Nearly every online platform asks you to create an account when you first visit. Having your own account makes using the site more convenient; tailored content, personalized user interfaces, and additional functions are a few reasons to sign up for a site you visit frequently. The more you use a service, the more intertwined it becomes with your personal life. Websites often ask, or require, you to enter information such as your birthday, credit card numbers, or home address, and sometimes identifiers like your social security number. If your account is compromised, that whole library of personal and confidential data can leak. Long, unique passwords, backed by two-factor authentication where it is offered, are the foundation of keeping that data safe.

Length and Complexity

The most important properties of a password are its length and its unpredictability. A good rule of thumb is a minimum of 12 to 15 characters, and longer is better; length does more for you than any single rule about character classes, though you should still mix upper and lower case, digits, and symbols where the site allows them. Do not build it from popular phrases, song lyrics, sayings, or anything else that is not unique to you, since cracking wordlists already contain those. Do not cluster all of the digits or symbols at the start or end of the password, which is where attackers expect them; spread them throughout.

If you are in need of a new password or are simply looking to strengthen your current one, try this method:

  • Come up with a sentence that is meaningful to you and easy to remember
    • STT provides customized security solutions in a timely and effective manner
  • Shorten the sentence down to the first letter of each word; you can also choose to leave certain words or abbreviations as-is
    • STTpcssiataem
  • Replace characters in the last step with close alternatives; for example, an “i” could be a “1,” or an “s” can be changed to a “$”
    • STTpc$$1at@3m
  • Add one “curveball” in the password; this is something you will memorize, but it does not necessarily need to correlate with anything or have meaning behind it
    • STTpc$qp$1at@3m

At first, this password may seem difficult to memorize or type. After a few repetitions, though, it becomes second nature, and the long-term security benefit far outweighs the short-term effort. This is why the original sentence should be meaningful to you: if you forget the password, you can repeat the sentence to yourself and re-derive your changes. One caveat: cracking tools know the common letter-for-symbol swaps (an "i" for a "1", an "s" for a "$") and apply them automatically to every word they try, so step three adds far less strength than it appears to. The length of the underlying sentence and the "curveball" are what actually put the result out of reach.

Password Managers

Most sites impose their own password requirements, which leaves you with a plethora of differing passwords and makes it hard to remember which belongs to which website. When you have multiple accounts with the same service, such as a personal and a professional Twitter account, keeping track becomes harder still. Even so, never use the same password for more than one website or service (don't put all of your eggs in one basket): once one site is breached, attackers replay the leaked email and password combinations against every other popular service. Lightly modified versions of the same password are not much better, because the modifications people make are predictable (see the research under "Changing Your Passwords" below), so accounts for banking, email, and government services in particular need entirely different passwords.

A great way to stay organized is to use a password manager such as 1Password or Dashlane. These services require a master password to unlock the library of your other passwords, and within them you can keep all of your accounts in one centralized location that is reachable from nearly any device. A manager also generates long random passwords for you, so every account can have a unique one you never have to remember, and because it fills a password only on the site it was saved for, it will refuse to fill a look-alike phishing domain. The main risk is compromise of the master password itself, so it should be the longest and most complex in your arsenal, and the manager account should have two-factor authentication turned on. An Excel spreadsheet that tracks the service, your sign-in email and/or username, and the password is sometimes suggested as an alternative, but it is a poor one: unless the file is encrypted it is readable by anyone or anything that reaches your disk, and it is not viable at all if you frequently use a shared computer or need access from different devices on the go.

2FA – Two Factor Authentication

Equipping your accounts with an additional layer of security makes it much more likely that your data stays protected. Many sites offer two-factor authentication (2FA): when you sign in to, say, Facebook on a new device, you can require a code from your mobile phone in addition to the correct email and password. If someone obtains your credentials and attempts to sign in, they are halted without that code.

If a site offers this, turn it on. Most sites will not ask for the code on every sign-in from a personal device you have already verified. 2FA stops people who have obtained your login information from getting any further, and many services also notify you of the attempt, which is your signal to change the password. Two caveats: a code sent by text message can be intercepted by an attacker who takes over your phone number (SIM swapping), so an authenticator app or a hardware security key is the stronger option where offered; and a phishing page can ask you for the code and relay it in real time, so the code is not a reason to relax about where you type your credentials.

SSO – Single Sign On

Some sites let you sign in with an existing Google, Facebook, Apple, or other account instead of creating a new password; this is commonly called SSO, or single sign-on, and under the hood it usually runs on OAuth 2.0 or OpenID Connect. Two things are often misunderstood about it: the site you are logging into never sees your password (it receives a signed token from the identity provider), and it only gets the data you approve on the consent screen, not blanket access to your other accounts. The real trade-offs are different. Your identity-provider account becomes a single point of failure, so it needs your strongest password and 2FA; the provider learns which sites you use; and the consent screen deserves a careful read, because a site that asks for more than your basic profile (your contacts, the ability to post on your behalf) is asking for more than login requires. Use it with services you trust, and prefer it to reusing a password you already use elsewhere.

“Would you like to remember this password?”

No. Unless it is a personal device, do not let your browser remember your passwords. This should be self-explanatory, but the convenience makes it a tempting offer, and on a shared or public computer anyone who sits down next can sign in as you. It is equally important to sign out manually: some services, like Gmail, keep you signed in by default. When you are done on a shared or public device, click "sign out" so your account stays secure, and prefer a private/incognito window, which discards the session when it is closed.

Phishing and Scams

Unfortunately, those who seek to compromise your accounts often do not need to brute-force your password at all. Phishing and other scams are among the most effective ways to obtain account information. With the amount of data collected on every user online, some very convincing scams are circulating. Keep in mind that any personal data you have ever entered online could have been exposed in a breach at some point, and data that a friend, family member, or coworker entered about you can be used just as well to gain your trust and get you to hand over sensitive information. Some things to look out for:

  • Emails, websites, advertisements, or pop-ups that seem unusual
    • Is the CEO of Google really contacting you?
  • Unexpected or unwarranted "limited warranties" or "special offers"
    • Just because a caller knows your phone number does not mean it's official; real companies that need to contact you about these matters will call and identify themselves properly, and you can always hang up and call back on the number printed on your card or statement
  • Poorly worded emails and broken English (though a well-written email is no guarantee of legitimacy)
    • "You have a limited time on your offering to receive a free $200 gift card"
    • Even replying to these emails alerts the scammer that the address is active and a real person reads it
    • These emails often look official, so check the actual sender address rather than the display name: hover over or expand the name in your mail client
      • It may display "Bill Gates" as the sender, but expanding it could reveal billgates@fye11.com, which is clearly not credible; hover over links the same way, because the visible text and the real destination can differ, and when in doubt type the company's address into your browser yourself
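The checks in the last two bullets can be automated. Below is an added example, not from the original page, that parses a constructed phishing email (the "Bill Gates" message above, with a made-up link) using Python's standard library and reports the tell-tale signs: a display name whose sender domain is not one you expect, a link whose visible text is a URL to one site while its real target is another, and plain-http links. The `trusted_domains` set, the `registrable_domain` shortcut, and the message itself are assumptions for the demonstration; real mail filters use far richer signals.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; the address and link are made up.
RAW_MESSAGE = b"""From: "Bill Gates" <billgates@fye11.com>
To: you@example.com
Subject: Your limited time $200 gift card
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have a limited time on your offering to receive a free $200 gift card.</p>
<p>Claim it at <a href="http://fye11.com/claim">https://www.microsoft.com/rewards</a></p>
<p>Questions? Visit <a href="https://www.microsoft.com/support">our support page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification: last two labels. A real check uses the Public Suffix List.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw, trusted_domains):
    """Return a list of human-readable warnings found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name vs. the address actually behind it.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if display and sender_domain and registrable_domain(sender_domain) not in trusted_domains:
        findings.append(f"display name '{display}' but sender domain '{sender_domain}' is not trusted")

    # 2. Links whose visible text is a URL that disagrees with the real target.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            if text.startswith(("http://", "https://")):
                text_host = urlparse(text).hostname or ""
                if registrable_domain(text_host) != registrable_domain(href_host):
                    findings.append(f"link shows '{text}' but goes to '{href}'")
            if href.startswith("http://"):
                findings.append(f"plain-http link '{href}'")
    return findings


if __name__ == "__main__":
    for warning in phishing_indicators(RAW_MESSAGE, {"microsoft.com"}):
        print("WARNING:", warning)
```

Note what this does not catch: a forged From address at a trusted domain (which only SPF/DKIM/DMARC checks on the receiving server can detect) and a link whose visible text is plain words rather than a URL, which is why the advice to hover and to navigate to the site yourself still applies.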

Changing Your Passwords

You’ve probably heard that changing your password every so often adds security. Some services even require a change semi-annually or annually. The evidence says otherwise: forced, periodic changes tend to reduce security. They increase the likelihood of your forgetting your account information, and they push you into unintentional patterns of change that make the next password easy to guess from the last one. Current guidance (NIST SP 800-63B, for example) is to change a password when there is reason to believe it has been compromised or shared, not on a schedule.

There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.

A study by UNC researchers, summarized in a post on the FTC’s website, found that frequent forced changes can actually increase the odds of an account being compromised. Some notable takeaways from that post include:

  • “Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases
  • UNC researchers obtained the passwords to over 10,000 defunct accounts belonging to former university students, faculty, and staff. Users were required to change the password for these accounts every 3 months. For each account, the researchers were given a sequence of 4 to 15 of the user’s previous passwords – their total data set contained 51,141 passwords
  • The passwords themselves were scrambled using a mathematical function called a “hash.” In most password systems, passwords are stored in hashed form to protect them against attackers. When a user types in a password, the system runs it through the same mathematical function to produce a hashed version of the password they just typed. If it matches the hashed password that was previously stored for the user, then the user is able to log in
  • Rather than guessing every possible password in alphabetical order, cracking tools use sophisticated approaches to guess the highest probability passwords first, then hash each guess and check to see whether it matches one of the hashed passwords. The UNC researchers’ password cracking system ran for several months and eventually cracked about 60% of the passwords
  • For 7,752 accounts, the researchers were able to crack at least one password that was not the last password the user created for that account
  • The UNC researchers found that for 17% of the accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses. An attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account”

The rest of the report can be found here.
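To make the hashing and cracking bullets concrete, here is an added example (not from the report or the original page) in Python. The storage side keeps only a salted, iterated hash, which is what the quoted study describes plus the salt any modern system adds. The attacker side does in miniature what the study's cracking system did: it generates high-probability guesses, hashes each one, and compares. Two guess generators are included, and the scenarios in `demo()` are constructed: one derives the next password from a known previous one, in the predictable-rotation style the study measured; the other expands a base string through the common letter-to-symbol swaps, which is why the substitution step in the "Length and Complexity" section above adds less than it looks. The passwords `Summer2019!` and `Summer2020!` are made up; `STTpcssiataem` and its variants are the page's own.

```python
import hashlib
import hmac
import os
import re

# Storage side: the system keeps only a salted, iterated hash, never the password.
# The iteration count is kept low so this demo runs instantly; production uses a
# much higher cost (or Argon2/scrypt/bcrypt) so every attacker guess is expensive.
ITERATIONS = 1000


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Attacker side: generate high-probability guesses, hash each, compare.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def rotation_guesses(previous):
    """Guesses derived from a known previous password, in the order a
    forced-rotation user typically edits it (constructed ordering)."""
    yield previous                                   # 1. reused unchanged
    m = re.search(r"(\d+)(\D*)$", previous)          # 2. bump a trailing number
    if m:
        num, tail = m.group(1), m.group(2)
        for k in (1, 2, 3):
            yield previous[:m.start(1)] + str(int(num) + k).zfill(len(num)) + tail
    for suffix in ("!", "1", "!!", "#"):             # 3. append a character
        yield previous + suffix
    if previous and previous[-1] in "!#$@":          # 4. swap the final symbol
        for sym in "!#$@":
            if sym != previous[-1]:
                yield previous[:-1] + sym
    yield "".join(LEET.get(c.lower(), c) for c in previous)  # 5. leet-speak it


def leet_variants(base):
    """Every combination of the common letter-to-symbol swaps applied to one
    base string, the way a cracking rule set expands a single dictionary word."""
    positions = [i for i, ch in enumerate(base) if ch.lower() in LEET]
    for mask in range(1 << len(positions)):
        chars = list(base)
        for bit, pos in enumerate(positions):
            if mask >> bit & 1:
                chars[pos] = LEET[chars[pos].lower()]
        yield "".join(chars)


def crack(salt, digest, candidates, limit=1000):
    """Offline attack on one stolen hash. Returns (password, guesses_used),
    or (None, guesses_used) if the candidates are exhausted or the limit hit."""
    tried = 0
    for cand in candidates:
        if tried >= limit:
            break
        tried += 1
        if check_password(cand, salt, digest):
            return cand, tried
    return None, tried


def demo():
    """Constructed scenarios; the passwords are illustrative, not real data."""
    results = {}
    # A user forced to rotate changes "Summer2019!" to "Summer2020!".
    salt, digest = hash_password("Summer2020!")
    results["rotated"] = crack(salt, digest, rotation_guesses("Summer2019!"))
    # The page's acronym with symbol swaps falls within 128 rule guesses...
    salt, digest = hash_password("STTpc$$1at@3m")
    results["leet_only"] = crack(salt, digest, leet_variants("STTpcssiataem"))
    # ...but the extra "curveball" characters are not reachable by those rules.
    salt, digest = hash_password("STTpc$qp$1at@3m")
    results["curveball"] = crack(salt, digest, leet_variants("STTpcssiataem"))
    return results


if __name__ == "__main__":
    for name, (found, guesses) in demo().items():
        print(f"{name:10s} -> {found!r} after {guesses} guesses")
```

The salt stops one guess from being checked against every user's hash at once, and the iteration count makes each guess slower; neither helps a user whose new password is two guesses away from the old one, which is the study's point.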