Often, the only thing standing between an attacker and your account is your password. And most people are pretty terrible at making up passwords: most of us fall into the same habits when creating them, which makes them easy to guess.
If any of these sound familiar, it’s time to change your ways.
Even if your password isn’t on a list of the top passwords used, many people follow the same trends in passwords. The most common elements include:
If you’re using letters and numbers, you’re probably just combining a couple of the tactics above. It wouldn’t be surprising for someone who graduated from Clemson University in 2008 to have a password like “tigers2008”.
Even when you’re required to use a combination of uppercase and lowercase letters, numbers, and special characters, you’re probably following a pretty common format. You likely capitalize the first letter of a word, then put numbers, then a special character.
Our Clemson graduate above? If they need a more complex password, they would probably do something like “Tigers2008!”
In the list of best practices for creating passwords, having a different password for every account is near the top. The thing is—it’s hard to remember a bunch of different passwords. Even if you do have a different password for every account, you probably use some sort of pattern, so you can remember them. Once a cybercriminal figures out the pattern, they know all your passwords.
Let’s look at our Clemson friend again. Let’s say they want to use a different password for every site, so they append a two-letter abbreviation of the site name to each password. For LinkedIn they use “Tigers2008!LN”. If they haven’t changed it since the 2012 LinkedIn breach (the full dump of which surfaced in 2016), it wouldn’t be hard for a cybercriminal to work out their passwords for other sites, even though those passwords aren’t exactly the same.
Another commonly touted password best practice is to change your passwords frequently. A lot of businesses force this on their employees with password policies. But, like having a different password for every account, it’s hard to remember a password that changes every 90 days.
So, when forced to change their password frequently, most people only change one digit (sometimes known as password walking). It’s just easier to remember. It also makes it pretty easy to work out your current password if a cybercriminal knows an old password of yours, because the new one is probably very similar.
Back to our Clemson alumnus. If their current password at work is “Tigers2018!1”, their next password will probably be “Tigers2018!2”.
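To make the two habits above concrete, here is an added example (not code from the original article) that does what an attacker with one leaked password would do: derive candidate passwords from the site-suffix pattern and from the trailing-digit walk, then check them against password hashes on other sites. The other sites, their two-letter codes, and the target hashes are constructed for the example; plain SHA-256 stands in for whatever hash a site actually stores.

```python
import hashlib
import re


def sha256_hex(s: str) -> str:
    # Stand-in for the target site's stored hash; any fast unsalted hash makes the point.
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed targets: hashes an attacker wants to crack on *other* sites, built here
# from the article's example passwords so the example runs offline.
TARGETS = {
    "facebook": sha256_hex("Tigers2008!FB"),
    "amazon": sha256_hex("Tigers2008!AM"),
    "work-current": sha256_hex("Tigers2018!2"),
}

# Assumed two-letter site codes the victim might use; "LN" is the one the article gives.
SITE_CODES = ["FB", "TW", "AM", "GM", "AP", "NF"]


def site_suffix_candidates(leaked: str, leaked_code: str, codes) -> list[str]:
    """Per-site suffix pattern: Tigers2008!LN -> Tigers2008!FB, Tigers2008!TW, ..."""
    if not leaked.endswith(leaked_code):
        return []
    base = leaked[: len(leaked) - len(leaked_code)]
    return [base + code for code in codes if code != leaked_code]


def digit_walk_candidates(leaked: str, steps: int = 9) -> list[str]:
    """Trailing-number walk: Tigers2018!1 -> Tigers2018!2, Tigers2018!3, ..."""
    m = re.search(r"\d+$", leaked)
    if not m:
        return []
    prefix, digits = leaked[: m.start()], m.group()
    # zfill keeps a leading-zero width such as "01" -> "02".
    return [prefix + str(int(digits) + i).zfill(len(digits)) for i in range(1, steps + 1)]


def candidates_from(leaked: str, leaked_code: str = "") -> list[str]:
    """All guesses derivable from one leaked password under the two patterns."""
    out = []
    if leaked_code:
        out += site_suffix_candidates(leaked, leaked_code, SITE_CODES)
    out += digit_walk_candidates(leaked)
    return out


def crack(targets: dict[str, str], candidates: list[str]) -> dict[str, str]:
    """Return {label: plaintext} for every target hash matched by a candidate."""
    by_hash = {sha256_hex(c): c for c in candidates}
    return {label: by_hash[h] for label, h in targets.items() if h in by_hash}


if __name__ == "__main__":
    # Leaked: the LinkedIn password, plus an old work password seen in an earlier dump.
    guesses = candidates_from("Tigers2008!LN", "LN") + candidates_from("Tigers2018!1")
    print(len(guesses), "guesses")
    print(crack(TARGETS, guesses))
```

Fifteen guesses recover all three accounts; a real cracking rig would add many more mangling rules (year swaps, case changes, common suffixes), which is why "different but related" passwords buy almost nothing once one of them leaks.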
The biggest hurdle to creating strong passwords is the ability (or lack thereof) to remember them all. Password managers solve that for you by storing your passwords; you only have to remember the one password that unlocks the manager. Most password managers can also generate strong, random passwords for you, so you won’t fall into any of the habits above.
If a cybercriminal does get your password, whether because it was easy to guess or through some other method, multi-factor authentication (sometimes called two-factor or dual-factor authentication) can still stop them from getting into your account. It requires a second form of authentication, such as a one-time passcode from an authenticator app or hardware token. Turn it (or two-step verification) on for every account that offers it. It can be annoying, but it can save you from a lot of headaches.
Even if you don’t fall into these habits, using a password manager and multi-factor authentication has become the new standard for password best practices, and you’d benefit from doing both.