Today is National Change Your Password Day. Hope you got your special someone something nice.
Yes, this is yet another made-up holiday pushed by the cybersecurity industry. On top of that, it comes just days after Sunday's celebration of Data Privacy Day. But it's still a good reminder of the importance of setting long and unique passwords for all your online accounts.
That said, you don't have to mark today by changing all your passwords. For many people, that would be a lot of work, and experts say that in most cases it's also unnecessary.
For years, security professionals recommended that consumers change their passwords every few months. The thinking was that doing so would limit the potential damage if one of those passwords were to be compromised. Cybercriminals would have a limited amount of time to use that password, even if nobody ever figured out it had been stolen.
But what these security pros eventually figured out is that the more often people are forced to change their passwords, the more likely they are to set bad ones. Most experts now believe that it's better to set great passwords for all your accounts just once and let them be, unless of course you later find out they've been compromised.
Need some help? Sign up for a password manager. Both free and paid options are available. Many internet browsers can also help you out with this task, though they don't always work across your various devices.
For folks who want to go it alone, here are some tips for setting strong passwords and protecting personal data.
Longer is better. At least 16 characters is best. At that point, you don't have to worry so much about password-cracking software. Random sequences of characters are best, but passphrases, such as a combination of three unrelated words, will be OK in most circumstances. Throwing a special character, such as a symbol or punctuation mark, in the middle won't hurt.
Skip the personal details. If you use a passphrase, make sure the words only have meaning to you and don't signify anything important. "Red Sox Rule" might be a great way to show your loyalty to the team, but it isn't a terribly secure passphrase. Don't use your birthday or another significant personal date, because cybercriminals can find them easily. Song titles and famous quotations are also bad ideas. Avoid cliche substitutions, such as using @ for "at" or "a," and $ for the "s."
Resist the temptation to recycle. Even the best passwords can be stolen and compromised. So limit the fallout by making sure you set unique passwords for all your accounts. Sure, that could be a lot to handle, since we're recommending 16-character or longer passphrases.
Change can be good. Most experts now say you don't actually need to change your passwords on a regular basis. But they all agree you should change them right away at any hint of compromise.
Keep your details off social media. The more personal details you post, the more cybercriminals know about you. Those little, seemingly unimportant, bits of data could be used to crack your passwords, especially if you did include personal details in them.
While you're at it, stay away from quizzes you see posted on social media that ask a series of seemingly harmless questions in order to tell you what city you should live in or what your ideal vacation spot would be. Sure, they're fun, but they might be collecting personal information that could be used to crack your passwords down the road.
Always, always use 2FA. If your password does get compromised, a second layer of protection will go a long way toward protecting you. Two-factor authentication, also called 2FA, and multi-factor authentication, MFA, are being used by a growing number of sites and require someone trying to access an account to also enter a second form of ID.
It could be a code generated by an app, a biometric like a fingerprint or facial scan, or a physical security key you insert into your device. Yes, that'll slow you down as you access the account. But it's worth it to keep your account safe.
One word of warning: If you can, avoid 2FA systems that text a code to your smartphone. SIM swapping, a scam in which a cybercriminal takes over your phone number, is on the rise. If a criminal gets control of your phone number, they'll get your 2FA text message, too.