WASHINGTON—We’ve all seen the guidelines: Eight or more characters. Eight or more characters, one of which must be a number. Eight characters exactly, containing at least one capital letter, one or more numbers and one or more special characters (like a dollar sign or exclamation point). The specs are growing more complicated as security concerns increase.
But few people can remember dozens of unique passwords without writing them down. Most will admit to having a cheat sheet somewhere—perhaps hidden in a notebook in their desk, tucked away on a Post-it under their keyboard, or stored somewhere as a virtual note on their cell phone.
The truth remains that even though users may believe their passwords are hidden, they’re not as safe as they could be. And that means they’re vulnerable, leaving Americans and their personal information at risk.
The National Cyber Security Alliance aims to teach us safe Internet use and how to maintain a secure digital presence in our personal and professional lives. NCSA runs a series of campaigns to generate awareness about the importance of building up online defenses, to protect identities as well as bank accounts.
Online theft and hacking schemes are growing in sophistication, and users don’t know how to adequately defend themselves, according to Kristin Judge, program lead for NCSA’s Two Steps Ahead campaign. “Everywhere I go I realize more and more people are looking for help because they want to know how to be safer.”
Remembering three or four passwords was the norm up until a few years ago, “but now people have dozens, and it’s impossible to remember that many,” Judge said. And yet we tend to rely on keeping a “favorite” password across several accounts, which Judge said is downright dangerous. The only solution is to modernize your defenses.
And there’s a great new way to protect yourself, Judge said. It’s called two-factor authentication, and it’s popping up all over the place—on Facebook, Twitter, PayPal, LinkedIn and even Gmail—although most Americans haven’t noticed.
That’s because it’s an optional function. “You have to opt in and sync with your phone, but most users don’t seem to know about it,” Judge said.
Two-factor authentication is simple. Every time a user logs in with his password, he must also provide a six-digit code that has been automatically sent to his phone. That code is good for up to five minutes, which Judge said helps her feel more secure: “I feel really comfortable knowing that no one else can get into my account without that six-digit code.”
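The flow described above, as an added example (not code from the article or from NCSA): the service issues a six-digit code, accepts it for five minutes, and invalidates it after a single use. Delivery to the phone is stubbed out, and the cap on wrong guesses is an assumption added here so the million-code space cannot simply be exhausted.

```python
"""Server side of a six-digit, five-minute one-time code (added example)."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
VALIDITY_SECONDS = 5 * 60   # "good for up to five minutes"
MAX_ATTEMPTS = 5            # assumption: limit guesses per issued code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and verifies single-use codes, one pending code per user."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for testing
        self._pending: dict[str, PendingCode] = {}

    def issue(self, user: str) -> str:
        # CSPRNG output, zero-padded so a code such as "000123" is valid
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(code, self._clock())
        return code  # a real service sends this to the phone, not the caller

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        expired = self._clock() - entry.issued_at > VALIDITY_SECONDS
        if expired or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # stale or over-guessed: discard
            return False
        entry.attempts += 1
        # constant-time compare so timing does not reveal matching digits
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self._pending[user]          # single use: a replay fails
            return True
        return False
```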
As part of the Two Steps Ahead campaign, Judge is working to get the word out on two-factor authentication, its ease of use and the added security it provides. According to Judge, “it really is one of the best ways we have to keep our accounts safe right now.”
But there is another method, which Judge said she recently started using herself: an online password manager.
“They’re not necessarily intuitive so it’s going to take some commitment on the user’s part,” Judge said, admitting that it took her a few hours to set one up for her family. But online password managers offer unparalleled protection by way of double encryption, she explained.
Password managers like LastPass and 1Password are subscription-based and cost anywhere from $10 to $50, meaning there’s some financial commitment as well. But they’re becoming more common, Judge said, because they make password memorization and cheat sheets obsolete. The user creates a central account with one main password, needed to unlock a password vault. Once logged in, the user gains access to all of his password-protected websites because he has saved each site’s unique password during the initial set-up. This is a “once-and-done” step, Judge said: “You just remember the one password, get into the vault, and you’re in!”
If online password managers seem intimidating, Judge has a quick tip that even the least tech-savvy user can use to boost their security: “Just make some time, and take the passwords you have and make them stronger,” Judge said. “Consider adding an extra letter or two” to each account. Maybe add a “g” at the end of a Gmail password, or a “p” at the end of a PayPal password. “I still have my [core] phrase which I haven’t written down, but I add those extra letters to make sure each password is just a little bit different,” Judge said.
And if you need to write them down, you should, she said. But never store passwords near a computer, or anywhere prying eyes can find them.