Increased cyberattacks in 2022 have created a high-risk internet landscape. But for many people, hitting "refresh" on their password habits still isn't a priority.
As a cybersecurity advisor, I consistently hear stories about people getting their personal information stolen because they made a simple mistake like using the same password for multiple website logins.
After 20 years of studying online criminal behaviors, tactics, techniques and procedures, I've found that hackers love it when people make these six simple password mistakes:
More than two-thirds of Americans do this, but it only allows data breaches to remain dangerous for years after they happen.
To avoid creating a brand new password for every account, people also tend to reuse passwords with slight variations, like an extra number or symbol. But these are also easy for hackers to guess, and they're no match for software designed to quickly test iterations of your password.
What to do: Develop unique passwords for each of your accounts. While this may feel daunting, password managers can be a big help in designing and organizing your password library.
Many users only create unique passwords for accounts they believe carry sensitive information, or that have a higher likelihood of being breached, like online banking or work applications.
But even basic user information that lives on "throwaway" accounts can contain data points that fraudsters use to impersonate legitimate users. Just your email address or phone number alone can be valuable to bad actors when combined with stolen information from other breaches.
What to do: Protect all accounts — even the ones you rarely use — with one-of-a-kind passwords.
In addition to multi-factor authentication, password managers are essential technologies that can strengthen smart password habits.
These managers can help you create unique, single-use passwords and auto-fill them in the accounts they are tied to — a big leg-up on the 55% of users who manage passwords by memory alone.
Even if you accidentally click on a phishing link, your password manager can recognize the discrepancy and choose not to auto-fill.
What to do: Choose a password manager that fits your personal comfort level and technology needs. A few credible choices that are routinely well-reviewed include 1Password, Bitwarden, Dashlane and LastPass. While they all offer similar functionality, each one differs in extended features and cost.
The best passwords aren't necessarily complex, but they are hard to guess. Passwords that provide the high protection are personal to you and don't contain easily gleaned information, such as your name and birthday.
For example, strong password foundations may be a favorite song lyric or your go-to order at a restaurant.
What to do: Design passwords that are at least 12 characters long and avoid using personal information that can be easily guessed. They should also be memorable to you and contain a variety of characters and symbols.
Even the most complicated passwords can be compromised. Multi-factor authentication creates an extra layer of protection by requiring verification beyond your username and password each time you log in.
Most often, this is done through one-time passwords sent to you via SMS or email. It's an extra step, but it's well worth it — and it creates another hurdle for attackers to jump through.
What to do: There is no way to add two-factor authentication to services that don't natively offer it, but you should turn it on wherever it's supported.
It's easy to think cyberattacks won't happen to you. But given that data breaches and other cyberthreats carry a high risk of identity theft, financial loss and other severe consequences, it's best to prepare for the worst-case scenario.
As long as you're an internet user, you will always be a potential target — and apathetic password habits boost your risk level even further.
What to do: Don't assume you're safe. Keep reevaluating your password hygiene and when new authentication technologies come along, and adopt them early.
John Shier is a senior security advisor at Sophos, and has more than two decades of cybersecurity experience. He is passionate about protecting consumers and organizations from advanced threats. John has been featured in publications including Reuters, WIRED, CNN and Yahoo. Follow him on Twitter @john_shier.