By Kari Paul, MarketWatch
Your data has never been less secure.
The number of security breaches that exposed people’s sensitive information surpassed 1,300 in 2017, according to the Identity Theft Resource Center, a San Diego-based nonprofit, up from only 200 in 2005. Major incidents like the Equifax data breach in September or the Yahoo hack in 2013, which affected every one of its roughly 3 billion accounts, are only expected to increase as hackers become more sophisticated.
Meanwhile, our defenses are lacking. Some 25% of consumers have forgotten a username or password within the last six months, according to an April study from Experian. And even when we can remember them, many passwords are less than bulletproof. Some 31% of people surveyed by password manager Dashlane had used a pet’s name, 23% had used number sequences, 22% a family member’s name and 21% a birth date.
That’s what not to do when making up a password, security experts say.
So what should you do instead?
Passwords should be at least 10 characters, difficult to guess, and different for every website, said Paul Vixie, founder and chief executive officer of security company Farsight. “The most important advice I can give consumers is to stop writing passwords down, and never use the same password twice,” he said.
Don’t think you have the mental power to do that? There’s an easy solution: The password manager.
The majority of security experts — including Vixie — recommend using such a service. Password managers use one master password for login and then create and remember a different password for each of your accounts — but users only have to remember the one master password.
What’s more, using a different password for every account puts you at lower risk if any site you use is breached, said Sandor Palfy, CTO of identity and access management at LogMeIn, which purchased password manager LastPass in 2015 and obviously has a vested interest in the service.
“Creating these long random passwords will more or less guarantee you more safety in the case of a breach of a third-party website,” he said. “If you create these unique, long, hard passwords for every single site that you use if even one is breached it will not impact your other accounts.”
Here’s how to get started:
Choose one secure password manager
When it comes to password security, Vixie said, often the bigger the password manager company, the better the security: major names include LastPass, 1Password, Dashlane, Keeper, and Password Boss. After breaches of some password managers, consumers have been skeptical of using the services, but Vixie said it is better than any alternative. “Even a bad password manager is probably better than no password manager,” he said.
Many password managers offer a free basic service and then charge customers to use the app on multiple browsers or devices. People who still aren’t sold on using a password manager service could opt instead for a password-protected, encrypted spreadsheet in Microsoft Excel, Vixie said. Writing passwords down on paper still isn’t advised.
Choose a master password
The first step to setting up a password manager is choosing a master password. This is the only password you have to remember, so it has to be easy to memorize, but long enough to be secure.
Experts suggest strings of five or six nonsensical words with some letters swapped for numbers (think ‘Ph0neC@rIceCreamMailbox5839393’) rather than memorable words or even strings of unrelated characters. Some password attacks work by repeatedly trying words from the English dictionary until one succeeds, so never use plain English words as your password.
Always intersperse different characters and letters, or throw in characters or words from other languages, if you speak any.
There are a number of methods to creating long but memorable passwords, including phonetics or turning a sentence into a password — but the important thing is that you can never, ever forget the master password. This is no joke. You will be locked out forever if you do.
For those who may have trouble remembering a master password, password experts recommend writing down the password itself or a hint and keeping it in a safe place, like a wallet or safe deposit box.
Update your existing passwords
Once you choose and set up your master password, you can start changing the passwords on accounts you already have. The manager will generate a new password for each account, but in most cases you will have to go into each site’s settings to change the password, or visit each site with the browser extension installed. (Some experts recommend using only a desktop version of the app and not a browser plug-in, for security purposes.)
Some password managers like LastPass and 1Password allow users to sync their email accounts with the service to automatically prompt them to change passwords for which they’ve received sign-up emails in the past. Start with the most sensitive accounts first: your email and your bank account.
For each new password, managers let users choose the length and the types of characters. Palfy suggests using 20 characters for every site, if it is allowed; some sites cut user passwords off at a shorter length. Including more characters and numbers is also beneficial for security, he said.
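As an added example (not code from the article or from any of the password managers it names), the Python below puts numbers on the two recommendations above: a master passphrase of five or six words, and a 20-character random password per site. It draws words and characters from a cryptographically secure random source and compares the entropy of each shape; the word list is a constructed stand-in, and the 7,776-entry size is an assumption standing in for a full passphrase word list.

```python
import math
import secrets
import string

# Constructed stand-in word list for the demo; a full passphrase list is far
# larger (7,776 entries is assumed below when computing real-world entropy).
WORDLIST = ["phone", "car", "icecream", "mailbox", "lantern", "river",
            "copper", "window", "saddle", "velvet", "thunder", "pickle"]

# Printable ASCII letters, digits and punctuation: 94 symbols in total.
SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def master_passphrase(words=6, wordlist=WORDLIST):
    """Pick `words` words uniformly at random with a CSPRNG (the 5-6 word advice)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def site_password(length=20, alphabet=SITE_ALPHABET):
    """Per-site random password of the suggested 20 characters, never reused."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, picks):
    """Entropy, in bits, of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def is_dictionary_word(password, wordlist=WORDLIST):
    """Flag the weak pattern the article warns about: a single list word."""
    return password.lower() in wordlist


def compare_policies(wordlist_size=7776):
    """Entropy of the password shapes discussed above, for side-by-side comparison."""
    return {
        "6 words from a 7,776-word list": entropy_bits(wordlist_size, 6),
        "10 random printable characters": entropy_bits(len(SITE_ALPHABET), 10),
        "20 random printable characters": entropy_bits(len(SITE_ALPHABET), 20),
        "1 dictionary word": entropy_bits(wordlist_size, 1),
    }


if __name__ == "__main__":
    print("master:", master_passphrase())
    print("site:  ", site_password())
    for shape, bits in compare_policies().items():
        print(f"{shape}: {bits:.1f} bits")
```

The comparison shows why the advice is consistent: six random words from a large list carry more entropy than a 10-character random string, and a single dictionary word carries almost none, while a 20-character random per-site password is stronger than either.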
Turn on two-factor authentication
In addition to using a password manager, it is important to use two-factor authentication, a form of security in which users can only access a site by also typing in a code retrieved from another device, like a phone, which presumably only the user has access to.
Most password managers allow you to set up two-factor authentication on the manager itself, and you can use two-factor for many of the sites you use on a daily basis as well, including Gmail, Instagram, Facebook, Twitter, and more. The website Turn It On: The Ultimate Guide to Two-Factor Authentication allows users to search for any site they log into to see if it offers the feature.