Forgetting your password can be a serious hassle — you need to verify your account, remember your high school teacher’s pet’s middle name, and patiently wait up to a week to unlock said account (looking at you, Apple ID gatekeepers). But given the rise in data breaches — with 22 million records exposed last year alone — it pays to have a strong password, both for your protection and your privacy. Here’s how to create the right one.
According to Terry Cutler, cyber security expert and founder of Internet Safety University, passwords fall into several types: letters only, numbers only, and those that mix in special characters. To create a nearly unbreakable password, he recommends 16 to 25 characters combining letters, numbers and special characters.
“For example, let’s make a strong password out of the phrase ‘I had a great day at work 2019!’,” said Cutler. “First, what I like to do is remove the spacing and capitalize each letter of each word. Now the password looks like ‘IHadAGreatDayAtWork2019!’. Next, replace the O’s with zeros and the A’s with @ signs. It’ll look something like ‘IH@d@Gre@tD@y@tW0rk2019!’.” (According to Passfault, this password would take 164 million centuries to crack.)
Cutler said if you were to stick to only one of those guidelines, use @ signs instead of A’s.
The benefit of creating your own password instead of using an auto-generated one is that it holds personal meaning to you, so it’ll be easier to remember.
“Some experts say to create passwords like Gzz4655!!v662@, and others like me will tell you to create memorable strong passwords. Both methods are correct for the time being because it requires way too much computing power and time to crack these passwords. But as machines get stronger and faster, this will need to be revisited,” he said.
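To make the construction above concrete, here is an added example (not code from the article or from Cutler) that builds a password from a phrase the way he describes, estimates how long pure brute force would take, and then counts how many extra guesses the @/0 substitutions actually cost an attacker who runs a dictionary-plus-rules attack. The guess rate of one trillion per second and the rule-set model (hashcat's `s` rule replaces every occurrence of a letter at once) are assumptions stated in the comments; the takeaway the code demonstrates is that the length of the phrase, not the substitutions, is where the strength comes from.

```python
import string

# Character swaps from the article's example: a -> @, o -> 0 (both cases).
LEET = {"a": "@", "o": "0"}


def phrase_to_password(phrase: str) -> str:
    """Apply the article's recipe: drop spaces, capitalise the first letter of
    each word, then swap a/A for @ and o/O for 0."""
    joined = "".join(w[0].upper() + w[1:] for w in phrase.split())
    for plain, sub in LEET.items():
        joined = joined.replace(plain, sub).replace(plain.upper(), sub)
    return joined


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force cracker must cover, assuming it has
    to include every character class the password uses (94 printable ASCII
    characters when all four classes appear)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def brute_force_years(password: str, guesses_per_second: float = 1e12) -> float:
    """Expected years for exhaustive search at the assumed guess rate
    (1e12/s is a rough figure for a GPU rig against a fast hash)."""
    keyspace = alphabet_size(password) ** len(password)
    return keyspace / 2 / guesses_per_second / (365.25 * 24 * 3600)


def substitution_variants(plain_password: str) -> int:
    """Number of candidates needed to cover every way of applying the a->@ and
    o->0 swaps to a known base string: 2 ** (swappable letters). Rule sets
    that swap all occurrences at once need only 2 ** len(LEET) = 4 tries, so
    the swaps multiply an attacker's work by a small constant, while each
    extra word from even a 5,000-word vocabulary multiplies it by 5,000."""
    swappable = sum(1 for ch in plain_password if ch.lower() in LEET)
    return 2 ** swappable


if __name__ == "__main__":
    base = "IHadAGreatDayAtWork2019!"
    pw = phrase_to_password("I had a great day at work 2019!")
    print(pw)
    print(f"brute force: {brute_force_years(pw):.2e} years")
    print(f"substitution variants a rule attack must try: {substitution_variants(base)}")
```

Run it and compare the two numbers: the brute-force figure is astronomically large for a 24-character password, but the substitution step adds at most 64 candidates (4 under a whole-string rule) on top of guessing the underlying phrase, which is why estimators that only count character classes overstate what leet-speak buys you.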
Dangers of autofill
Sure, it’s far easier to type in your username and have the website auto-populate your password, but Cutler calls that a security death sentence waiting to happen: it grants immediate access to your accounts if someone gets hold of your device.
To keep you from caving in to the autofill trap, he suggested using the password manager in the newer Google Chrome browser, which prevents you from using the same password for every website (the securely stored passwords can be synced across multiple devices as well, he said).
Behind every strong password is a batch of even stronger security questions. But given the prevalence of seemingly harmless memes that request basic information about you, you might be divulging far more information than you intended.
Steer clear of responding to any posts that, under the guise of generating a fun new name, request, for example, your pet’s name and the first street you grew up on. In that vein, create your own security questions that only you would know the answer to, rather than using the site’s default questions. If a site insists on its own questions, you can still answer with something unrelated and store that answer in a password manager, since the answer only has to be consistent, not true.
Another way hackers might use your information to access your security questions is through quizzes, according to Cutler. While they seem innocent on the surface, he said many have a clear agenda behind them.
“This is a topic that just drives me nuts. I can’t understand why they want to know which Disney horse resembles them, or which movie star resembles them,” said Cutler. “There are a lot of them set up to harvest personal information and preferences from you. Things like your name, your birthdate. Be very wary of quizzes that you have to sign into before you can start. Almost no one ever reads the fine print before they log in to the quiz app, and this is dangerous because you’re allowing the app to see and contact everyone on your friends list, see your profile and copy it, and send advertising to your friends about the quiz,” he said.
Two-step verification or authentication adds another layer of security to even the strongest of passwords, according to Cutler. How it works is that you’ll log in to your account with your password and username, and then the website or social media platform will send a unique code to your mobile device or you’ll use an authenticator app to provide a code. You will then need to input it into the desktop or mobile version of the website. Only then may you begin using the service.
“If you ever worked for a big company back in the early ’90s, you used to carry a little RSA token around with you where the numbers on it used to change every 30 seconds. This is the exact same concept except we’re using your mobile phone,” he said.
Two-step verification is usually an optional feature, but Cutler deems it integral to your security. “This advanced security feature should be mandatory and enabled by default on all our online accounts especially in today’s world where there’s so much digital crime and internet fraud on the rise,” he said.
When it comes to protecting your data, try to carve out a little space in your brain specifically reserved for password memory. You’ll thank yourself later.