Five Password Management Best Practices to Keep You SafeDownload Case Study
Love them or hate them, passwords are often the only thing standing between attackers and your sensitive personal and financial information. Despite their importance, less than 50% of people feel very confident that their passwords are secure from compromise, according to a 2021 Security.org survey of password habits.
There’s probably a good reason many are worried about their passwords. Last year, the number of data compromises was at an all-time high — which was 23% higher than the previous record set in 2017 — and over 1.7 billion account credentials (emails and passwords) were leaked on the dark web. That means the chances are high that at least one of your passwords will be, or have been, exposed.
While you can’t prevent corporations that have your information from getting breached, you can take steps to protect yourself. We’ve put together five tips to protect your passwords. If you keep in mind these best practices, you’ll have a much better chance of keeping your passwords — and your data — secure.
Best practice #1: Use strong, unique passwords
A strong, unique password is the first line of defense against any attacker who wants your personal information.
It’s human nature to want to reuse passwords for convenience. Afterall, we are juggling dozens of online accounts. But when you use the same password across multiple accounts — and 68% of people say they do just that — it makes all the other accounts you used that same password for more vulnerable. It takes just one breach for an attacker to know the passwords to all your other accounts.
Equally important to using unique passwords is to set something that is strong — it should have a lot of variables, such as special characters, both upper and lower case letters, and numbers. This makes it very difficult for attackers to guess or memorize your passwords.
Late last year, we shared a list of the 20 most common passwords people use. Needless to say, if your password matches any of these, it’s time for a change:
Best practice #2: Use multi-factor authentication
To add an extra layer of protection to your passwords, you should set up multi-factor authentication (MFA) wherever possible. MFA is a process by which your account asks for an additional channel to confirm your identity before giving you access. This means that even if your password becomes compromised, attackers don’t automatically gain access to your account.
While MFA is often done by sending an authentication code to a text or an email, these could still be compromised. A threat actor could gain access to your email account or steal your phone number through a process called “SIM swapping,” where they get your telecommunications company to port your phone number over to another device. This is why we highly recommend an authenticator like Google Authenticator, where someone would need physical access to your device to steal your MFA token.
It’s also critical to stay on your toes and be on the lookout for authentication messages that were triggered by a phishing attack. A recent breach of the cloud communications company Twilio pushed out false MFA notifications to users of the encrypted messaging app Signal, which would have enabled attackers to impersonate the victims.
So always be suspicious of the MFA verification messages you receive, especially when you aren’t trying to log into your account. Other red flags include messages that are triggered from a different location, or sent at an odd time.
Best practice #3: Be careful what you post online
While it may not seem related, the information you post on social media could make your passwords more vulnerable.
A Lookout survey found that 26% of people have public Facebook accounts, and they frequently contain information that makes it easy for attackers to guess your passwords, like your birthday, the names of your family members, and your hometown.
To keep your accounts safe, inventory the information you’ve publicly posted online and adjust your privacy settings.
Best practice #4: Use a password manager
When it comes to password storage, 38% of people rely on their memory. Since people have an average of more than 200 logins, it’s no wonder they tend to reuse passwords.
Instead of trusting your memory, consider using a password manager like SaferPass by Lookout instead. A password manager will create unique passwords for each of your accounts, store them all in one place, and autofill them when you need to log in.
These algorithmically generated passwords are stronger than human-generated ones. And because each password is unique, if one account does end up getting breached, all the rest of your accounts will remain uncompromised.
Best practice #5: Enable breach alerts and personal identity monitoring
The only thing worse than having one of your accounts breached is having one of your accounts breached without you knowing. The longer you're unaware of an account compromise, the more damage can be done.
To immediately find out when your information has been leaked as part of a data breach, use a breach alerts and personal identity monitoring solution such as the one from Lookout. And if you do find out that your information has been part of a data breach, change your passwords immediately. Use our email scanning tool to find out if your email has been compromised and take steps to protect your personal information.
You may have very little control over what happens on the internet, but by using these five best practices, you can create a strong first line of defense against attackers attempting to steal your personal information.