The Guide to Creating Highly Protected Passwords & Accounts
As a result of various data breaches over the past several years, cyber criminals now have access to billions of usernames and passwords they can use to break into internet users' various accounts.
Wired reports that more than 2.2 billion unique usernames and associated passwords, uncovered in data breaches such as those that occurred at LinkedIn, are now being shared freely among hackers around the world.
If you're still using passwords you've used for several years, it's likely that your credentials may turn up on one of those lists.
But even if your favorite password hasn't yet been compromised, that doesn't mean it's secure.
As most of us conduct more and more personal and financial business online, high-quality, secure passwords are crucial for protecting our information, identities, and finances.
To protect your finances and other online accounts, it's crucial to develop safe, effective passwords and protect them appropriately.
What Makes up an Effective Password?
The first step toward protecting any account — whether it's your highly valuable investment account or your Amazon account — is creating an effective password, which has four crucial qualities.
Password Length and Difficulty
The key to a strong password is length. Each password you use should be at least 12 characters long. Complexity, numbers, special characters and a combination of uppercase and lowercase letters can help, but a hacker's ability to crack a password is really based on its length.
Use Passphrases Instead of Passwords
In addition to making passwords 12 characters or longer, it can be helpful to think in terms of “passphrases” rather than passwords when developing secure credentials. Don't use regular English. Instead, combine words, numbers and symbols to make unique, lengthy password phrases.
For example, take the phrase “Myfirstdogwasblack” and add complexity by altering it to “My.F1rst.D0g.W4s.Bl4ck.”
Utilize Special Symbols
Memorize a complex string of symbols, such as &)#@*@*, and incorporate them into longer, phrase-based passwords, sometimes at the beginning, sometimes at the end.
"I am very paranoid about information security, particularly password security. I've been in this field for 30 years and I've never seen so many breaches," said Silka Gonzalez, president of Enterprise Risk Management (ERM), a leading cybersecurity consulting firm headquartered in Miami.
Do not write down your passwords or put them in an electronic file, Gonzalez advised.
She memorizes her passwords with her own system of mnemonic devices. A numeral or symbol can stand in for a letter: A "3" might represent an "E," for instance, or a "$" might mean an "S."
When you've come up with a strong, difficult-to-guess password that you can personally remember, it's tempting to use the same one over and over on your various online accounts.
But that's not a good idea, given the frequency of data breaches.
"It's important to have a unique password for every account and service — particularly for online banking," said Laurie Pezzente, chief security officer at RBC. "Cybercriminals will steal or purchase stolen passwords since they know many people reuse passwords on multiple websites. They will typically attempt to use those stolen passwords on online banking sites."
When a password has been compromised on one site, it's open to attack on any other site where it's used.
Once a breach happens, you should consider your username and password combination for that site to be compromised forever, because that data will be available to hackers forever.
Update Passwords Regularly
It's also tempting to keep using the same password for years, unless your bank or other vendor requires you to change it on a regular basis.
But don't give in to that temptation. The most secure passwords are those that are regularly updated.
However, you don't have to update every password on the same schedule: Rotate passwords for critically sensitive sites (such as online banking or investment accounts) every 90 days. For less sensitive sites, such as Netflix or Hulu, rotate about once a year.
With so many requirements, it may feel overwhelming to remember each of your passwords for all of your accounts. Fortunately, online password management tools simplify the process for keeping lengthy, difficult and unique passwords for each online account.
Use Password Managers
If you're having to remember and keep up with all your passwords on all your accounts, it's almost impossible to have a highly unique, difficult-to-guess password for each one.
But just as technology allows us to manage all these different accounts online, it can also help us securely keep up with all those passwords.
Password managers such as LastPass, Dashlane, 1Password and KeePass charge minimal fees (approximately $20 to $40 per year) to keep track of all your passwords. These tools help you develop simple and secure passwords and remember them all for you so that you don't have to keep up with them.
Password managers don't necessarily add to the security of your passwords, but they do allow you to use different passwords more functionally. They are typically a safe place to keep your passwords, but they don't help you change passwords on a regular basis, so you have to do that yourself.
Your internet browser may be an easy place to store passwords for free—but it isn't as safe as a password manager.
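The three rules given above (at least 12 characters, a unique password for every account, and rotation every 90 days for critical sites or about once a year for others) can be checked mechanically against a list of stored credentials. The following Python audit is an added example, not part of the original article; the record fields, tier names and sample entries are constructed for illustration and do not follow any particular password manager's export format.

```python
import hashlib
from datetime import date

MIN_LENGTH = 12                                  # minimum length the article recommends
ROTATION_DAYS = {"critical": 90, "normal": 365}  # the article's rotation schedule

# Constructed sample records; field names are assumptions, not a real export format.
SAMPLE_VAULT = [
    {"site": "bank.example", "tier": "critical",
     "password": "My.F1rst.D0g.W4s.Bl4ck.", "changed": date(2024, 1, 10)},
    {"site": "broker.example", "tier": "critical",
     "password": "&)#@*@*Tall.Gr33n.Tr33s", "changed": date(2024, 5, 20)},
    {"site": "video.example", "tier": "normal",
     "password": "sunshine1", "changed": date(2023, 2, 1)},
    {"site": "shop.example", "tier": "normal",
     "password": "My.F1rst.D0g.W4s.Bl4ck.", "changed": date(2024, 4, 2)},
]

def _digest(password):
    # In-memory grouping key only, so reuse is found without printing plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def audit_vault(entries, today):
    """Return {site: [findings]} for entries that break any of the three rules."""
    sites_by_digest = {}
    for e in entries:
        sites_by_digest.setdefault(_digest(e["password"]), []).append(e["site"])

    findings = {}
    for e in entries:
        issues = []
        if len(e["password"]) < MIN_LENGTH:
            issues.append(f"too short ({len(e['password'])} < {MIN_LENGTH})")
        others = [s for s in sites_by_digest[_digest(e["password"])] if s != e["site"]]
        if others:
            issues.append("reused on " + ", ".join(sorted(others)))
        age = (today - e["changed"]).days
        limit = ROTATION_DAYS[e["tier"]]
        if age > limit:
            issues.append(f"rotation overdue ({age} days > {limit})")
        if issues:
            findings[e["site"]] = issues
    return findings

if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT, date(2024, 6, 1)).items():
        print(f"{site}: {'; '.join(issues)}")
```

Note that the long passphrase on the bank account passes the length rule but is still flagged, because the same string also protects the shopping account.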
Be Careful Where You Enter Passwords
Once you have shored up your passwords, keep them secure from hackers. Never access a secure site, such as your bank or brokerage, through an email that purports to be from that institution – even if it displays the proper logo.
Scammers often go after passwords through email “phishing” schemes that ask you to log in and deal with some issue. Then they capture the password you enter into what is actually their fraudulent site.
Passwords are just the first line of defense. If a site offers additional security features, such as secondary or two-factor authentication, enable them. Then when you enter your password, you will receive a text message with a one-time code that you must enter before you can log in.
Protection Beyond Passwords
Developing strong, secure passwords and rotating them on a regular basis can help protect your accounts, but as technology has evolved, there are now even more tools to provide additional protection.
One of those tools is multi-factor authentication, which requires users to present two or more types of evidence to gain access to a site or network. That may mean inputting a password as well as a code sent to your mobile phone.
It can be cumbersome to use multi-factor authentication with every single site you log into, but it is highly recommended for any site that offers a two-factor option. That includes banking, investment and credit card sites, as well as sites where you pay taxes or other bills.
You may also include two-factor authentication for your social media sites to help prevent identity theft. If you own a business, it also helps prevent hacking of the business pages that you manage through your personal accounts.
Another evolution in security for online accounts is the addition of biometric logins, such as the ability to log in using your fingerprint (touch ID) or facial recognition, rather than a password.
Touch ID and facial recognition are orders of magnitude more secure than any human-created password. That biometric and personal information never leaves your phone.
Biometric logins are more accessible via mobile apps than while using a computer, but if you want to implement touch ID or facial recognition, growing numbers of companies are allowing users to log into sites on their computers by using their smartphones for authentication.
Opt for biometric logins whenever possible, and predicts that passwords will become far less important as facial recognition and touch ID credentials become more widely used.
Keep Your Accounts Secure
If you think you may have compromised passwords, report your experience to your financial institutions and immediately update all of your passwords.
This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.