Strength in Numbers: Securing Your Online Accounts With Strong Passwords

Tony Brumley

It can be challenging to create secure passwords to protect your accounts. However, you want to ensure that your online accounts—especially your financial accounts—are secure from hackers. You may be asking yourself: How long should I make the password? Should I use characters other than lower-case letters? How can I make each password different from my other passwords but still remember it? I have so many online accounts; how do I remember all my passwords?

Following are some best practices to consider when creating secure passwords that can foil cybercriminals and the developers of password-cracking tools, who know all our “clever” tricks.

Use a passphrase. Both the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) now recommend using a passphrase instead of a shorter, more complex password. We recommend passphrases of at least 20 characters, because as computer speeds increase, the time it takes hackers to crack passwords decreases. When it comes to the length of passwords or passphrases, longer is better and more secure.

Avoid passwords that are easy to guess. Do not use personal information, including your pet’s name, relative’s name, birthplace, favorite sports team, and so on. Hacking tools exist to gather content from social media sites to generate wordlists for a password attack. This makes it easier for cybercriminals to breach your accounts. Additionally, do not use patterns when creating passwords. For example, 123412341234, 1234567890, qwerty, asdfgh, and 1q2w3e4r5t6y7u8i9o0p are some of the most widely used passwords, and they are included in every password hacker’s wordlist.

Do not use a dictionary word as a password. The longest word in the dictionary is currently 45 characters and might seem like a very secure password. However, dictionary attacks test every word in the dictionary (and common phrases) in seconds, so even Supercalifragilisticexpialidocious is not a secure password.

Use special characters or numbers for letter substitution, such as @ for “A”, $ or 5 for “S”, and 1 or ! to replace the letters “I” or “L”. Note that while these passwords are stronger than plain dictionary words, these are well-known substitutions and dictionary attacks test for them automatically (for example, P@ssw0rd for password), so you should still aim for a 20-character passphrase. Another suggestion is to use phonetic replacements (“PH” in place of “F”), abbreviations, and/or deliberate misspellings. If an account requires a number and a special character in your password, do not simply add them to the end of your word, such as Password1!. Password-cracking systems build these patterns into their software.
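To show concretely why the patterns, dictionary words and substitutions above are weak, here is an added checker (example code written for this post, not a tool from the original article): it undoes the common substitutions the way cracking rule sets do, strips a trailing number/symbol such as the “1!” in Password1!, and compares the result against a small wordlist that is constructed for the demo (a real deployment would load a large breached-password list instead).

```python
import re

# Constructed mini wordlist for the demo; a real checker would load a large
# breached-password or dictionary list instead.
WORDLIST = {"password", "qwerty", "asdfgh", "sunshine",
            "supercalifragilisticexpialidocious"}

# Keyboard and number patterns called out in the post.
PATTERNS = ["1234567890", "qwerty", "asdfgh", "1q2w3e4r5t6y7u8i9o0p"]

# Common leet substitutions; cracking rule sets undo these automatically.
LEET = str.maketrans({"@": "a", "$": "s", "5": "s", "0": "o", "1": "i",
                      "!": "i", "3": "e", "4": "a", "7": "t"})

MIN_LENGTH = 20  # the post's recommended passphrase length


def normalize(password: str) -> str:
    """Reduce a password to the word a cracker's rules would recover from it:
    lower-case it, drop a trailing run of digits/symbols (Password1! -> password),
    then undo leet substitutions (P@ssw0rd -> password)."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def is_repeated_block(s: str) -> bool:
    """True when s is a short block repeated to fill the length, e.g. 123412341234."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return True
    return False


def check_password(password: str) -> list:
    """Return the reasons a password fails the post's advice; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if any(p in lowered for p in PATTERNS) or is_repeated_block(lowered):
        problems.append("keyboard or numeric pattern")
    core = normalize(password)
    if core in WORDLIST:
        problems.append(f"dictionary word after undoing substitutions ({core!r})")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Password1!", "123412341234",
                      "Supercalifragilisticexpialidocious",
                      "1q2w3e4r5t6y7u8i9o0p", "correct horse battery staple at dawn"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that 1q2w3e4r5t6y7u8i9o0p is exactly 20 characters and still fails, which is why length and unpredictability both matter.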

Passwords should be unique for every account. Use different passwords for each account so if cybercriminals crack one password, they will not have access to multiple or even all your accounts.

To manage the complexity of having numerous long, strong, and distinct passwords, use a password management tool. There are several free password management tools available, along with many affordable options. Some market leaders are 1Password, Dashlane, and LastPass. For more information on password management tools, look for our upcoming blog post.

If you employ these suggestions to create and manage long, strong, complex passwords, your online accounts and the important information they hold will be much better protected against hackers and attacks. If the idea of updating all your passwords feels overwhelming, set up a system for updating them. You can update your passwords as you log into your various accounts, or set aside some time on the weekend to update them in bulk and import them into your password manager. A little effort goes a long way towards keeping your information safe online!

Portfolio Solutions® does not provide tax, legal or accounting advice. You should consult your own tax, legal and accounting advisors before engaging in any transaction.

All information presented is compiled from sources believed to be reliable and current, but accuracy cannot be guaranteed. This information is distributed for education purposes, and it is not to be construed as an offer, solicitation, recommendation, or endorsement of any particular security, product, or service, nor should it be construed as tax or legal advice.