Passwords are keys. Would you use the same key for your house, car, mailbox, and vault where you keep all your money? No way. Would you keep using the same key after you know someone has a copy? Absolutely not, but this is what you might be doing. Almost everyone has had their login information stolen. Go ahead and check your email and usernames on this website: https://haveibeenpwned.com. There have been so many breaches that a huge number of accounts have been compromised.
How to fix it
There’s a lot of bad and complicated information out there about passwords. I’m going to make it easy with three simple rules. Make them different, long, and easy to remember.
- Make them different. Reusing passwords is like using the same key for two things. If a person gets access to one, they can access everything else that uses the same key/password.
- Make them long. The difficulty of guessing or cracking your password goes up exponentially with length. The longer the better (at least 12 characters).
- Make them easy to remember. This is partially dependent on your choice of password management (which we will discuss below), but you’re going to have to remember at least one password. Make it easy to remember.
Sentences work well for these rules. Example of good passwords:
- I went to Keeneland in 2015.
- Pizza is the #1 food!
- My 2nd child’s name is Ashley.
These are long, easy to remember, and they satisfy the requirements that most websites have (a number, lowercase letter, uppercase letter, and special character).
Having a different password for everything is a lot to remember. I don’t think it’s reasonable to expect yourself to remember them all, and keeping them saved in your phone or computer isn’t safe either. So there are two methods of password management that I would recommend: using a password manager and having a hard copy (on paper).
Definitely the best of the two options. Password managers are programs that keep all your passwords saved in them. You will use a master password to access them.
- You only have to remember a single master password (make sure it’s long, at least 20 characters).
- Convenient ones have browser plug-ins that make it extremely easy to access any website. You don’t even have to type in your password--it does it for you.
- They include password generators that can generate strong passwords for you.
- If someone is able to get your master password, they have access to your other passwords. For this reason, I don’t recommend putting your email or bank password in there. See the additional information heading below for why.
Password managers can be confusing for some people. If that’s the case for you, you still need to use different passwords. Since that’s a lot to remember, just write them down. Many people have been taught not to write down your passwords. This is generally good advice, but if it encourages you to use the same password (because you can’t remember all your passwords, and you don’t think you’re allowed to write them down) then it’s better to just write them down. Almost all cyber attacks take place remotely, from another computer. Having your passwords on a piece of paper beside your computer isn’t very high risk.
Your email password is probably your most important password (except for your bank account password). This is because every website allows users to reset their password via an option labeled Forgot your password? This option sends the reset link to your email. If someone gets access to your email, they can usually get access to all your other accounts. Therefore, make your email password one of the strongest and consider not writing it down or putting it in your password manager. One way to prevent the reset problem, at least for websites that support it, is by using two-factor authentication.
Two-factor authentication is one of the best ways to improve your security. For email, bank information, and everything important, you should turn it on. Two-factor authentication requires an extra level of authentication beyond just a password. Typically this means they will text you a code that you have to put in when you log in. If a hacker gets your password, but doesn’t have your cell phone, they cannot get into those accounts.