If the scary Internet security bug Heartbleed has taught us anything, it’s that none of our passwords are ever truly safe.
Discovered only a few weeks ago, Heartbleed is the code name for a gaping hole in a commonly used security protocol that’s supposed to protect passwords, credit card numbers, and other sensitive data submitted through a web page.
Some of the biggest web sites on the planet—think Google, Yahoo, Pinterest, and more—may have been vulnerable to Heartbleed, and most have raced to beef up their security.
Unfortunately, it’s possible that hackers have already scooped up a generous portion of exposed passwords. (And before you scramble to your PC, security experts warn that you shouldn’t bother changing your password for a given site until you’re sure they’ve patched the security hole.)
So, what can you do to keep bad guys from stealing your passwords with help from the next Heartbleed? (And yes, there will eventually be another bug or virus that takes Heartbleed’s place in the headlines.)
Well, like wearing a seat belt in a car, there are plenty of measures you can take to greatly reduce—but (as Heartbleed proves) not eliminate—the odds of your Internet accounts getting hijacked by hackers.
Nope, there’s no such thing as bulletproof Internet security—but there’s no guarantee a seat belt will save your life in a car crash, and you still buckle up, right? (Right??)
Here are five things you should do to keep your passwords (relatively) safe, starting with…
1. Get a password manager
Sure, it’s hard to give up your old password habits and start fresh with new ones, and it’s even harder to entrust your precious passwords to an unfamiliar program.
Believe me, I know. I dragged my heels for years before finally breaking down and buying my own password manager, and I had all kinds of excuses for doing so: hackers might break into the program and steal my passwords, I didn’t have time to figure out how to use it, my passwords were probably safe anyway…etcetera, etcetera.
Well, it’s true that no password manager can possibly keep all your passwords completely safe, and yes, there’s usually a learning curve. And no one hates change more than me.
Painful though it was, I finally did take the plunge with a password manager, and I’m glad I did. No more scraps of paper with passwords scribbled on them, no more forgotten passwords, and no more “weak” passwords like “Patterson123.”
Indeed, once you pick a password manager of your own, you’ll find the following steps a whole lot easier. Take, for example…
2. Use lengthy, “strong” passwords
A password like “Patterson123” or the old, not-so-reliable “password” is easy to remember, but guessing them is a piece of cake for even the most casual hackers.
Indeed, enterprising password thieves have collected gigantic databases of stolen passwords, culling through them to figure out the most popular combinations of words, letters and numbers.
Bottom line: If there’s an identifiable word or name in your favorite password, it’s “weak.” Period. Your birthday backwards won’t cut it, either, nor will the name of the street you grew up on.
Instead, make sure your passwords are “strong”—meaning they contain (ideally) a meaningless garble of letters, numbers and symbols.
In its guide to creating strong passwords, Microsoft recommends at least eight characters, no words or real names, plenty of symbols, a combination of lower- and upper-case letters, plus a sprinkling of numbers for good measure.
Nope, strong passwords aren’t easy to remember, but they’re tough (although not impossible) to crack.
Besides, your password manager can remember—and even create—those lengthy, indecipherable passwords for you.
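As an added illustration (not code from the article or from Microsoft), here is how a password manager’s generator typically does what the guidelines above describe: it draws characters from a cryptographically secure random source rather than from anything memorable, and it checks the result against the same rules (length of at least eight, upper and lower case, digits, symbols, no dictionary word). The short word list and the symbol set below are constructed for the example; the entropy estimate shows why “lengthy” matters as much as “strong.”

```python
import math
import secrets
import string

# Character classes the guidelines call for: upper- and lower-case letters, digits, symbols.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # constructed symbol set for this example
ALL_CHARS = UPPER + LOWER + DIGITS + SYMBOLS

# A tiny constructed stand-in for the word lists that password thieves build from leaked databases.
COMMON_WORDS = {"password", "patterson", "qwerty", "letmein", "welcome"}


def meets_guidelines(password: str, min_length: int = 8) -> bool:
    """True if the password is long enough, uses all four character classes,
    and contains none of the known common words (case-insensitively)."""
    if len(password) < min_length:
        return False
    has_upper = any(c in UPPER for c in password)
    has_lower = any(c in LOWER for c in password)
    has_digit = any(c in DIGITS for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    if not (has_upper and has_lower and has_digit and has_symbol):
        return False
    lowered = password.lower()
    return not any(word in lowered for word in COMMON_WORDS)


def generate_password(length: int = 16) -> str:
    """Build a random password from the secrets module (a CSPRNG, unlike random.choice)
    and keep drawing until the result satisfies meets_guidelines()."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(ALL_CHARS) for _ in range(length))
        if meets_guidelines(candidate):
            return candidate


def estimated_bits(length: int, charset_size: int = len(ALL_CHARS)) -> float:
    """Entropy of a uniformly random password: length * log2(charset size).
    Doubling the length doubles the bits; adding a few symbols adds far less."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    for pw in ("Patterson123", "password", generate_password(16)):
        print(f"{pw!r:24} strong={meets_guidelines(pw)}")
    print("8 chars:", round(estimated_bits(8)), "bits;  16 chars:", round(estimated_bits(16)), "bits")
```

The rejection loop in `generate_password` is deliberately simple: it keeps the draw uniform over the whole alphabet instead of forcing one character per class into fixed positions, which would slightly reduce the randomness.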
3. Never use the same password twice
It is, of course, much easier to remember one password for all your accounts than it is to commit dozens of passwords to memory—and yes, for years, I was one of those one-password-for-everything people.
As you can imagine, though, using the same password for all your Internet accounts makes life incredibly easy for any hacker who manages to steal your one big password.
That’s why you need to use different passwords for each of your online accounts.
I know, I know—even more to remember, right? Again, here’s where a password manager (which, typically, will store all your passwords in a searchable database) can come to the rescue.
4. Change your passwords regularly
Like bread in a cupboard or the clothes in your wardrobe, passwords get stale over time.
No, you don’t have to change your passwords as often as the Kardashians shed wardrobes, but you should consider changing your passwords at least every six months or so—all the better to keep hackers guessing.
The best password managers can help by flagging passwords that are ripe for changing, as well as storing your old passwords in case you ever need them again.
5. Use “two-step” authentication whenever possible
So, you’ve diligently exchanged your weak passwords for strong ones, you’ve created different passwords for each of your accounts, and you’re changing your passwords every few months or so.
Does that mean your passwords are completely safe from hackers? Sadly, no.
That’s why you should consider an extra level of security for your most precious online accounts, particularly when it comes to your primary email account—you know, the one where all those “Reset your password” messages go.
Some of the biggest online services around—think Facebook, Google, Apple, and the like—have implemented something called “two-step” authentication: a method of securing a password with a secondary numeric code.
Switch on two-step authentication on Google, for example, and Google will regularly (but not always) prompt you for a six-digit code after you’ve entered your password.
This code changes every 60 seconds, and it’s sent to your phone via text message or a special “authenticator” app.
Sound like a pain? Well, it is, and I still find myself groaning whenever I need to fetch another six-digit authentication code on my iPhone.
But what’s a pain for me is even worse for a hacker, who now has an extra hoop to jump through even once s/he’s managed to snare one of my strong passwords.
Got more Internet security questions, or password tips you’d like to share? Post ’em below!