Avoid this $16 billion headache in 2018

  • 15.4 million people were victims of identity theft in 2016.
  • Consumers lost $16 billion due to fraudsters.

As you wrap up your year-end finances, don't forget to take a few minutes to change all of your passwords.

The holiday season is a bonanza for fraudsters who are plucking customers' personal and financial data as they shop online. Last year, 15.4 million people were victims of identity theft, resulting in $16 billion of losses, according to Javelin Strategy & Research.

Scammers fatten their wallets at your expense, using your credit card or sign-in credentials at a merchant's website to snap up goods and then sell them on the secondary market. Thieves also often use credentials compromised in one breach to try to crack other accounts.

You can avoid this by making timely updates of all of your account passwords, including the credentials you use to access your investment and banking accounts.

"Normally, the best practice would be to update your passwords every four months," said Michelle Jacko, CEO of Core Compliance & Legal Services, a compliance consulting firm for broker-dealers and other financial services companies.

"If that's too frequent, then once a year is fantastic," she said.

Here are some suggestions for creating an effective password and remembering it.

10: The magic number

It takes just 15 minutes for a code-breaking program to figure out an eight-character password.

Consumers should aim to have 10 to 12 characters in their sign-in credentials, said Jacko.

"We find that it's not the complexity of the password, but the length that's driving the protection right now," she said. "Ten is the magic number."

Complexity

Your password should be easy for you to remember, but hard for scammers to figure out. Your child's name, for instance, is probably too simplistic a password.

Instead, use a combination of numbers, capital letters and symbols to create your password.

If you already have sign-in credentials that are sufficiently complex, consider changing the last three digits when you update your password, Jacko said.

Use multifactor authentication, which requires you to use your mobile phone, plus your username and password, to sign in to your accounts.

Manage credentials

The worst place to store your credentials might be on a sticky note on your computer. Instead, use a password manager, such as Dashlane or Sticky Password, to store your sign-in data.

Be sure to address your sign-in credentials and password management systems when you draw up your estate plans and put in place a power of attorney. Your sign-in data need to be kept safe — especially if you end up incapacitated.

"In an ideal world, you can keep this information in a safe, but in order for heirs to get access to that safe, they'll need to go to your estate planning attorney," Jacko said.
