
Jean Chatzky: Are your passwords safe?

By Jean Chatzky · Tuesday, August 18, 2015 · Posted: 6 am ET

What's your first line of defense when it comes to maintaining your privacy and protecting against identity theft? Strong passwords. Many people know that -- yet most Americans are amazingly lax when it comes to using smart passwords.

An example? According to a September 2014 AARP report, 45% of Americans admit to using the same password for more than 1 online account and 49% have not changed their online banking password in the last 6 months -- 2 big no-nos.


"Apathy is the biggest challenge," says Neal O'Farrell, executive director of The Identity Theft Council, a Walnut Creek, California, group that helps fraud victims resolve their cases. It's not unlike locking your front door. Use a poor password and you may as well invite the thieves in to dinner.

Why? The bad guys have the same computing power as big business and the government, says O'Farrell. "This isn't the case of a teenager sitting in a basement trying to figure out what your pet's name is."

What's more, thieves increasingly are shying away from bank and credit card accounts where they know security is tight. Instead, password hackers love mining your email.

"If they have your email, they have your family contacts, work contacts, your mom's maiden name, your kids' names, your photo, who sends you alerts, your 2-factor authentications from your bank, your financial adviser and absolutely everything they need to commit all types of fraud using your good name," says O'Farrell.

To make sure that doesn't happen to you, overcome password inertia and take these simple steps.

Use a passphrase. This is 1 of the easiest ways to create and remember various passwords. Come up with a statement about you that includes some numbers, then take the first letter of each word and the numbers to create your password. For instance, "I graduated from Sonoma High School in June 1981" would be IgfSHSiJ1981.

You want at least 12 characters. Because this password is not using a known English word and is using numbers, it takes tons of processing time to figure out. What's more, a passphrase is easy to remember and easy to write down in a notebook.

"People worry about writing passphrases down," says Chester Wisniewski, senior security adviser at the Internet security company Sophos. "But it's much riskier for my mom to use her granddaughter's name and birthday (both easily findable on social media) than keeping her passphrase in her desk drawer where thieves are highly unlikely to get at it."

Don't use the same password across sites. That way, if you do get hacked on one site it won't necessarily compromise everything else you're doing online. True, it takes more effort. But if you are already using a passphrase, you can easily modify that to differentiate passwords and throw off the thieves. In the example above, you could change the "1" to an exclamation point or the "s" to "$." And add more numbers and characters such as "I graduated with honors from $onoma High School on June 29 !981."

The extra letters, numbers and symbols make a new password and add days to the computing time it would take to crack the code, says O'Farrell.

Consider a password manager. These tools typically randomly generate strong encrypted passwords for every site you use and keep track of them all. They also kick in when you need to reset any passwords. You need only remember the 1 (also strong) master password that gets you into your password manager. Be sure to change the master password at least once a year, kind of like checking the batteries on your smoke detector, advises Wisniewski.

As for recent worries after the hack of password manager LastPass, experts say password managers are still a better way to go (particularly those like Dashlane, which store your passwords on your own computer or gadget -- not in the cloud).

Finally, it's always a good idea to track your credit report to make sure nobody is opening new accounts in your name. You can check your report for free at myBankrate.
