Having a compromised account is bad news. At best, it means some headaches. More likely, it’s going to cost you money and resources, not to mention lost customer trust (and some headaches).
Often, the only thing standing between you and a compromised account is your password. And most people are pretty terrible at making up passwords. Most of us fall into the same habits when creating passwords, making them really easy to guess.
If any of these sound familiar, it’s time to change your ways.
You use common elements when you create a password.
Even if your password isn’t on a list of the top passwords used, many people follow the same trends in passwords. The most common elements include:
- Family Name (including your spouse’s name, kids’ name(s), pet names)
- College name or mascot
- Significant Years (including birth year, graduation year, anniversary year, or current year)
- Company name
- Sequential letters or numbers (like qwerty or 1234)
If you’re using letters and numbers, you’re probably just combining a couple of the tactics above. It wouldn’t be surprising for someone who graduated from Clemson University in 2008 to have a password like “tigers2008”.
You follow a common format.
Even when you’re required to use a combination of uppercase and lowercase letters, numbers, and special characters, you’re probably following a pretty common format. You likely capitalize the first letter of a word, then put numbers, then a special character.
Our Clemson graduate above? If they need a more complex password, they would probably do something like “Tigers2008!”
You follow patterns when you create passwords.
In the list of best practices for creating passwords, having a different password for every account is near the top. The thing is—it’s hard to remember a bunch of different passwords. Even if you do have a different password for every account, you probably use some sort of pattern, so you can remember them. Once a cybercriminal figures out the pattern, they know all your passwords.
Let’s look at our Clemson friend again. Let’s say they want to use a different password for every site. They add the first two letters of the site name to the end of their passwords. So, for LinkedIn they use “Tigers2008!LN” for their password. If they haven’t changed it since the massive LinkedIn breach from a few years ago, it wouldn’t be hard for a cybercriminal to figure out their password for other sites, even though it’s not exactly the same.
You go password walking.
Another commonly touted password best practice is to change your passwords frequently. A lot of businesses force this on their employees with password policies. But, like having a different password for every account, it’s hard to remember a password that changes every 90 days.
So, most people only change one digit when they have to change their password frequently – sometimes known as password walking. It’s just easier to remember. It also makes it pretty easy to figure out what your current password is, if a cybercriminal knows an old password of yours. The new one is probably pretty similar.
Back to our Clemson alumnus. If their current password at work is “Tigers2018!1”, their next password will probably be “Tigers2018!2”.
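A policy check that flags the four habits described above (common elements, the capitalised-word-plus-digits-plus-symbol format, sequential runs, and password walking), added here as an example and not part of the original post. The common-element list and the 0.8 similarity threshold are assumptions for illustration; a real deployment would load its own list.

```python
import re
from difflib import SequenceMatcher

# Constructed list of "common elements" (mascot, college, company) for this example.
COMMON_ELEMENTS = {"tigers", "clemson", "acme"}
# Capitalised word, then digits, then zero or more special characters.
COMMON_FORMAT = re.compile(r"^[A-Z][a-z]+\d+[^\w\s]*$")
# A four-digit year such as a birth, graduation or current year.
YEAR = re.compile(r"(?:19|20)\d{2}")


def has_sequential_run(pw, length=4):
    """True if pw contains `length` adjacent keyboard, alphabet or digit characters."""
    rows = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
            "abcdefghijklmnopqrstuvwxyz", "0123456789"]
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if any(chunk in row or chunk in row[::-1] for row in rows):
            return True
    return False


def is_walked(new, old, threshold=0.8):
    """True when `new` is a small edit of `old`, e.g. only the trailing digit changed."""
    if not old:
        return False
    return SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold


def check_password(pw, previous=None):
    """Return the habits a candidate password matches; an empty list means it passed."""
    reasons = []
    low = pw.lower()
    for elem in COMMON_ELEMENTS:
        if elem in low:
            reasons.append(f"contains common element '{elem}'")
    if YEAR.search(pw):
        reasons.append("contains a year")
    if COMMON_FORMAT.match(pw):
        reasons.append("follows the Capitalised-word + digits + symbol format")
    if has_sequential_run(pw):
        reasons.append("contains a sequential run like 'qwerty' or '1234'")
    if previous and is_walked(pw, previous):
        reasons.append("is a small variation of the previous password (password walking)")
    return reasons
```

Run against the article's own examples, "Tigers2008!" trips three checks, "Tigers2008!LN" is flagged as a walk of "Tigers2008!", and a generated password such as "x7Q#mv9Lpz2R" passes cleanly.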
So, what can you do?
Use a password manager.
The biggest hurdle to creating strong passwords is the ability (or lack thereof) to remember them all. Password managers solve that for you by storing your passwords. You just have to remember the one password to get into it. Most password managers can also generate strong passwords for you, so you won’t fall into one of the habits above.
Use multi-factor authentication.
If a cybercriminal does get your password, whether it’s because your passwords are easy to guess or some other method, multi-factor authentication (sometimes called two-factor or dual-factor authentication) can prevent them from getting into your account. It requires a second form of authentication, like a one-time passcode. Implement this (or two-step verification) on any account possible. It can be annoying, but it can save you from a lot of headaches.
Even if you don’t fall into these habits, using a password manager and multi-factor authentication have become the new standard for password best practices, and you’d benefit from using them.