How Secure is Your Password?
What you'll learn: How to create secure passwords
EXPECTED READ TIME: 10.5 MINUTES
January 28, 2019
Security. Convenience. Trust. As data breaches and public willingness to share their personal information puts more and more information in the hands of data thieves, learning how to create secure passwords continues to be key in keeping data fraud at bay.
Identity theft and fraud reports in the United States soared to nearly 3 million in 2017, reports the Consumer Sentinel Network of the Federal Trade Commission. At the same time, consumers are growing frustrated by the seeming impossibility of committing long lists of passwords to memory. Instead, they fall back on obvious password patterns, recycled passwords used for multiple accounts, and security questions that turn out to feature the same pets and boyfriends they post about on social media.
So much public data is now available, according to a 2018 report from Experian, that criminals are now able to use information gleaned from one source — say, social media — to break into bank accounts and other resources. Information is everywhere. The Equifax credit bureau breach in 2017 that potentially exposed the data of 143 million Americans included names, Social Security numbers, birthdays, addresses and even credit card numbers.
A strong, unique password for each account you use is one of your best protections against data theft. “PenFed’s top priority is protecting your data,” says Steve Hutchens, SVP Chief Security Officer at PenFed. “Everyone today needs to take time to learn how to create secure passwords to protect the integrity of their data and their personal identity.”
Why password protection matters
It doesn’t take much effort to create strong passwords, but people today have so many passwords for so many accounts that they’ve given up. Take a look at SplashData’s most recent Worst Passwords of Year list, featuring such “unguessable” winners as biteme, admin123, whatever and — wait for it — password. You can feel the user frustration rolling off the screen.
Unfortunately, users aren’t the only ones who recognize and remember these passwords. Data thieves do too. They know that nearly 10 percent of people have used at least one of the top 25 passwords on the list, according to SplashData estimates.
How to create secure passwords
The most secure password is a unique password of 12 or more mixed types of characters, including uppercase and lowercase letters, numbers, and special characters (the ones above the numbers on your keyboard).
A weak password is based on information about your life that data thieves can find on the internet: birthdates for you or family members, names of family members, parts of your address or past addresses, and facts often posted on social media profiles such as your hometown or where you went to high school.
Combining these details or using only parts of them doesn’t make your password any safer. “Don’t use any combination of your birthday and your family members’ birthdays,” advises Hutchens, “and don’t use any portion of your Social Security number or a credit card or bank account number. These numbers are among the most commonly stolen personal data, and they’re one of the first things thieves will try using to break into your account.”
Some people like to follow a pattern when creating passwords that helps them remember each one with a little variation. While this seems like a good way to keep track of passwords, it makes it just as easy for data thieves to crack once they get their hands on a single example.
If you want to use a system for creating your passwords, Hutchens suggests following a different pattern for each type of website: financial accounts, social media accounts, shopping sites and so on. That way if hackers figure out one pattern, they won’t be able to hack their way into the rest of your accounts too. “What you don’t want is for your pattern for keeping track of social media log-ins to give away your financial account passwords,” Hutchens says.
Passphrases vs. passwords
The most secure password isn’t a word at all; it’s a passphrase. Any word from a dictionary is searchable and crackable by data thieves using computers to analyze and crack passwords. The solution? Don’t restrict yourself to using words as passwords. Take things further by using an entire phrase.
A passphrase takes the level of guessability to a whole new level. A good passphrase could represent a line from your favorite song, a quote from a movie or book, or a funny saying in your family. Take the first letter from each word, add a few numbers and special characters, and you have a new strong password that’s difficult to crack but easy to remember.
For example: Jack and Jill went up the hill to fetch a pail of water = j&jwUth2fAp0w
Here the number 2 replaces “to”, “0” (zero) replaces the letter “o”, “&” replaces “and”, and all vowels are capitalized.
Because you only use the first letter of each word of your passphrase, passphrases are a viable choice even if password length is restricted. Remembering your passphrase could be as easy as humming the chorus of your favorite song. You could literally sing your way to stronger password security.
Keep track of your passwords
Keeping track of the ever-growing list of passwords needed for life in the 21st century can wear down even the most determined user. It’s tempting to simply write them all down in a notebook or a file or post them on a sticky note on your desk.
“Writing down passwords and keeping them near your desk at work is probably one of the most obvious ways to lose control of your passwords,” Hutchens says. “It takes just seconds for someone with malicious intentions to spot a sticky note on your monitor, and it doesn’t take much longer to peek underneath your mousepad or keyboard or flip open your notebook to see what might be found.”
Equally dubious is storing passwords on a mobile device — your laptop, tablet or phone — that could be all too easily lost or stolen.
If you absolutely must keep a written list of passwords, Hutchens says, don’t write down the passwords themselves. Instead, write down clues or reminders that will help you remember the passwords. If that’s not practical either, keep your password list somewhere that’s always locked and secure.
Consider password managers
One method of keeping track of all your passwords — and a great way to generate secure unique passwords in the first place — is a password manager. A password manager is a digital app that generates a long, complicated password for each of your online accounts and then stores them on a secure, encrypted server. All you ever need is a single master password.
Password managers are not only convenient but extremely secure thanks to the same type of encryption the federal government uses to protect classified information. Examples of password managers such as LastPass, Dashlane or 1Password may make a solid, reputable choice for handling your passwords. Most store your information on their own secure servers, but some allow you to choose another location for storing your information.
Especially if you want to sync information between all your devices, you’ll pay a small monthly fee for most password managers. The good news is that if you decide you don’t like a particular password manager service, you can export and save your data, delete your account and try another service.
Limit password sharing
With so many accounts and payment methods that require passwords and PINs today, the standard advice to never share your passwords with friends, coworkers or family no longer seems very realistic. How is a family supposed to share a service like Netflix? What if you and a coworker need to share a log-in to an online tool?
Share passwords as needed on a case-by-case basis only to people you know and trust. If someone needs your password for a one-time use, change your password once they’re done and no longer need access. If you’re sharing on a long-term basis, consider a password manager that offers the option to share passwords with several other selected users.
Never give your password to a representative from any company or service. “PenFed will never ask for your password by email, on the phone, via text message, or by any other method,” Hutchens says. “If someone claiming to be from PenFed asks for your password by any method, end the communication and get in touch with us right away.”
How to protect your data online
Make sure you’re on top of these basic strategies for protecting your identity and your online security.
Don’t overshare on social media. Those silly little Facebook quizzes make the perfect gathering spot for answers to so many common security questions: What’s the name of your first pet? What was the first state you lived in? What was make and model of the first car you owned? Don’t make it so easy for online snoops to find out the answers to your secret questions.
Supply false answers to common security questions. Don’t provide the expected (truthful) answers to account security questions. Instead, plug in answers so silly that they’re memorable. Better yet, enter a string of nonsense characters — a strong password — and use your password manager to keep track of them.
Change your password regularly. Hutchens recommends creating a new password every 60 to 90 days. Create strong passwords of at least 12 characters.
Don’t reuse passwords. Don’t reuse the same password for multiple or similar services, especially a password used for accounts tied to your finances. Use a unique password for each account.
Keep your computer and other devices updated. Skipping software updates is a sure path for missing vital security patches that keep you protected from hackers and security issues.
Don’t use public computers to log in to sensitive accounts.
Turn on two-factor authentication. This system requires you to log on with not only a password but also a special code that’s texted or emailed to you when you try to log in. Scammers without a way to receive that code won’t have a way into your account.
Memorize PINs, rather than writing them down. If you do need to record PINs somewhere safe, consider a password manager.
Don’t provide personal or financial information on a website that’s not secure. The addresses of secure websites typically begin with “https://” and the lock symbol. If you don’t see those, think twice about providing confidential information or using that site to make a purchase.
Learn to recognize phishing
More and more of today’s data thieves are getting a toehold into your accounts via so-called social engineering, otherwise known as phishing. Phishers trick their targets into using or revealing their passwords and other data by posing as legitimate companies.
Phishing strategies typically appeal to fear. You’ll receive a message that looks like it came straight from your own bank informing you that your account has been hacked. You’ll see a popup on your computer screen that your computer has been infected with malware and you need to run this process to clean it right away. Other types of phishing attempt to lure victims with offers of money, pleas for assistance or even directives from a legal authority.
Any time you’re confronted with a request or directive via email, chat, text, telephone or even in person, don’t be pressured into immediate action. This is hard to do if you have reason to believe your bank account has been hacked or your computer is infected, but don’t act right away.
Verify the request by contacting the company or person in question through an entirely separate channel; don’t reply to the same email, click any links or call a number that’s been given to you. Look up the main contact information for the company and contact them directly to make sure the offer, request or directive you received came from them.
Don’t click links in an email — even an official-looking email — or open email attachments. These links and files often lead to malware designed to hijack your device or steal your information. You can check where a link actually leads by hovering your mouse over it without clicking. If it doesn’t lead to a genuine website URL, don’t click.
Take action if your data is compromised
PenFed takes the security of your financial information seriously. “We hope you are never faced with cleaning up after identity theft,” Hutchens says, “but if the worst happens, PenFed is here to help.”
If one of your cards or passwords has been stolen or you spot fraudulent activity on your account, contact PenFed immediately by phone. The Federal Trade Commission also provides comprehensive advice on steps to take to deal with identity theft.
Have More Questions about Security? PenFed Has Answers.
Learn more about protecting yourself from online theft and threats.