It’s that time of year when we’re all thinking about how to improve our lives in 2021. It won’t be hard to come up with ideas for how to make next year better than 2020, but when it comes to New Year’s resolutions, let’s try something different from the usual losing weight and eating better.
Let’s get smarter about passwords.
Do you use “12345678” or “password” as your password? Or maybe you use “87654321” or “p@ssword.” Maybe you reuse the same password on your Netflix and Gmail accounts as you do for your laptop login, but for your banking password, you capitalize the first letter and add a number to the end instead. If you’re guilty of any of these bad habits, you are putting yourself, your identity, your assets and even your company in peril. Don’t wait until January 1 to make a change. Fix them now.
Stop reusing passwords across accounts.
You are not alone. A 2019 Google survey found that 52% of people reuse passwords on multiple accounts, and 13% reuse the same password on every account.
Here’s why this is a bad habit: Websites experience frequent security breaches, and when that happens, criminals gain access to the login and password credentials for that site. Then they test them on other sites and sell the credentials to other hackers who test them on even more. If you reuse the same password, those criminals are bound to unlock additional accounts, even if those sites were never breached.
When SpyCloud, which curates the world’s largest collection of breach data, examined password reuse among Fortune 1000 employees, it found that 76.5% reused the same password paired with their corporate email on other breached accounts. This is a problem for consumers and businesses alike.
Pay attention to breach alerts.
In the last few years, your data was probably part of a breach — or several. The company whose data was breached notified you that your information was at risk and forced (or strongly recommended) you to change your password. How often have you changed that same password or variations of it across all your sites?
You would think that knowing a password was in jeopardy would prompt everyone affected to change it, yet, when Google notified users through a Chrome extension that their passwords had been compromised, only 26% of people changed them.
Breaches are so dangerous because they often aren’t discovered until months later, which gives bad guys a long head start. By the time users are notified their data was included in a breach, the criminals have combed through their accounts and identified others that are vulnerable because they use the same passwords. As I explained above, that’s why it is important not to reuse passwords.
If you are notified of a breach, do not ignore it. Follow the directions to protect yourself and update other accounts that use the same passwords.
Use complex passwords.
In addition to recycling passwords across accounts, people tend to use simple passwords that are easy to remember. When SpyCloud analyzed the breach data it collected last year alone, it found 13 million instances of “qwerty123” and 3 million instances of “iloveyou.”
These passwords and their variations are easy for criminals to guess. They keep lists of common passwords and use them in password-spraying attacks, putting accounts with weak passwords at risk even if the user hasn’t reused the password.
Password-cracking tools can eventually recover just about any short password made up of letters and numbers, but every added character and every added character class multiplies the number of guesses an attacker has to make. Use passwords that are at least 16 characters in length, with a random combination of lowercase and uppercase letters, numbers and special characters. The reality is that hackers have only so much time and computing power to spend on cracking any one password. The harder you make it for them, the more likely they will give up and move on.
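To make the two ideas above concrete (passwords that are common or trivial variations of a common one, and the guessing effort a length-and-charset bound implies), here is an added example that is not part of the original article. The list of known-bad passwords is constructed from the ones named in the text; a real check would use a full breach corpus, and the 10 billion guesses per second rate is an assumed figure for illustration.

```python
import math
import re

# Constructed sample of common passwords taken from the article; a real check
# would consult a full breach corpus rather than a handful of strings.
COMMON_PASSWORDS = {"12345678", "87654321", "password", "qwerty123", "iloveyou"}

# Reverse the usual cosmetic substitutions ("p@ssword", "passw0rd").
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalize(password: str) -> str:
    """Undo the tweaks people make to a base word: a trailing run of digits or
    punctuation, leet substitutions, and capitalisation."""
    base = re.sub(r"[\d!@#$%^&*]+$", "", password)
    return base.translate(LEET).lower()


def pool_size(password: str) -> int:
    """Size of the character set the password visibly draws from."""
    pool = 0
    if re.search(r"[a-z]", password): pool += 26
    if re.search(r"[A-Z]", password): pool += 26
    if re.search(r"\d", password): pool += 10
    if re.search(r"[^a-zA-Z0-9]", password): pool += 33
    return pool


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: assumes every character was chosen at random."""
    return len(password) * math.log2(pool_size(password)) if password else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every password of this strength at an assumed rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def assess(password: str, known_bad=COMMON_PASSWORDS) -> str:
    """Classify a password the way the article's advice would."""
    if password.lower() in known_bad:
        return "common"
    if normalize(password) in known_bad:
        return "variation"      # e.g. "Password1" or "p@ssword"
    if len(password) < 16:
        return "short"
    return "ok"
```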
Use a password manager.
Password managers help you generate random passwords and store them so you don’t have to remember a different password for every site. There are a variety of password managers out there, so choosing one will take a little research. Make sure you pick one that supports whatever platforms you use and also has breached-credential monitoring built in. Most, but not all, work across PC, Mac, iOS and Android. They also vary in what they charge, how many passwords they store and other features.
No matter which manager you use, they all require one master password to unlock the vault, so remember what you learned in the previous section on setting strong passwords.
Enable multifactor authentication.
You’ve probably gotten suggestions from your various accounts to set up multifactor authentication (MFA), a security enhancement that requires you to present two separate credentials in order to log in to an account. Those credentials fall into three categories: something you know (a password or PIN), something you have (a digital or physical token) or something you are (a fingerprint or retina scan). You typically need to present two of the three, so after entering your password, you might be required to enter a one-time code generated by or sent to your phone. The idea is that while hackers might be able to discover your password, they won’t also have your phone or fingerprint.
At a minimum, you should enable MFA on your most sensitive accounts, such as your email and financial accounts. Note: You may be presented with the option to have the codes sent to your phone or email, but hackers may be able to intercept them. Getting a physical hardware token is the most secure option, followed closely by using an app such as Authy, Google Authenticator or Duo.
It’s never fun to reset potentially hundreds of passwords, but having to deal with a compromised account, fraudulent purchases, or stolen cash or loyalty points is way worse. Make better password practices part of your plans for 2021, or better yet, start now.