What’s the password?
Tips for setting up protections that are easier to remember
Security experts have warned for years that to protect our online accounts, we need to change passwords frequently and make sure those passwords are filled with letters, numbers and random characters. But that advice may have done more harm than good because such passwords are nearly impossible to remember.
Now, new research shows that not only are complex passwords user-unfriendly, but they’re also not hacker-proof. That’s partly because once people finally commit passwords to memory, they often reuse them for multiple accounts.
A better hacker deterrent: passphrases, which are long, easy-to-remember strings of words.
Start by picking a series of unrelated common words or a phrase that may be obscure but that you can remember. Length is more important than randomness. Put capital letters, numbers or special characters within the passphrase, not just at the beginning or the end, says Lorrie Cranor, a computer science professor at Carnegie Mellon University. Avoid repetitive or sequential characters, such as 777 or XYZ, or even using letters that form a pattern on the keyboard, such as “qwerty.”
Still, even the best passwords are easily compromised if you write them down, which is what 73 percent of people do, according to a 2017 survey by the Pew Research Center.
One solution is to sign up with a password manager that will store all of them behind one master login — the only password you’ll need to remember. A password manager also can help you create strong, unique passwords for each of your accounts.
For instance, to have password manager LastPass (free) generate a password for you, log into LastPass and then visit the site that you want to add to your LastPass account. Ask to reset your password, then use the LastPass browser extension to generate a new password. Change your password on the site and log in to that account using the newly generated password.
A pop-up will ask if you’d like to add the new password to LastPass. After that, LastPass will fill in the new password automatically. The service’s premium option ($24 a year) has extra features, while the family plan ($48 a year) allows up to six people to use the service and share log-in information with one another for shared accounts.
To add another layer to your security network, enable two-factor or multistep authentication on any account that allows you to. You’ll enter your username and password as usual, but the account will then confirm your identity by asking you to enter a code that has been sent to your smartphone or email address.
The extra step deters hackers, and you’ll know if an intruder attempts to log in with your password.