Are your passwords making you vulnerable?

Meagan Dow, CFA®, CFP™
Senior Strategist, Advice & Guidance

October is Cybersecurity Awareness Month, and almost every article about keeping yourself cybersecure mentions the importance of using strong and unique passwords. But why? And how?

Why strong?

Strong passwords are great for keeping out hackers but more difficult to remember, which is likely why many people default to passwords that are easier to hack, especially if those passwords are short and not at all complex. Hackers can use programs called password crackers that make a high volume of guesses in a short period of time, allowing them to break through this layer of security and access personal information. Cybersecurity firm Hive Systems creates a table each year that estimates how long it would take a password cracker to determine a password using brute force. In their 2023 study, they estimated that an eight-character password of only lowercase letters could be cracked instantly.


Why unique?

If your password is strong enough, do you really need a different one for every website and app? Unfortunately, the answer is yes. If a bad actor obtains a password from one website, they may try it on a variety of other websites — like financial companies — to see if it provides access. If you have a different password for every site and one site gets compromised, you only need to change the password for that site. If you reuse a password, every other account that uses that password is vulnerable.

What are the keys to maximizing security with your passwords?

  • Use numbers, uppercase and lowercase letters, and symbols – Using only numbers or letters makes for a much weaker password, so include a mix of characters to make it significantly harder to guess your password.
  • Make it long – Longer passwords are more secure than shorter passwords, so try to use a password or passphrase that is on the longer end of what’s permissible by each password system.
  • Make it randomly generated or a long passphrase – Randomly generated passwords are significantly harder to guess than the ones we create. This requires a way — such as a password manager — to create and remember them but provides an additional layer of security. An alternative is to use long passphrases (a sentence or string of words), which has the benefit of being memorable while also long.
  • Make it unique – As covered above, accounts on which passwords have been reused can become vulnerable in the event of a breach. Using different passwords for each account decreases your risk of getting hacked.
  • Don’t rely solely on passwords – The best security has multiple layers, and passwords are only one. Set up two-factor or multifactor authentication when it’s available, but especially for sensitive accounts like those for your finances, email and social media. These settings can often be found in the security sections of websites and apps and require you to verify your identity through email, text or — better yet — an authentication app. Especially for sensitive accounts, don’t select “remember this device” when logging in. And remember not to share your passwords or authentication codes with anyone; trusted callers will never ask for it.

Make all of this easier by using a reputable password manager

Security experts generally agree that using a reputable password manager is a reliable way of adhering to password best practices and that the benefits of using one outweigh the risks if used properly. You essentially only need to remember one very strong password: the one to get into your password manager. And you can better secure your password manager by using two-factor authentication for it, making it harder for anyone else to break into it.

Some of the benefits of a password manager include:

  • Vaults for secure information: Password managers hold passwords but also other information that you want securely stored as well. They can hold identification information like passport numbers and driver license IDs, credit card information in case one gets stolen and notes where you keep emergency instructions. 
  • Random and secure password generation: Password managers will generate long and random passwords for each site so you no longer have to come up with unique passwords yourself.
  • Autofill across devices: Once you’ve set them up, password managers automatically fill in your username and password so you don’t have to remember them.
  • Security features: Reputable password managers know their only value is in the security they provide, so they take significant steps, like advanced encryption protocols, to keep your information safe.
  • Secure sharing: Some password managers have features that let you set up family accounts and share passwords and notes securely. For instance, spouses can share passwords for joint accounts while keeping their own accounts private if desired.

It will take time to get your password manager set up, but the up-front cost of time is well worth the time and mental burden it will save later. To find a reputable password manager, do your research and look at various information sources. Once you’ve narrowed your search to a few possible candidates, make sure to do specific research to ensure none of the companies have had any data breaches. Some password managers require a paid subscription, which is not unusual.

There’s no getting around the reality that using secure passwords is more effort, whether it’s on the front end of setting up a password manager or the ongoing work of maintaining passwords yourself. But whether it’s your Edward Jones account or any account you want to keep private, the additional security is well worth the effort. Carve out some time this month to do a password checkup and make yourself a much harder target for cybercriminals.