As a result of various data breaches over the past several years, cyber criminals now have access to billions of usernames and passwords they can use to break into internet users' various accounts.
Wired reports that more than 2.2 billion unique usernames and associated passwords, uncovered in data breaches such as those that occurred at LinkedIn, are now being shared freely among hackers around the world.
If you're still using passwords you've used for several years, it's likely that your credentials may turn up on one of those lists.
But even if your favorite password hasn't yet been compromised, that doesn't mean it's secure.
As most of us conduct more and more personal and financial business online, high-quality, secure passwords are crucial for protecting our information, identities, and finances.
One of the most common ways scammers get access to your personal data or break into your online accounts is by guessing your passwords, said Karl Mattson, chief information security officer at City National Bank.
To protect your finances and other online accounts, it's crucial to develop safe, effective passwords and protect them appropriately.
The first step toward protecting any account — whether it's your highly valuable investment account or your Amazon account — is creating an effective password, which has four crucial qualities.
The key to a strong password is length. Each password you use should be at least 12 characters long, Mattson said. “Complexity, numbers, special characters and a combination of uppercase and lowercase letters can help, but a hacker's ability to crack a password is really based on its length.”
In addition to making passwords 12 characters or longer, it can be helpful to think in terms of “passphrases” rather than passwords when developing secure credentials. “Don't use regular English,” Mattson said. Instead, combine words, numbers and symbols to make unique, lengthy password phrases.
For example, take the phrase “Myfirstdogwasblack” and add complexity by altering it to “My.F1rst.D0g.W4s.Bl4ck.”
When you've come up with a strong, difficult-to-guess password that you can personally remember, it's tempting to use the same one over and over on your various online accounts.
But that's not a good idea, given the frequency of data breaches.
"It's important to have a unique password for every account and service — particularly for online banking," said Laurie Pezzente, chief security officer at RBC. "Cybercriminals will steal or purchase stolen passwords since they know many people reuse passwords on multiple websites. They will typically attempt to use those stolen passwords on online banking sites."
When a password has been compromised on one site, it's open to attack on any other site where it's used.
“Once a breach happens, you should consider your username and password combination for that site to be compromised forever, because that data will be available to hackers forever,” Mattson said.
It's also tempting to keep using the same password for years, unless your bank or other vendor requires you to change it on a regular basis.
But don't give in to that temptation. The most secure passwords are those that are regularly updated.
However, you don't have to update every password on the same schedule: Mattson recommends rotating passwords for critically sensitive sites (such as online banking or investment accounts) every 90 days. For less sensitive sites, such as Netflix or Hulu, rotate about once a year.
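The length, uniqueness and rotation rules above can be checked mechanically over a list of your own accounts. The following is an added example, not part of the original article; the entry fields, tier names (`high`, `low`) and sample inventory are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from datetime import date

MIN_LENGTH = 12                           # minimum length given in the article
MAX_AGE_DAYS = {"high": 90, "low": 365}   # rotation schedule given in the article

def fingerprint(password: str) -> str:
    # Digest used only to group identical passwords in memory,
    # so the audit never prints or compares plaintext directly.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def audit(entries, today):
    """Return {site: [findings]} for every entry that breaks a rule."""
    sites_by_fp = defaultdict(list)
    for e in entries:
        sites_by_fp[fingerprint(e["password"])].append(e["site"])

    findings = defaultdict(list)
    for e in entries:
        site = e["site"]
        # Rule 1: at least 12 characters.
        if len(e["password"]) < MIN_LENGTH:
            findings[site].append("too_short")
        # Rule 2: unique per account (no other site shares the digest).
        others = [s for s in sites_by_fp[fingerprint(e["password"])] if s != site]
        if others:
            findings[site].append("reused_with:" + ",".join(sorted(others)))
        # Rule 3: rotated within the window for the account's sensitivity tier.
        age = (today - e["changed"]).days
        if age > MAX_AGE_DAYS[e["tier"]]:
            findings[site].append(f"stale:{age}d")
    return dict(findings)

# Constructed sample inventory (hypothetical sites and passwords).
SAMPLE = [
    {"site": "bank.example", "tier": "high",
     "password": "Tr4in.Yell0w.Lamp.R1ver", "changed": date(2024, 1, 10)},
    {"site": "broker.example", "tier": "high",
     "password": "C0ffee!Maple!Orbit!92", "changed": date(2024, 4, 15)},
    {"site": "video.example", "tier": "low",
     "password": "sunshine1", "changed": date(2023, 9, 1)},
    {"site": "shop.example", "tier": "low",
     "password": "sunshine1", "changed": date(2022, 12, 1)},
]

if __name__ == "__main__":
    for site, issues in audit(SAMPLE, date(2024, 6, 1)).items():
        print(site, issues)
```

Accounts that pass all three checks, such as `broker.example` in the sample, do not appear in the result.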
With so many requirements, it may feel overwhelming to remember each of your passwords for all of your accounts. Fortunately, online password management tools simplify the process for keeping lengthy, difficult and unique passwords for each online account.
If you're having to remember and keep up with all your passwords on all your accounts, it's almost impossible to have a highly unique, difficult-to-guess password for each one.
But just as technology allows us to manage all these different accounts online, it can also help us securely keep up with all those passwords.
Password managers such as LastPass, Dashlane, 1Password and KeePass charge minimal fees (approximately $20 to $40 per year) to keep track of all your passwords. These tools help you develop simple and secure passwords and remember them all for you so that you don't have to keep up with them.
“Password managers don't necessarily add to the security of your passwords, but they do allow you to use different passwords more functionally,” Mattson said. “They are typically a safe place to keep your passwords, but they don't help you change passwords on a regular basis - so you have to do that yourself.”
Your internet browser may be an easy place to store passwords for free—but Mattson said it isn't as safe as a password manager.
Developing strong, secure passwords and rotating them on a regular basis can help protect your accounts, but as technology has evolved, there are now even more tools to provide additional protection.
One of those tools is multi-factor authentication, which requires users to present two or more types of evidence to gain access to a site or network. That may mean inputting a password as well as a code sent to your mobile phone.
“If you're using multi-factor authentication, breaking into your online account is extremely difficult,” Mattson said.
It can be cumbersome to use multi-factor authentication with every single site you log into, but it is highly recommended for any site that offers a two-factor option. That includes banking, investment and credit card sites, as well as sites where you pay taxes or other bills.
You may also include two-factor authentication for your social media sites to help prevent identity theft. If you own a business, it also helps prevent hacking of the business pages that you manage through your personal accounts.
Another evolution in security for online accounts is the addition of biometric logins, such as the ability to log in using your fingerprint (touch ID) or facial recognition, rather than a password.
“Touch ID and facial recognition are orders of magnitude more secure than any human-created password,” Mattson said. “That biometric and personal information never leaves your phone.”
Biometric logins are more accessible via mobile apps than while using a computer, but if you want to implement touch ID or facial recognition, growing numbers of companies are allowing users to log into sites on their computers by using their smartphones for authentication.
Mattson recommends opting for biometric logins whenever possible, and predicts that passwords will become far less important as facial recognition and touch ID credentials become more widely used.
If you think you may have compromised passwords, report your experience to your financial institutions and immediately update all of your passwords.
This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.