&A with Kim: Meshing your Wi-Fi network, Taking control of Autocorrect and more