The news that a Russian crime ring has stolen some 1.2 billion username and password combinations makes it more important than ever to take steps to protect yourself online.
Hold Security, which uncovered the data breach, called it "the largest known collection of stolen Internet credentials" ever amassed. The firm did not publicly identify the websites that had been compromised. But with that many usernames and passwords in the hands of hackers, no one can assume their online accounts are safe.
Experts say there are a number of things consumers can do. Top of the list: "Change all passwords immediately," advised Adam Levin, chairman of identity theft protection and remediation firm IDT911.
And don't just swap one weak password for another. Changing "123456" (the most common password of 2013, according to SplashData) to "password" (the second most common) simply won't do the job.
There are more tips for better passwords below. But even if you follow all the recommended security practices, passwords can still be vulnerable.
"Creating a password, no matter how tricky and complex you think it is, is not something you can rely on to stop a very devoted hacker from getting to your data," warns Connie Guglielmo, editor-in-chief of CNET News.
Fortunately, there are some alternatives. A password manager such as LastPass or the 1Password app can help eliminate the chore of keeping track of a long list of complex (and easily forgettable) passwords.
"You log into the password manager, and then it auto-generates and creates and manages all the passwords for you," Guglielmo explains.
CNET's Sumi Das reports some tech companies are hard at work developing systems that could replace passwords completely using biometric technology.
Fingerprint scanners are already in use to unlock phones like the iPhone 5S and Samsung Galaxy S5. A phone's camera could someday be used as a retinal scanner. And a Toronto-based firm called Bionym is developing a device that would use your heartbeat to unlock everything from your car to your computer.
But until that futuristic technology arrives, experts offer these seven tips for stronger passwords today:
- Make your password long. The recommended minimum is eight characters, but 14 is better and 25 is even better than that. Some services have character limits on passwords, though.
- Use combinations of letters and numbers, uppercase and lowercase letters, and symbols such as the exclamation mark, if the site allows. "PaSsWoRd!43" is far better than "password43" -- although increasingly sophisticated hackers may still be able to crack it.
- Substitute characters. For instance, use the number zero instead of the letter O, or replace the S with a dollar sign.
- Avoid words that are in dictionaries; there are programs that can crack passwords by going through databases of known words. One trick is to add numbers in the middle of a word -- as in "pas123swor456d" instead of "password123456." Another is to think of a sentence or phrase and use just the first letter of each word -- as in "tqbfjotld" for "the quick brown fox jumps over the lazy dog."
- Avoid easy-to-guess words, even if they aren't in the dictionary. Don't use your name, company name, hometown, or pets' or relatives' names. Likewise, avoid things that can be looked up, such as your birthday or ZIP code.
- Never reuse passwords on multiple accounts -- with two exceptions. If the password is for one-time use, such as when a newspaper website requires you to register to read the full story, it's okay to reuse simple passwords. Just make sure the password isn't unlocking features that involve credit cards or posting on a message board. The other exception is to log in using a centralized sign-on service such as Facebook Connect. Hulu, for instance, gives you the option of using your Facebook username and password instead of creating a separate one for the video site. This technically isn't reusing your password, but a matter of Hulu borrowing the log-in system Facebook already has in place. The account information isn't stored with Hulu. Facebook merely tells Hulu's computers that it's you. Of course, if you do this, it's even more important to keep your Facebook password secure.
- Use two-step verification. Some services such as Gmail offer this option, in which the service sends a text message with a six-digit code to your phone when you try to log in from an unrecognized device. You'll need to enter the code for access before it expires. Hackers won't be able to access the account if they don't have your phone. Turn on this feature in Gmail by going to the account's security settings.
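As an added illustration (not part of the original article), the small Python checker below applies the length, character-mix, common-password and dictionary rules from the tips above, and also undoes the character substitutions from the third tip the way cracking tools do before a dictionary lookup. The word lists are constructed samples; a real checker would load a leaked-password list and a full dictionary.

```python
import string

# Constructed sample lists standing in for a real leaked-password list and a real
# word list; a production checker would load far larger files.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein"}
DICTIONARY_WORDS = {"password", "welcome", "monkey", "dragon", "football", "sunshine"}

# Substitutions the article suggests (0 for O, $ for S) plus a few other common
# ones; cracking tools routinely reverse these before comparing against word lists.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "$": "s", "@": "a", "!": "i"})

def letters_only(text):
    """Lower-case the text and drop everything that is not a letter."""
    return "".join(c for c in text.lower() if c.isalpha())

def word_cores(password):
    """Candidate 'cores' of a password: digits and symbols stripped, and the same
    after undoing substitutions, so "pas123swor456d" and "P@$$w0rd" both
    reduce to "password"."""
    return {letters_only(password), letters_only(password.translate(LEET_MAP))}

def check_password(password):
    """Return the list of article rules the password fails (empty list = passes)."""
    findings = []
    if len(password) < 14:                      # tip 1: 14 characters or more
        findings.append("too_short")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:                        # tip 2: mix character classes
        findings.append("few_classes")
    if password.lower() in COMMON_PASSWORDS:    # the SplashData-style top list
        findings.append("common")
    # Substring match: a dictionary word is still exposed when digits are merely
    # inserted into it or appended, as in "pas123swor456d" or "password123456".
    if any(word in core for core in word_cores(password) for word in DICTIONARY_WORDS):
        findings.append("dictionary")
    return findings

if __name__ == "__main__":
    for pw in ["password", "PaSsWoRd!43", "pas123swor456d", "P@$$w0rd", "Tqbfj0tld!Fox2014"]:
        print(f"{pw!r}: {check_password(pw) or 'passes all checks'}")
```

Note that the article's own example "pas123swor456d" is flagged: once the digits are removed it is the dictionary word "password", so the length it gains is doing all the work.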