Do’s and Don’ts to Improve Password Best Practices
If you and your family are spending more time online working from home or attending virtual classes, it may be a good time to think about password security. Consider these Do’s and Don’ts to improve your password best practices.
Do’s:
- Do choose a password with a minimum of 8 characters - Experts advise choosing a password with at least eight characters consisting of a combination of upper and lower case letters, numbers, and symbols. It should be noted that 8 characters is a great starting point, but longer logins are typically considered more secure.
- Do consider using a passphrase made up of multiple words - It’s best to use a passphrase, such as the line of a song that other people would not associate with you. Other ideas are a quote from a movie, speech or book, a series of words that are meaningful only to you, or an abbreviation from the first letter of each word in a sentence.
- Do create a unique password for each account - Experts advise to always set a unique and strong password for each website and account. That way, if there is a data breach compromising the login credentials for one account, it won’t necessarily affect all other accounts. This is because cybercriminals can use a single stolen password to break into other accounts that use the same password through automated login attempts.
- Do change a password after a data breach - If an account username or password has been compromised during a data breach or other hack, experts advise changing the password on that account immediately. If the same password is used on any other accounts, it’s advised to change those as well, and create a new, strong password for each and every account.
- Do consider using two-factor authentication - It’s a good idea to enable two-factor authentication to protect an account, when it is available. With two-factor authentication, a thief will likely be unable to log in to an account—even if they have the correct password—because they would not have access to the numeric code that the company texts or sends to the legitimate account holder.
- Do safeguard your passwords - One of the challenges of creating a unique password for each account is remembering them. If you must write down passwords, experts advise encrypting them in a way that makes them indecipherable by others. It’s recommended to safely store any written passwords, such as in a locked drawer or cabinet. Another alternative is to use a password manager. It’s advised to read reviews or seek personal recommendations before choosing a password manager or password vault.
Don’ts:
- Don’t use personal details - Experts advise against creating passwords using personal details that someone could learn from social media or through a casual conversation. These could include: your real name, username, business name, family member or pet names, family birthdays, favorite sports teams, nicknames, anniversaries, street names, or any other personal information.
- Don’t use common words - It’s recommended to steer clear of common words and phrases, like "password" and "mypassword," and predictable phrases, like "thequickbrownfox." The U.S. Cybersecurity and Infrastructure Security Agency (CISA) notes that passwords using common words may be vulnerable to dictionary attacks, which guess passwords based on known words. The CISA advises that a common dictionary word can be changed to a unique password; for example, the password "hoops" could be personalized instead to "Il!2pBb" for "[I] [l]ike [!] [2]to [p]lay [B]asket[b]all."
- Don’t use numerical sequences - It’s best to avoid numerical sequences, including ascending or descending numbers (such as 4321 or 12345), duplicate numbers (such as 1111), or recognizable keypad patterns (such as 14789 or 2580).
- Don’t reuse passwords or modify a root password - Experts say it’s best never to reuse the same password across multiple websites or accounts. It’s also advised not to modify a root password by simply adding a prefix or suffix (for example, PasswordOne, PasswordTwo).
- Don’t disclose passwords - It’s recommended to never disclose passwords to another person. If you think that someone else may know your password, change it immediately. It’s advised not to send passwords by email, as a reputable company or individual would likely not request this action.
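As an added example (not from the article or from CISA), the Python checker below turns the Do’s and Don’ts above into rules a signup form or password manager could enforce: minimum length, mixed character classes, a common-word blocklist, personal details, numeric and keypad sequences, and reuse or prefix/suffix tweaks of an earlier password. The blocklist, keypad lines and the `personal`/`previous` inputs are constructed stand-ins for real data.

```python
import re

MIN_LENGTH = 8
# Constructed stand-in for a real common-password blocklist (words the article names).
COMMON_WORDS = {"password", "mypassword", "thequickbrownfox", "hoops"}
# Straight lines on a phone keypad; the article cites 14789 and 2580 as examples.
KEYPAD_LINES = ("123", "456", "789", "147", "258", "369", "2580")


def is_numeric_sequence(run: str) -> bool:
    """True for digits that ascend/descend (4321, 12345), repeat (1111) or walk a keypad line."""
    steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
    if steps in ({1}, {-1}, {0}):
        return True
    # Keypad walk: every adjacent pair must sit next to each other on one keypad line.
    return all(
        any(a + b in line or a + b in line[::-1] for line in KEYPAD_LINES)
        for a, b in zip(run, run[1:])
    )


def shares_root(new: str, old: str, min_root: int = 6) -> bool:
    """True when new is old with only a prefix or suffix swapped (PasswordOne vs PasswordTwo)."""
    n = min(len(new), len(old))
    prefix = 0
    while prefix < n and new[prefix] == old[prefix]:
        prefix += 1
    suffix = 0
    while suffix < n - prefix and new[-1 - suffix] == old[-1 - suffix]:
        suffix += 1
    return prefix + suffix >= min_root


def check_password(pw: str, personal: tuple = (), previous: tuple = ()) -> list:
    """Return the article's rules that pw violates (empty list = passes); personal = names/dates."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    kinds = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if not all(any(k(c) for c in pw) for k in kinds):
        problems.append("missing upper, lower, digit or symbol")
    low = pw.lower()
    if low in COMMON_WORDS:
        problems.append("common word or phrase")
    if any(len(t) >= 3 and t.lower() in low for t in personal):
        problems.append("contains personal detail")
    if any(is_numeric_sequence(m.group()) for m in re.finditer(r"\d{3,}", pw)):
        problems.append("numeric sequence or keypad pattern")
    if pw in previous:
        problems.append("reused password")
    elif any(shares_root(pw, old) for old in previous):
        problems.append("old password with prefix/suffix changed")
    return problems
```

Note that the article’s own CISA-style example "Il!2pBb" is reported as too short, since it has seven characters against the eight-character minimum the article recommends.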
Additional Resources
- The CISA provides additional information on Choosing and Protecting Passwords.
- The Federal Trade Commission (FTC) provides the IdentityTheft.gov website as a resource to help individuals report identity theft and create a recovery plan.