4 Password Rules Everyone Should Follow, According To Data Security Experts

Your passwords protect your most valuable information. Follow cybersecurity experts' advice on how you should be making these passwords more secure.

Our online passwords are the gatekeepers to our most sensitive, valuable information ― and yet so many of us choose weak options that are easily breached. (Sorry to tell you, but it’s time to retire “Password123.”)

For cybercriminals, “the No. 1 method of entry these days is credential theft,” explained George Kamide, co-host of the cybersecurity podcast “Bare Knuckles and Brass Tacks.” “It’s so much easier for me to get your password somewhere else and try that than for me to sit there at [your] email and try and get in, because … most systems are going to lock you out after three bad tries.”

But it doesn’t have to be this way. A password is actually “one of the cybersecurity choices users have real control over,” explained Aaron Pritz, CEO of cybersecurity firm Reveal Risk.

To make more secure choices, HuffPost asked cybersecurity experts about the password rules they personally follow. Read on for their lessons:

1. They use password managers.

Every data security expert HuffPost talked with uses a password manager and advises people to use one too.

Instead of writing your passwords down somewhere you might lose and a criminal might find, a password manager does the work of generating and remembering unique, strong passwords for you.

“Your password manager is logged in on your phone or on your computer, and you’re letting it create the password. So it might put a 32-character password in there. It puts that password in your vault,” Pritz explained. This way, “you don’t even have to remember the password, which is kind of nice.”

“It reduces your cognitive load to remembering one master password,” said Kamide.

Maril Vernon, a security architect and certified ethical hacker, said that even in the event that a password manager company itself got hacked, this is not as bad as other breaches, “because the password manager company doesn’t actually store your master password to unlock your vault.”

In other words, even if a criminal downloaded a copy of your password manager vault, they cannot see your passwords because only you have the master password.

2. They use multi-factor authentication.

Many services will also give you the option to turn on “two-factor authentication,” and you should always select this feature, experts said.

Multi-factor authentication that requires a texted or emailed code to log in is your final failsafe in case your password manager is breached.

“When I use a password manager, I have a master password, and I also have authentication code that I use through an authenticator that changes basically like every minute,” Kamide said. This way, you’re “massively reducing the probability” that somebody is going to guess your password, he said.

3. They never reuse passwords.

“If a website gets breached, criminals will sell your account details to other criminals or use those login details on other sites,” Pritz warned.

And no, just tacking on a new number to your same password does not change your password enough.

“I recently saw some exposed company accounts and passwords publicly available on a criminal leak site for a company we were helping. I could quickly see that ‘John’ used his wife’s name and a sequential number that he would increase by one each time he had to reset it, on all his passwords,” Pritz said.

“Since he was using the same password across sites, one could get into his bank account or other important accounts very quickly,” he added.

4. They use sentence-long, complex passwords.

“Please use a password manager. If not, please use really, really long passwords over complex passwords with random characters,” Vernon advised.

That’s because the longer your password is, the harder it is for computers to figure it out.

One cybersecurity firm estimated it could crack a seven-character password in just two seconds even when the password had numbers, uppercase letters, and lowercase letters, but a 12-character password with numbers, upper- and lowercase letters would take six years to crack.

“Length is key, and if you need extra length, numbers and random characters will help you,” Vernon said. “But the problem is, people use commonly available numbers like ‘2025.’”

So pad your passwords with more characters, but do not use commonly guessed values like current years or birthdates.

Just how long should a password be? Vernon said a long password should be at minimum 16 characters to safeguard against potential hacks, and her own passwords are at least 44 characters, because it would take even the most advanced AI hundreds of years to crack that password.

That’s why security experts recommend choosing a sentence as a way to make your password longer. Kamide suggested using your favorite Taylor Swift lyrics, for example, and then adding numbers to make it more complex.

You can also simply choose groups of random words, because this type of combination is much harder for a cybercriminal to crack, Vernon said.

In other words, do not just pick multiple cities or related foods as your password combination. “If you do something like ‘correct-horse-battery-parakeet’ ― those words are not associated, so it’s much harder to dictionary-attack them,” she said.
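As an added illustration (not from the article or the firm it cites), the following Python shows why length and truly random words beat a short "complex" password: it computes the search space in bits for mixed-character passwords of the lengths discussed above and for random-word passphrases, and converts that to worst-case time at an assumed rate of 10^12 guesses per second. The guess rate, the small word list and the function names are constructed for this example.

```python
import math
import secrets
import string

# Assumed guess rate for illustration only (1e12/s is the order of
# magnitude a large GPU rig reaches against a fast, unsalted hash).
# Slow hashes like bcrypt or Argon2 cut this by many orders of magnitude.
GUESSES_PER_SECOND = 1e12

# Constructed 8-word list for the demo: 3 bits per word. A real
# passphrase generator draws from thousands of words (~13 bits each).
WORDLIST = ["correct", "horse", "battery", "parakeet",
            "glacier", "trumpet", "velvet", "anchor"]

MIXED_ALPHABET = string.ascii_letters + string.digits        # 62 symbols
FULL_ALPHABET = MIXED_ALPHABET + string.punctuation          # 94 symbols


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy in bits of num_words picked independently from the list."""
    return num_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate (the average is half that)."""
    return (2 ** bits) / rate / (365 * 24 * 3600)


def random_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Manager-style random password using the OS CSPRNG, not random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(num_words: int, words=WORDLIST) -> str:
    """Unrelated words joined with '-', like 'correct-horse-battery-parakeet'."""
    return "-".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    for length in (7, 12, 16, 44):
        bits = keyspace_bits(length, len(MIXED_ALPHABET))
        print(f"{length:2d} mixed chars: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits):.3g} years to exhaust")
    # Padding with a likely year adds far less than four random digits:
    print(f"4 random digits: {keyspace_bits(4, 10):.1f} bits; "
          f"a year from the last 100: {math.log2(100):.1f} bits")
    print(random_password(16), random_passphrase(4))
```

Run it and note that the 12-character row is not "a bit harder" than the 7-character row but about 2^30 times harder, which is the whole argument for length.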

Ultimately, setting up a secure password can take more time, but what you decide can be the difference between a hacked bank account and a frantic call to your credit card company on one hand, and your peace of mind on the other. Choose wisely.
