Bureau Home / Consumer Tips and Information / Computers and Internet or Identity Theft / Creating Strong Passwords
This content is also available as a downloadable
fact sheet PDF.
Acceda a esta página en español.
Passwords are the first line of defense in protecting you against cyber criminals (hackers) while conducting online transactions (i.e. banking, paying bills, or making purchases). If hackers gain unauthorized access to your computer, they can view your personal information; impersonate you and send messages to your friends; change your password and block you from accessing your own account; steal your identity; or infect your files with viruses. Therefore, it is vital to pick strong passwords that are different for each of your accounts and to update your passwords regularly.
Here are some tips that will help protect your online transactions:
Use a unique password for each of your important accounts like email and online banking
Choosing the same password for each of your online accounts is like using the same key to lock your home, car and office – if a criminal gains access to one, all three are compromised and can lead to identity theft. Do not use the same password for an online newsletter that you use for your email or bank account. It may be less convenient, but picking multiple passwords keeps you safer.
Create a strong password by combining numbers, letters and symbols
Strong passwords are easy to remember but hard to guess. Make your password strong to help keep your information safe. Adding numbers, symbols and mixed-case letters makes it harder for cyber criminals or others to guess your password. Do not use obvious passwords like ‘123456’ or ‘password,’ and avoid using publicly available information like your phone number or the name of a pet, a child or another familiar person. Likewise, avoid things that can be looked up, such as your birthday or ZIP code.
Longer = stronger. Your passwords should be a minimum of 8 characters, but the longer you can make them, the harder it will be for a thief to crack your codes. While it is best to avoid using real words as part of your password, if you do, you can try substituting characters for some of the letters, e.g. $ for an S, or a zero for an O. Another way would be to insert a string of characters or numbers in the middle of a real word, thus breaking it up into two non-words.
Try using a phrase that only you know
You could start with “My friends Mary and Jack send me a funny text message every day” and then use numbers and letters to recreate it into this:
MfM&Jsmaftmed – a password with many variations that will be hard for cybercriminals to figure out. Another example would be something like
Iam:)2bH! – this has 9 characters and says “I am happy to be here!” Come up with a system to create your own passphrases. That will make it easier to create new passwords as well as help you remember them.
Adding a cell phone number
Sometimes you can add a phone number to your profile to receive a code to reset your password via text message. Having a mobile phone number on your account is one of the easiest and most reliable ways to help keep your account safe.
For example, service providers can use the phone number to challenge those who try to break into your account, and can send you a verification code so you can get into your account if you ever lose access. Your mobile phone is a more secure identification method than your recovery email address or a security question because, unlike the other two, you have physical possession of your mobile phone.
Turn on two-factor authentication if offered
Two-factor authentication is a security process in which you, the user, provide two means of identification – something you have and something you know. Something you have is typically a physical token, such as a card or a code sent to your smartphone. Something you know is something memorized, such as personal identification number (PIN) or password.
Choosing a unique security question
If you cannot or do not want to add a phone number to your account, many websites may ask you to choose a question to verify your identity in case you forget your password. If the service you are using allows you to create your own question, try to come up with a question that has an answer only you would know and is not something that you have posted about publicly or shared on social media. Try to find a way to make your answer unique but memorable – so that even if someone guesses the answer, they will not know how to enter it properly.
Set up your password recovery options and keep them up-to-date
If you forget your password or get locked out, you will need a way to get back into your account. Many services will send you an email at a recovery email address if you need to reset your password. Make sure your recovery email address is up-to-date and is an account you can still access, or have it sent by text to your mobile device.
Keep your passwords in a secret place that is not visible
Writing down your passwords is not necessarily a bad idea, but make sure you put those notes in a secure area. Do not leave them in plain sight or easily accessed.
You may want to consider using a password manager. The most basic password managers are like a lockbox or vault in your computer. You can create unique, complex, strong passwords, even ones you would never remember, for each website you need to log in to. The manager remembers and stores them so when you need them, the manager enters your login information, including the password, so you can safely log in.
These passwords are stored in the manager, secured by one master password that you do need to remember. This facilitates creating strong passwords that you do not have to remember. A much better way to safely store your collection of passwords than writing down on a piece of paper! You will need to research the various products available to see which one has the right combination of features that will work best for you.