By Vanessa McGrady and Zhenia Vasiliev
As you sit and try to remember what the new password is for any of your online accounts, chances are, a hacker already knows what it is.
Because so many people use the same combination of words or similar logic to create passwords, about 90 percent of them are predictable—thus hackable.
In some cases, it may seem like a weak password is no big deal and someone can only do so much harm logging into your Facebook account. But that website may reveal clues that can help someone crack into more critical accounts, like your financial institutions, health care, or email. Or it could enable someone to hijack your email and social media accounts and wreak havoc on your networks under your name.
What is a good password?
Password expert Lorrie Faith Cranor is a professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she's the director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering master's program. She says that in general, the longer the password, the better—and better still if it has elements of randomness.
“It's more of a spectrum than a hierarchy. Fifteen random characters is good and 18 is even better, and 25 is even better, but the longer you go, the more annoying it is to use the password,” she says.
The inherent trouble with a long and complicated password is that it's harder to remember. Cranor suggests a couple of tricks to come up with something original and memorable that a computer program running trillions of guesses might miss. The first is to crack open a book, pick three words from different pages, and string them together. Another is to think of a sentence—but not something as common as song lyrics or your favorite sports team's cheer—and use the first one or two letters of each word in the sentence. Add some capitalization and punctuation, but not in the obvious places, so don't put your capital letter as the first letter. Instead, put it somewhere in the middle. A sentence like “She has flowers on her dress!” would translate to sHhaFl0nheDr!
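To make the "spectrum, not hierarchy" point concrete, here is an added example (not from the article or from Cranor's lab) that puts numbers on the two strategies above: it computes how many bits of guessing work a uniformly random password of a given length has, versus three words drawn from a dictionary, and converts that into time at the "trillions of guesses" rate the article mentions. The dictionary size of 100,000 words and the guess rate of one trillion per second are assumptions, and the short list of common passwords is constructed for the demo; the arithmetic is the standard log2 of the search space.

```python
import math

# Assumptions for the worked numbers (not figures from the article):
PRINTABLE_ASCII = 95                 # symbols a fully random keyboard password can draw from
ASSUMED_DICTIONARY_SIZE = 100_000    # distinct words an attacker would try for "book word" passphrases
GUESSES_PER_SECOND = 1e12            # "trillions of guesses" per second, as the article says

# Constructed sample list standing in for a real "most common passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}


def random_chars_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy in `length` characters chosen uniformly from `alphabet` symbols.

    Search space is alphabet**length, so log2 of that is length * log2(alphabet).
    """
    return length * math.log2(alphabet)


def word_passphrase_bits(word_count: int, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """Bits of entropy in `word_count` words picked independently from a dictionary.

    Models the attacker who knows the trick and tries every word combination,
    so the book itself adds nothing beyond the dictionary size.
    """
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate of a `bits`-bit space at `rate` guesses/s."""
    return (2.0 ** bits) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit (rough, for comparison only)."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 24 * 3600:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / (24 * 3600):.1f} days"
    return f"{seconds / year:.3g} years"


def is_common(password: str, common: set[str] = COMMON_PASSWORDS) -> bool:
    """True if the password is on the common list (case-insensitive), i.e. guessable instantly."""
    return password.lower() in common


def compare_strategies() -> list[tuple[str, float, str]]:
    """Return (label, bits, worst-case crack time) rows for the strategies the article contrasts."""
    rows = []
    for n in (8, 15, 18, 25):
        bits = random_chars_bits(n)
        rows.append((f"{n} random printable characters", bits, human_time(seconds_to_exhaust(bits))))
    for w in (3, 4, 5):
        bits = word_passphrase_bits(w)
        rows.append((f"{w} random dictionary words", bits, human_time(seconds_to_exhaust(bits))))
    return rows


if __name__ == "__main__":
    for label, bits, when in compare_strategies():
        print(f"{label:32s} {bits:6.1f} bits  exhaustive search: {when}")
    print("'password' on common list:", is_common("password"))
```

Reading the output: 15 random characters is roughly 99 bits and already far beyond what a trillion-guess-per-second attacker can exhaust, while three random words from a 100,000-word dictionary is only about 50 bits, which that attacker clears in a matter of hours. The three-word trick buys memorability, so it pays to use four or five words, and any password on a common list is effectively zero bits no matter its length. A mnemonic like sHhaFl0nheDr! cannot be scored this way, since its strength depends on how predictable the underlying sentence is, which is exactly why the article warns against lyrics and cheers.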
How to stay safer online
Cranor warns against using the same password for every account. “Save your really good passwords for the important accounts,” she says. And hopefully, your home and business network are secure too, so even if they do get hacked, you're not making it easier for someone to steal your information.
Last year, Sony was victimized by a large hacker attack and accused of having weak network security. Once the hackers got in (and it's still unclear exactly how), they found unencrypted files that led to employee passwords and other sensitive information like credit card numbers, salaries, performance reviews, confidential emails, and home addresses. One “don't” you usually hear from your IT person at work is to never write down your password—but actually, that's OK, says Cranor. Just don't put it on the computer or in an obvious place, like on a Post-It on your monitor.
You can also use one of several digital password managers on your computer to help keep track. “The only people who are going to be able to get your password if it's written down are people who have physical access to wherever you wrote your password down,” Cranor says. “All the attackers on the internet, they're not going to be able to access your written-down password.”
10 most common passwords
Did you know?
- More than 3 in 10 people share their password with a friend. Nearly 25% of people add friends on Facebook whom they don't know.
- 68.4% of people use the same password for multiple sites.
- 71.8% know that losing a social security card has the potential to cause the most harm when in the hands of an identity thief, compared to losing a credit card or driver's license.
- 65.5% know that a credit freeze prevents new accounts from being opened in your name.
- 76.3% know to check their credit report to find out if someone has opened a new line of credit in their name.
Survey: When did you last change your online banking password?
- 8% Within the past week.
- 13% Within the past month.
- 13% Within the past 3 months.
- 9% Within the past 6 months.
- 4% Within the past 9 months.
- 6% Within the past year.
- 15% Over a year ago.
- 15% Don't know / Can't recall.
- 17% Not applicable - I do not have this type of account.
The FBI's top tips to protect your password
- Do not provide information about yourself that will allow others to answer your security questions—such as when using the “I forgot my password” feature.
- Beware of unsolicited contacts from individuals in person, on the telephone, or on the Internet who are seeking corporate or personal data.
- Avoid accessing your personal accounts from public computers or through public Wi-Fi spots.
- Whenever possible, encrypt communications with websites. It may be a feature social network sites allow you to enable.
- Only install applications or software that come from trusted, well-known sites. “Free” software may come with malware.
- Verify what information applications will be able to access prior to enabling them. Once installed, keep them updated. If you no longer use an application, delete it.
- Do not store any information you want to protect on any device that connects to the Internet.
- Always use high security settings on social networking sites, and be very limited in the personal information you share.
- Monitor what others are posting about you on their online discussions.
- Use anti-virus and firewall software. Keep them, your browser, and your operating system patched and updated.
- Change your passwords periodically, and do not reuse old passwords.
- Do not automatically download or respond to content on a website or in an email.
- Do not click on links in email messages claiming to be from a social networking site. Instead go to the site directly to retrieve messages.