Online account security matters when it comes to avoiding identity theft, and having a strong password is your first line of defense. Strong passwords should be long (at least 16 characters), complex (containing a random mix of letters, numbers, and characters), and unique (not repeated from site to site). And if your credentials are stolen as part of a data breach — or if you suspect that someone’s trying to access your account — change your passwords immediately.
Much like the lock on a door or the code to a safe, your passwords protect the treasure trove of personal information stored within your digital accounts.
From a retail membership with your banking or credit card information stored inside to your IRS account with your address or Social Security number on file, cybercriminals can do a lot of damage with information plucked from an online account.
Which begs the question: how strong are your passwords?
How hackers steal passwords
Password thieves know just how valuable these credentials are, and they've found a multitude of ways to steal them over the years.
Keeping an eye out for these methods of attack is essential.
Data breaches: If a company you have an online account with is the victim of a data breach, your credentials could be stolen as part of the attack. That’s one reason why it’s so crucial to use unique passwords for every online account you open, instead of reusing the same password from site to site.
Brute force attacks: This happens when bad actors try to guess your password, sometimes using software that allows them to do it rapid-fire, until they break the code. The good news is that most websites now limit how many incorrect attempts can be made to log into an account within a certain period of time, helping cut down on these attacks.
Malicious software: If a device of yours is infected with certain types of malware, hackers can track what you type, including your credentials when you’re logging into an online account.
Shoulder surfing: A more traditional mode of stealing information, this entails a fraudster watching you enter a password in real life, peeking over your shoulder as you type.
Phishing: Some spoofed (or phony) websites deployed via phishing emails, texts, and social media messages can gather data you enter into them. So, when you type your username and password into the login page of a spoofed site, that data is captured by a criminal on the other end of the screen.
Social engineering: In a social engineering scheme, a fraudster may pretend to be a family member or friend — or even generate the feeling of companionship via social media or dating sites — then ask for you to share their login information for some fictitious reason.
If a hacker steals your password using any of these methods, the most immediate risk is that they could gain access to the account (or accounts) associated with that password. Then, they have the power to manipulate your account settings and lock you out and act on your behalf without your consent.
They could also view and steal the personal information stored inside, and use it to open new accounts, apply for credit cards, or commit other forms of identity theft.
If the hacker gains access to your bank or credit card account, they could withdraw or transfer money or make unauthorized purchases.
How to create a strong password
It takes only a few seconds to change a password, and it’s time well spent if it saves you the emotional, and potentially financial, strife of identity theft or financial fraud.
To ensure your passwords are as safe and secure as possible, follow these guidelines:
DO:
Make your passwords at least 16 characters long. Or preferably, the longest length allowed by the site or app.
Use a random mix of letters, numbers, and symbols. For some passwords, you may even be able to add spaces.
Incorporate both capital and lowercase letters. The more intricate the password, the more secure it is.
Use complex phrases rather than single words. Using misspelled or nonsensical words and phrases will earn you extra points.
DON’T:
Reuse passwords for multiple websites or accounts
Write down passwords or store them in your email, phone, or computer
Use words or phrases that are unique to you but predictable like your pets’ names, street names, or your birthday
Use common words or letter or number combinations like 12345 or “password”
Randomness is key to a good password
A great password solution: Take a phrase that’s easy for you to remember, and tweak it to make it harder to guess, like in the examples below.
Swap out letters with similar special characters (think @ for a, $ for s) to turn a familiar verse into a stronger password. For example, Wordsworth’s “I wandered lonely as a cloud” becomes “Iw@nderedlonely@$@cloud” — a much stronger password.
Use only the first letter of each word in a popular phrase or song. Sheryl Crow’s “All I wanna do / is have some fun / and I’ve got a feeling / I’m not the only one” becomes the more cryptic “AIWDIHSFAIGAFINTOO.”
How often should you change your passwords?
Though it used to be best practice to change your passwords every few months, the National Institute of Standards and Technology (NIST) has said in recent years that it’s more important to use strong and highly unique passwords than to change them often.
That said, immediately change your password if your credentials were included in a data breach, if someone you’re no longer in touch with has a record of it, or if you suspect that attempts have been made to hack into your account.
More ways to protect your identity online
Fortunately, strong passwords aren’t the only protection you can take against hackers and identity thieves. To further protect your digital accounts and identity security:
Turn on multi-factor authentication (MFA) for your most sensitive accounts like email, online banking, medical, and government accounts. It’s smart to require multiple personal identification numbers or codes as an added layer of security.
Pay extra attention to your email account’s security. Because multi-factor authentication messages typically go to your email, it’s extremely important to have a secure password for your primary email address.
Choose security questions that only you can answer. Avoid questions and answers that a fraudster could glean from your digital footprint, for example, your mother’s maiden name, or the city you were born in.
Keep your devices up to date. Don’t procrastinate on software updates for your smartphone and computer. These often contain new and improved safety features to help keep your electronics protected from hackers.
Use a password manager. If you use the same password over and over again to avoid having to memorize yet another slew of random characters, you’re not alone. But you’re also putting your identity at risk. Thankfully, password manager software lets you remember only one unique password: the one that will log you into that account, which securely stores all your other passwords. Do ample research to ensure you’re subscribing to a reputable, safe, and highly rated password manager, then enjoy the security — and headspace — it affords.