Recently, the top 25 most common passwords were published and the list was full of predictable choices such as 'password', '1234' and 'qwerty'. And to show the signs of the times, 'starwars' and 'solo' also made it to the top.
I read the list and laughed. Seriously, who uses 'password' for a password? Then I realized… I have. And I am betting you have too. The average person online now has around 100 digital accounts. Before you think that is a ludicrous number, consider all the accounts you use:
I have no less than 80 passwords written down which don’t include my primary accounts or those tertiary ones.
And if you are using ‘password’ or anything that predictable, you may as well not have a password at all.
Hackers are getting much better at writing programs to break passwords, especially common words. They use a technique called a ‘dictionary attack’: they take your email address (which could have come from any number of places) and then try it with millions of ordinary words in the password field. The scary part is that it takes seconds. It is that easy.
Your primary accounts should be considered sacred because they lead to your most valuable assets online: your personal data and your finances. If nothing else, these accounts should have kick-ass passwords on them and they should all be different (in the event that one account gets hacked, you do not want people gaining access to any others).
I will admit to reusing passwords on my secondary accounts, like access to Netflix or my library card. Is this a risk? Sure, there is information associated with these accounts like my name and address, but as far as my viewing history or book holds go, I am not so worried.
As for the tertiary accounts, they don’t seem to matter: race results for your kids’ event or signing up for a free dinner on your birthday at a restaurant. The problem is that those accounts also contain personal info and you really should be more protective than just giving it away. The combination of your name and birth date from one of these places could be enough for a hacker to set up an account somewhere else in your name, or your child’s. Tips to avoid this below.
As you could have guessed, longer and more complicated is always better. The ideal password is 8 characters long, isn’t in the dictionary and includes both numbers and symbols. Yikes.
Here are some tips to create strong passwords:
Many websites are now offering Single Sign On. This is the ability to use your Facebook, Google, or Twitter ID to log in. If this is a trusted site, this could be a good option; HOWEVER (big caveat here), when you do this you allow the new website access to your personal information from your social network. For a full list of what info you give away, you can read more in my article on Signing in Using Social Media Logins.
The other option is to fake it. I literally just created a fake account to get access to the MS Readathon page for my daughter. All I wanted was the end date of the event at her school but I was not interested in creating a real account to do it. I made up a name and an email. If you want to create an account with a fake email but still need it to be legit, you can always use 10 minute mail. This creates a temporary email address that lasts, well, 10 minutes. Long enough to get in, verify the account, do what you need, and leave no trace behind.
I get this question all of the time. There is no right answer, so do what works for you. You should have your primary passwords memorized, especially if you use them daily.