
'These 9 biggest password mistakes will get you in trouble,' warns fraud expert and ex-con artist


For more than 45 years, I've worked with, advised and consulted with the FBI and hundreds of financial institutions, corporations and government agencies around the world to help them in their fight against fraud.

But my expertise began more than 50 years ago, in an unusual way: I was one of the world's most famous con artists. While I'm ashamed of what I did as a young man — cheating, stealing and, along the way, deceiving and hurting people — I was grateful for the opportunity to turn myself around.

My story, which is depicted in my 1980 memoir, "Catch Me If You Can," gave me a wider audience to talk about identity theft protection — and one of the most important topics in fraud protection, which I discuss in my new book, "Scam Me If You Can," is about passwords.

We need to get rid of passwords

We think our passwords keep us safe, but that's just a fantasy. They don't protect us from hackers or maintain the privacy of our online information.

Look around at the technology that surrounds you today — iPhones, online banking and shopping, Google, smart TVs — none of them were invented in the 1960s. Yet usernames and passwords, the most prevalent security mechanisms still used, were invented in 1963, more than half a century ago.

The inventor of the computer password, Fernando Corbató (who passed away this year at 93), said himself that "passwords have become kind of a nightmare with the World Wide Web."

In 2016, Michael Chertoff, who served as secretary of Homeland Security from 2005 to 2009, echoed Corbató's views. "A closer examination of major breaches reveals a common theme: in every 'major headline' breach, the attack vector has been the common password," he told CNBC.

"The reason is simple," Chertoff continued. "The password is by far the weakest link in cybersecurity. By making their replacement a national priority, the government can really rally both industry and agencies to adopt stronger solutions that make password-driven breaches a thing of the past."

Biggest password mistakes people make today

Chertoff is right, and I agree that the next step is to rid ourselves of passwords. In the meantime, there are ways to prevent your account information from getting stolen.

Below are some of the biggest password mistakes people make, and you should avoid them at all costs:

1. Changing them too often. Frequent password changes are counterproductive, as people tend to swap out one password for another frequently used one. Changed passwords may also be forgotten, and they can be stolen just as easily as passwords that are changed infrequently.

2. Making them too complex. Keep your passwords simple, but be smart about it. Studies that look at arbitrary password complexity requirements (e.g., ones that call for symbols and uppercase and lowercase letters) repeatedly find that these kinds of restrictions result in less secure passwords.

3. Not screening them. The National Institute of Standards and Technology highly recommends comparing your password against lists of commonly used or known compromised ones. Enzoic.com and Passwordrandom.com are two examples of websites that offer these password screening tools.

4. Recycling the same ones. Reusing the same password across multiple websites is especially dangerous for email, banking and social media accounts. Even if you haven't used them in years, once they get stolen, they can be used to access many different websites.

5. Being too familiar. Don't use the following in passwords or answers to website security questions: loved ones' names (pets included), maiden names, hometowns, birthdays, wedding dates or anything else that can be gleaned with some online research.

6. "Remembering" them on a device. Never use the "save" or "remember me" options on a public computer. The next user could easily access your account.

7. Using common, easily guessed passwords. Stay away from these especially: "123456," "qwerty" and "password." Many hackers set on stealing your information still use plain guessing as a point of entry. Instead, think of something complex, yet memorable and personal to you. For example, "70YrS@n%styll%LUVN^life!" could mean "70 years and still loving life!"

8. Not password-protecting your mobile device. Believe it or not, 52% of people are guilty of this. When setting your device password, it's smart to avoid common choices like "1234," "0000," "2580" (a top-to-bottom sequence) or "5683" (which spells "love").

9. Storing a password list on your computer. A password cheat sheet is fine, as long as it's not stored on your computer or smartphone; if you do that and your device is infected with malware, you're doomed. A pen-and-paper reminder, kept in a safe place, is better. Ideally, it will consist of hints rather than actual passwords.
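As an added example (not from the article or its author), here is a small Python screening check that applies mistakes 3, 5, 7 and 8 above: it hashes the candidate and looks it up in a compromised-password list, rejects anything containing personal details an attacker could research, and flags the common or sequential device PINs named above. The compromised list here is a constructed stand-in of a few entries; a real deployment would load a breach-derived corpus such as those offered by the screening services mentioned in point 3.

```python
import hashlib

# Constructed stand-in for the "commonly used / known compromised" lists the
# article recommends screening against. Held as SHA-1 hashes so the screening
# code never has to keep the plaintext list around.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "qwerty", "password", "letmein", "iloveyou")
}

# Mistake 8: device PINs the article lists as common choices.
COMMON_PINS = {"1234", "0000", "2580", "5683"}


def _is_sequential(digits: str) -> bool:
    """True for keypad runs such as 1234, 4321 or 7777 (every step identical)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1


def screen_password(password: str, personal: tuple = ()) -> list:
    """Return the problems found; an empty list means the password passed.

    `personal` holds details that can be gleaned with some online research
    (mistake 5): loved ones' and pets' names, hometown, birthday, wedding date.
    """
    problems = []
    # Mistakes 3 and 7: is it on a compromised / commonly used list?
    if hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_SHA1:
        problems.append("appears in a compromised/common password list")
    # Mistake 5: does it embed something personal (case- and space-insensitive)?
    lowered = password.lower().replace(" ", "")
    for detail in personal:
        d = detail.lower().replace(" ", "")
        if len(d) >= 3 and d in lowered:
            problems.append(f"contains personal detail: {detail}")
    # Mistake 8: numeric device PINs that are common or simple sequences.
    if password.isdigit() and (password in COMMON_PINS or _is_sequential(password)):
        problems.append("common or sequential numeric PIN")
    return problems
```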

The cost of doing nothing

Over the years, I've learned that change — even good change — takes time. But it also takes willpower.

I dread thinking about what will happen if the industry doesn't heed the call to move away from passwords. We must act now. When cyber-criminals breach a database with usernames and passwords, they are after something: the identity of the user.

With the identity and the credentials to accounts, they get something that is "fenceable" on the dark web. They can convert these identities to cash or cryptocurrencies like bitcoin. Once an identity has been sold, the money is used mostly for illicit purposes. These funds are used in additional crimes — far worse than stealing money.

Let's not allow the bad guys to win. As the great parliamentarian Edmund Burke is believed to have said, "The only thing necessary for the triumph of evil is for good men to do nothing."

Frank Abagnale is a former professional impostor and the author of the best-selling memoir, "Catch Me If You Can." He is one of the world's most respected authorities on the subjects of fraud, forgery and cyber security. Trusted by the FBI for more than four decades, Frank also lectures at the FBI's Academy and field offices. His newest book, "Scam Me If You Can," offers simple strategies for outsmarting today's rip-off artists.
