Change your password every 90 days. Use a different password for every account. Use a random combination of letters, numbers, and special characters. Don’t use dictionary words. Don’t write your passwords down.
You’ve probably heard all this advice before for creating passwords. You’re also probably ignoring it—realistically, it’s hard for most people to follow this advice on a day to day basis. When security and usability are at odds, most people tend to favor usability.
But productivity and security don’t always need to be at odds. Here are four password tips you can actually follow:
Change your passwords—sometimes.
No doubt you’ve heard the password advice that you should change your password every couple of months. In some cases, you’re probably forced to do this. While in theory, this is a good rule to follow, in practice, it makes people use predictable passwords. Thankfully, this guideline is falling by the wayside.
But that doesn’t mean you should never change your password. If you have personally experienced a cybersecurity breach, change it. If your company has experienced a breach, change it. If any service you have a log in for experiences a breach, change your password.
If it’s been a few years since you’ve changed passwords, you probably need to go ahead and change it. Over the past few years, most people have had their passwords exposed through a massive data breach, whether it was Yahoo, LinkedIn, Adobe, or another one.
If you use the same password across multiple accounts, you need to change all of them any time you experience a breach. This is the basis for the “use a different password for every account” wisdom: if a cybercriminal gets your password and you use it for every website, they have access to everything rather than just one account.
Use a password manager to create and store passwords.
Creating different, complex passwords for every account is still a best practice. But it’s nearly impossible for humans to do that on their own. So, don’t try—use a password manager instead. A password manager is an app that creates and stores your passwords, so you don’t have to.
All of it is stored behind one master password. You are going to need to make that master password something long and complex. But you’ll only need to memorize the one.
You can use the password manager to help you comply with the best practices that aren’t manageable on your own. Specifically:
- Long, complex passwords that use a combination of letters, numbers, and special characters
- Passwords without dictionary words or personal information (like your kid’s name)
- A different password for every account
- Don’t write your password down or store in an unsecured location.
Most passwords managers have other features to help you outside of just creating and storing passwords. Many can also do things like securely store credit card information and receipts and store information for online form fill.
Use multi-factor authentication on any account possible.
Most cybersecurity experts agree that a password on its own is not enough to protect an account anymore—they’re just too easy to crack.
So, in addition to using password manager to create and manage strong passwords, you should use multi-factor authentication (MFA) on any account possible. Sometimes also called dual-factor authentication, MFA protects your account by adding another layer of authentication. Even if a cybercriminal gets your password, your account is still protected if they don’t have that second layer.
Many services offer multi-factor authentication or two-step verification (a very similar but technically different process) for free. We recommend turning it on for any account possible, both personal and professional. For most accounts, this will in your settings. For company controlled accounts, check with your IT team.
Don’t use real answers for security questions.
If you forget your password, many websites still rely on security passwords. Unfortunately, most of these use the same set of questions—things like your mother’s maiden name and the street you grew up on. That information isn’t hard to find out about someone else.
To get around this, don’t use real answers for security questions. Make up answers that only you know. If you don’t think you’ll remember the answers, try basing the answers on a character. For example, if you’re using Harry Potter, you’d use the street he grew up on (Privet Dr.) instead of your own street. Just make sure you don’t do anything to reveal the character if there is a hint option.
As cybercrime evolves, so does cybersecurity. Many cybersecurity experts consider passwords to be one of the weakest links in cybersecurity, largely because most people don’t follow best practices. Microsoft is slowly working to phase out passwords entirely.
But in the short term, they’re here to stay. So, follow these tips to strengthen your password practices without sacrificing productivity.