What If Everything You Think You Know About Passwords Is Wrong?


In a recent Experian survey, 25% of respondents admitted to sharing their credit card number or PIN with friends and family, and 20% said they would let a friend or family member use their personal information to help get a job or credit. Those results are startling given the relentless focus on protecting your passwords amid rising concern about hacking.

You definitely need to protect your passwords: don't share them with anyone, even close family members. Your passwords are a big part of keeping your personal information, financial details and account particulars out of the wrong hands. Verizon's 2016 Data Breach Investigations Report found that 63% of confirmed data breaches involved weak, default or stolen passwords, and that when it comes to phishing attacks, 91% of the time the criminals were after user credentials.

Hopefully those sobering stats have your attention, because it turns out that much of the rest of what you've been told about passwords is wrong.

Bill Burr, a former manager at the National Institute of Standards and Technology (NIST), recently told the Wall Street Journal that he regrets the advice he gave in 2003 when he wrote the password guidelines that many Americans came to know and follow to a T... or, rather, to a "T&0!"

That's right: Burr now says that the rules he recommended, a mix of uppercase and lowercase letters, numbers and symbols, plus a change every 90 days, make passwords harder for people to remember without making them much harder for criminals to guess. The reason is that most people apply the same handful of substitutions, and password-cracking tools try exactly those first: a 3 for an E, a $ for an S, a capital first letter, a digit or exclamation point tacked on the end. That may be part of why identity theft is on the rise, affecting 15.4 million people in 2016, up 16% from the previous year, even though many of us are dutifully swapping threes for Es and dollar signs for Ss.


So what's the new advice to protect your most personal and coveted information?

The guidelines laid out by NIST (the June 2017 revision, Special Publication 800-63B) are written for federal systems and used by IT professionals at big companies, but they hold lessons for everyone's everyday online habits:

  • Use four or five random words strung together with spaces between them. The research behind the new guidelines says your best chance of keeping a password from being cracked is length, and the easiest way to get length you can still remember is a string of a few unrelated words. The catch is that the words must be genuinely random, picked by dice, a word-list generator or a password manager, not a familiar phrase, lyric or quotation, because cracking tools try common phrases just as they try common words. Of course, as a user you're limited by what a site or financial institution requires, and some will still insist on a special character; if so, add one, as it doesn't weaken the passphrase.
  • Make your passwords easy to remember. If you can remember your passwords, you won't have to reset them all the time or leave them on Post-it notes or in notepads, which get lost or end up in the wrong hands. Infosec professionals also recommend that you never use the same password on more than one website, because passwords stolen from one site are promptly tried against others. Even those of you with great memories can't keep every site and login straight in your head, so what are the options? Password managers such as LastPass and 1Password store your logins and can generate a unique random password for each site; you then only have to memorise one strong master passphrase.
  • Don't change your passwords unless you suspect they have been exposed. It turns out that forced periodic changes push people into patterns (password1 becomes password2, Spring2017 becomes Summer2017), and a criminal who has obtained an old password can guess the new one in a few tries. There's no need to change a good password every so often just because; do change it right away if the site it protects is breached, or if you've typed it into a page that turned out to be a phishing site.
  • Use multi-factor authentication (MFA) when you can. Also commonly known as two-factor authentication, it's available on many larger sites and adds an extra step at login, most commonly a one-time code from a text message or an authenticator app. It's worth turning on wherever a site offers it, because it means someone needs more than your password to get into your account, especially from a new device. Two caveats: answering extra "security questions" is just another thing you know, not a second factor, and a code from an authenticator app or a hardware security key is stronger than a code sent by text, which can be intercepted by someone who takes over your phone number.
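To make the first bullet concrete, here is an added example (written for this article; it is not code from Experian, NIST or any password tool) that estimates how many guesses the two styles of password cost an attacker. The substitution table, the 100,000-word dictionary size, the suffix set and the 7,776-word list size are assumptions standing in for a typical cracking rule set and a standard Diceware list; the ten-word sample list is a constructed stand-in for a real one.

```python
import math
import secrets

# Constructed stand-in for a real word list. A standard Diceware list has 7776
# words, and it is the list's size, not the particular words, that sets the entropy.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "violet",
                "anchor", "pencil", "garden", "marble", "tunnel"]
DICEWARE_SIZE = 7776            # assumption: the passphrase is drawn from a list this large
DICTIONARY_SIZE = 100_000       # assumption: size of the cracker's base word list
SUFFIXES = "0123456789!@#$%^&*"  # assumption: one-character suffixes the cracker appends
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}  # assumed rules


def random_passphrase(n_words=4, words=SAMPLE_WORDS):
    """Pick n_words uniformly at random with the OS CSPRNG (not random.choice)
    and join them with spaces, as the article recommends."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words, list_size=DICEWARE_SIZE):
    """Entropy in bits of n_words chosen independently from list_size words."""
    return n_words * math.log2(list_size)


def leet_variants(word):
    """Every spelling the substitution rules can produce from word, word itself included."""
    variants = {""}
    for ch in word:
        options = [ch] + list(LEET.get(ch, ""))
        variants = {v + o for v in variants for o in options}
    return variants


def mangle(word):
    """All candidates a rule-based cracker derives from one base word:
    substitutions x optional capital first letter x optional one-character suffix."""
    out = set()
    for v in leet_variants(word):
        for cap in (v, v[:1].upper() + v[1:]):
            out.add(cap)
            for s in SUFFIXES:
                out.add(cap + s)
    return out


def mangled_bits(word, dict_size=DICTIONARY_SIZE):
    """log2 of the guesses needed to exhaust dict_size base words mangled like this one.
    Uses this word's own variant count as the per-word average, a simplification."""
    per_word = len(leet_variants(word)) * 2 * (1 + len(SUFFIXES))
    return math.log2(dict_size * per_word)


if __name__ == "__main__":
    print("sample passphrase:", random_passphrase())
    print(f"4 random Diceware words: {passphrase_bits(4):.1f} bits")
    print(f"5 random Diceware words: {passphrase_bits(5):.1f} bits")
    print(f"P@$$w0rd1 style:         {mangled_bits('password'):.1f} bits")
    print("P@$$w0rd1 is produced by the rules:", "P@$$w0rd1" in mangle("password"))
```

Four Diceware words come to about 52 bits, five to about 65, while a dictionary word with the usual substitutions, a capital and a suffix sits under 28 bits, and "P@$$w0rd1" is one of the strings the mangling rules spit out. The sample list above has only ten words, so a passphrase drawn from it would carry about 13 bits; the point of the example is the arithmetic, and a real passphrase needs a list of thousands.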

Other Ways to Protect Your Account Information

What else can you do? Be vigilant about securing your information online and offline. According to the Experian survey, 50% of people don't worry about identity theft because they think their poor credit makes them unappealing targets. But everyone's identity and personal information is valuable to someone, and cyber criminals are eager to use it.

  • Don't ignore online privacy policies - sometimes certain information is shared with third parties, and if so you can usually opt out. Check account settings and profiles to see what you're agreeing to, and if you receive a notification about a change in terms, review the details.
  • Read alerts about data breaches - if you learn that a company you do business with has been breached, review the details of its letter or other communication and take action to protect yourself after a data breach.
  • Keep an eye on account statements and your credit report to spot early warning signs of identity theft. Products like Experian IdentityWorks can help you monitor and protect your identity, so that if you suspect your identity has been stolen or you're the victim of a data breach, you can watch your credit report and receive alerts about new accounts, inquiries or increased balances.

Editorial Disclaimer: Opinions expressed here are author's alone, not those of any bank, credit card issuer or other company, and have not been reviewed, approved or otherwise endorsed by any of these entities. All information, including rates and fees, are accurate as of the date of publication.

This article was originally published on August 24, 2017, and has been updated.
