The Washington Post

The ultimate guide to secure passwords

Here are Help Desk’s tips on how a few changes can solve most of your issues

Weak passwords lead to stolen identities, money and accounts. Yet the most common password on earth is “123456,” according to data from CyberNews. (iStock/Washington Post illustration)

Setting hard-to-guess passwords and then remembering them later isn’t easy, and even the best of us mess up.

SolarWinds, which builds IT management software for customers including the U.S. Department of Defense, blamed an intern after a critical company password was leaked online. The password was “solarwinds123.”

Good password habits are like any good habit: easier said than done. Unfortunately, the stakes are getting higher as security disasters get bigger and more frequent. Giant breaches at T-Mobile, web host GoDaddy, trivia game DailyQuiz.me and gas provider Colonial Pipeline happened just this year. More apps, more accounts and more passwords create more opportunities for theft. Meanwhile, human nature stays the same: “123456” is the most-used password in the world.

“You have to laugh to keep from crying,” said JD Sherman, CEO of password manager company Dashlane.

In that spirit, Dashlane released a roundup of 2021’s worst password catastrophes. Facebook made the list for a breach that exposed the phone numbers, birth dates, email addresses and locations of 533 million people. So did Netflix, LinkedIn and bitcoin for their association with an online data dump that included more than 3 billion email-password combinations, which could represent 70 percent of global Internet users.

Once your password is part of a breach, hackers try it on different sites and services to unlock more accounts in what’s called a “credential stuffing” attack. Reusing passwords or going with daredevil options like “solarwinds123” makes you — and often your workplace — more vulnerable. But that doesn’t mean all this password drama is deserved.


“We have too many passwords today as a consumer,” said Josh Yavor, chief information security officer at cybersecurity company Tessian. “If you think about all the different things you have to log in to, the number is just way too high for anyone to be able to keep track of all the different passwords and do the right thing every single time.”

Data from Dashlane shows the average person online has more than 200 accounts that require passwords.

The password fatigue is real, but don’t let it stop you from making some small changes to protect your accounts, your wallet and your identity. Here are six easy things to do today:

Stop reusing passwords

During his days as a penetration tester helping companies find and eliminate paths hackers could use to break in, Yavor once gained access to 20,000 corporate accounts in less than an hour simply by plugging in the default password the accounts came with, he said.

If you take only one step to better protect your accounts, make it this: Retire that trusty old “qwerty” password and reset any defaults.

Reusing passwords across accounts makes all of them less safe. For instance, if you use the same password for Netflix and Chase Mobile, a data breach at Netflix could put your bank account at risk.

Make your passwords not guessable

Passwords shouldn’t draw on details from your life. You may think that no one could guess your child or pet’s name when all it takes is a quick visit to Instagram or LinkedIn to figure it out.

When coming up with on-the-fly passwords, people’s minds tend to gravitate toward the same themes. Tessian found that 21 percent of people use predictable cues like their favorite football teams or birthdays. A survey by Microsoft indicated 15 percent of people use pets’ names. That’s why it’s better to avoid passwords with any real significance. Make them long (think longer than 12 characters) with plenty of numbers, letters and special symbols. Ninety-six percent of password-related cyberattacks involve passwords with fewer than 10 characters, and 76 percent involve passwords with fewer than six, according to Microsoft.

“But why would anyone care to spend time guessing my password?” you might be asking. Even if you think you’re not high profile enough to be the target of a cyberattack, don’t let that little-old-me syndrome keep you cycling through insecure passwords. Hackers spend time trolling for easy targets, and some make use of automated password-guessing in what Yavor calls a “spray and pray” approach.

Coming up with passwords is like leaving your car in a mall parking lot, Sherman noted. Most thieves are just hunting for unlocked doors and rolled-down windows.


Passwords to avoid:

  • 123456. Easy to remember means easy to guess.
  • Password. This goes without saying.
  • Password123. Nice try, but no.
  • Qwerty. Try a different combo of letters, then add some numbers and symbols.
  • Pets’ names. Try combining pets’ names into a unique new word with some special symbols.
  • Kids’ names. Same deal as pets. (But less furry, usually.)
  • Favorite teams. This is a common one, and there are only so many professional sports teams.
  • Birthdays. Try a date with no significance, then add some symbols and letters.
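The rules above (longer than 12 characters; letters, numbers and symbols; nothing from the common list; no pet or kid names, teams or dates) can be turned into a checker. The following is an added example, not code from the article or from Dashlane or Tessian; the blocklist is constructed from the passwords the article names, and the date heuristic and `personal_terms` parameter are my own assumptions.

```python
import re
from typing import Iterable, List

# Constructed blocklist built from the passwords the article itself names as common.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "solarwinds123"}
MIN_LENGTH = 12        # the article's "longer than 12 characters" guidance
MIN_PERSONAL_TERM = 3  # ignore very short personal terms to limit false hits

def _base_word(pw: str) -> str:
    """Lower-case and strip trailing digits/symbols, so 'Password123!' -> 'password'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def _plausible_date(run: str) -> bool:
    """True if a 6- or 8-digit run parses as MMDDYY, DDMMYY, MMDDYYYY, DDMMYYYY or YYYYMMDD."""
    if len(run) == 6:
        pairs = [(run[0:2], run[2:4]), (run[2:4], run[0:2])]
    elif len(run) == 8:
        pairs = [(run[0:2], run[2:4]), (run[2:4], run[0:2]), (run[4:6], run[6:8])]
    else:
        return False
    return any(1 <= int(m) <= 12 and 1 <= int(d) <= 31 for m, d in pairs)

def _looks_like_date(pw: str) -> bool:
    """Heuristic: any 19xx/20xx year, or a digit run that parses as a calendar date."""
    return any(re.search(r"(19|20)\d{2}", run) or _plausible_date(run)
               for run in re.findall(r"\d+", pw))

def password_problems(pw: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the article's objections to a password; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"\d", pw):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special symbols")
    if pw.lower() in COMMON_PASSWORDS or _base_word(pw) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if _looks_like_date(pw):
        problems.append("contains a date or year")
    letters_only = re.sub(r"[^a-z]", "", pw.lower())  # 'Fluffy!2021' -> 'fluffy'
    for term in personal_terms:
        bare = re.sub(r"[^a-z]", "", term.lower())
        if len(bare) >= MIN_PERSONAL_TERM and bare in letters_only:
            problems.append(f"contains personal detail '{term}'")
    return problems
```

Pass the pet, kid and team names a stranger could find on your social profiles as `personal_terms`; a password that comes back with an empty list clears every rule the article lists.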

Check if any of your passwords have been exposed

An exposed password may provide the kick in the pants you need to clean up your password act.

Apple notifies you if one of your saved passwords has appeared in a breach. On an iPhone, go to Settings -> Passwords -> Security Recommendations and change any passwords that are putting you at risk. For passwords you’ve allowed Google to save, go to passwords.google.com -> Go to password checkup -> check passwords. (Note: It’s easy to leave yourself logged into Google on someone else’s computer, so I’d recommend a different method of storing passwords.)

Password managers — applications that generate, save and automatically fill in unique, hard-to-guess passwords — can alert you to compromised passwords, too. And speaking of password managers …


Download a password manager

A password manager will solve a bunch of your password security problems in one swoop.

Just add the manager app — we’ve recommended Dashlane, 1Password and LastPass — to your mobile device, or sign up on its website. The tool will start saving the passwords you use to log in, generating hard-to-guess passwords when you sign up for new sites and automatically inserting your passwords into log-in forms. You can even have it save your name, address and credit card info for faster sign-ups and checkouts.

As far as setup, you’ve got a choice: Either turn on your favorite album and spend a few hours inputting the passwords to the sites you visit most often, or just start going about your business and auto-save passwords as you use them.

In a saner world, everyone would have just three passwords to keep track of, Tessian’s Yavor said: your phone, email and password manager. Memorize those passwords to keep them safe, and choose a manager with zero-trust architecture, or encryption technology that prevents the company from knowing the very information it stores.

If you must store passwords somewhere else, know the risks

We’re all familiar with the sacred password notebook sitting next to the desktop computer. There’s also the password safe, the password Google doc, the password saved email draft and my mom’s favorite: the password list in the smartphone notes app.

If you opt to store your passwords yourself rather than using a manager, there’s no real winning, Yavor said. You can avoid digital theft by writing passwords in an analog notebook or slip of paper, but then that list is liable to be lost, stolen or — in his case — eaten by golden retrievers.

Of course, you can keep your passwords safe from canines and other acts of God by storing them somewhere digital. But then you’re opening yourself up to potential cyber theft.

Whatever you choose, know what risks you’re taking, and give a password manager some serious thought.

Set up two-factor authentication

Two-factor authentication means a person has to authenticate their identity in two different ways before gaining access to an account. By enabling two-factor, you prevent hackers from breaking in if they’ve only gotten their hands on your username and password.

Traditionally, two-factor has involved a text message sent to your phone with a numeric code to input. If you know the code, that means you have your phone, so the app or site can trust that you’re really you.

But that method leaves you vulnerable if somebody gets their hands on your phone. If you want some password hygiene extra credit, take a couple of seconds to download an authenticator app. These connect to your accounts and ping you when somebody tries to log on. Then, the app gives you some second piece of info that authenticates your identity and lets you sign in. Google, Microsoft, Twilio and ID.me all make authenticator apps you can access from different mobile devices. Just type “authenticator” into an app store and download one of these options.
