6 Ingredients for Better Passwords
Variety is the spice of a more secure online life
The longer you’ve lived online, the bigger your digital footprint, and with that comes greater security risks. As internet citizens and people who have accounts with a multitude of different sites, services, apps and products, we, personally, can do little to prevent a data breach. However, there is plenty we can do to protect ourselves in anticipation of one. Much of that protective action comes down to passwords.
Your passwords protect all of the personal information that resides in your online accounts, from bank balances and credit card numbers to your home address and photos of friends and loved ones. Protecting your accounts with good password practices takes some discipline and will sometimes make it harder to log in to your own accounts. But in today’s internet, it’s worth your effort and a little inconvenience to keep your online life safer.
Passwords are so valuable that thousands of passwords are stolen every day and accounts are traded on the black market. Take these straightforward steps to protect yours.
1. Use a different password for every account
You can’t prevent a data breach, but you can limit your exposure by always using different passwords for different websites.
If a site you use has been breached, change your password right away. When an attacker steals the password database for a site that you use (like LinkedIn or Yahoo), there’s nothing you can do but change your password for that site. That’s bad, but the damage can be much worse if you’ve re-used that password with other websites — then the attacker can access your accounts on those sites as well. To keep the damage contained, always use different passwords for different websites.
2. Create strong passwords
The longer and harder to guess your password is, the harder it will be to steal.
The secret to preventing guessing, theft or password reset is a whole lot of randomness. When attackers try to guess passwords, they usually do two things: use lists of common passwords that people use all the time and make random guesses. The longer and more random your password is, the less likely that either of these guessing techniques will find it. Password managers can help ensure your passwords are truly random (see below.)
3. Make strong security questions
Websites only care about consistency of answers, not accuracy. Give answers to the security questions that are long and random or not easily guessable, like your passwords.
If you’ve forgotten your password, some sites make you answer security questions before you can reset it. The answers to these questions need to be just as secret as your password. Otherwise, an attacker can guess the answers and set your password to something they know.
Randomness can be a problem, since the security questions that sites often use things people know or can learn about you, like your birthplace, your birthday or your relatives’ names. The good news is that websites don’t care if your answers are accurate, so you can give answers to the security questions that are long and random, like your passwords.
If the security question is What was the make of your first car?, instead of providing the answer Toyota Camry, try an unrelated random answer like M3yolVMSoh17pCs4bf (My 3 yo likes Vermont Maple Syrup on her 17 pancakes for breakfast).
4. Use a password manager
Password managers can generate strong passwords for you and fill them into websites so you don’t have to type them in.
These tips may seem overwhelming, but there are tools that can help. Password managers like 1Password, LastPass or Dashlane can generate strong passwords for you, remember them for you, and fill them into websites so you don’t have type them in. Many can even store the long, random answers to your security questions, in case you need to reset your accounts. There are risks in using password managers, since they create a database that has all your passwords in it. That is why you need to still use a very strong “master password” or long passphrase that will be used to encrypt your data in the password manager.
5. Use two-factor authentication
Websites that offer two-factor authentication (also known as 2FA) allow you to use your phone to confirm login attempts.
The other major step you can take to protect your account is to add a “second factor” to the login process. In most cases, the second factor is tied to your phone, which means that even if an attacker has your password, they can’t log in to your account unless they also have your phone. (And vice versa — if your phone gets stolen, they can’t log in unless they get your password.) Websites that offer two-factor authentication (also known as 2FA) provide instructions, but it usually involves entering your phone number or scanning a barcode with a special app. Then, when you log in, the website will ask you for a code from your phone.
6. Sign up for data breach alerts from Firefox Monitor
We can help you learn if your account information is compromised in a data breach or exposed to hackers in some other way.
Firefox Monitor was created in partnership with renowned security expert Troy Hunt. When you do the initial scan, Firefox Monitor will warn you if your credentials have been compromised by comparing it to the public breach data in the system. After that, you’ll have the option to sign up for future alerts.
It’s important to know that not all breach datasets are available for us to scan. If a site reported a data breach yesterday, the data may not be available for inclusion in Monitor. If you have an account, and you’ve heard about a breach, check your inbox for emails from the company. Or even better, consider changing your password, just to be safe.