5 essential tips for protecting your online passwords

A login prompt asking for a username and password.
(Image credit: Iurii Stepanov/Shutterstock)

You've heard the advice — likely many times over — that you should create strong, unique passwords for all your online accounts. Yet a significant number of people are still using "12345," "password," and "qwerty" for their emails, bank logins and e-commerce accounts. 

There are plenty of problems with this approach to digital security, one of which is the risk of your personal data being accessed in a credential-stuffing attack. Credential stuffing is a type of brute-force hack in which cybercriminals take login information stolen in past data breaches and use it to systematically try to break into other accounts. 

Data shows that there are 3.6 million credential-stuffing attacks every hour in the U.S. While the success rate is extremely low, the sheer volume of attempts means that plenty of personal information is compromised. Plus, unlike traditional brute-force attacks that rely on random guesses, credential stuffing takes advantage of the fact that people reuse passwords that have already been stolen. 

So what can you do to protect your passwords? 

Use unique passwords

Seriously. More than 80% of people use a single password across multiple websites, but reusing your passwords puts you at higher risk for falling victim to credential stuffing. That compromises your personal data and increases the likelihood of experiencing financial losses and identity theft

"Human nature is to make things easy for ourselves," said Steve Tcherchian, chief information security officer at California data-security firm XYPRO. "We don't like to be inconvenienced. We like fast, we like quick. Therefore, most users use the same or similar username/password combination for nearly all access to websites."

Another way to mix up your username and password combos is to use multiple email addresses instead of relying on the same email for every single login. But you don't have to set up multiple email accounts to do this.

Gmail and Microsoft Office 365 let you use "plus" email addresses for this purpose. So John Smith can sign up for Amazon with "john.smith+amazon@gmail.com" and sign up for Facebook with "john.smith+facebook@gmail.com", but messages sent to each address will land in the inbox of john.smith@gmail.com.

Make your passwords stronger

While you're creating unique credentials for each account, make sure your passwords aren't easy to crack. The most secure passwords are long and complex, which makes them more difficult to guess. Easy-to-remember passwords, in contrast, are extremely weak — even if they're unique. 

Here are a few ways to make your passwords more secure:

  • Make each password at least 15 characters long. 
  • Use lower-case and upper-case letters as well as digits and punctuation marks.
  • Avoid real words and any parts of your name or email address. 
  • Don't use any information that can be found on social media, such as your birthdate or pet's name. 

Use a password manager

If you're relying on your own memory to keep track of many long and complex logins, of course you're more likely to default to a few short and simple passwords. Fortunately, there's a solution.

The best password managers can generate strong, unique passwords for new accounts, remember your passwords for you, and tell you when you're reusing credentials or if your information was compromised in a data breach. 

Password managers also sync across multiple devices, such as PCs, Macs and smartphones. All you have to do is remember the master password (or enable biometrics such as Face ID).

This is more secure than having your browser remember passwords. For example, on a Mac where Chrome uses your Apple keychain, a cybercriminal could get access to everything once they have your Gmail password.

Enable multi-factor authentication

Multi-factor authentication (MFA) adds a layer of security by requiring you to verify your identity with something besides a password when you log into an account on a new device or from a new location. Without this secondary key, a hacker won't be able to get in even if they have your password. Enable MFA or 2FA whenever it's an option. 

As Pieter VanIperen, security expert and founder of PWV Consultants in New York, explains, these keys can block credential stuffing "because your password only gets them to the next door even if they have purchased it and aren't stuck guessing." 

Common second factors of authentication involve temporary passcodes sent to your phone via text or app. While this may seem secure — and it may be better than nothing — it's not that difficult for criminals to intercept SMS or transfer your phone number to their own SIM card. 

Better options include authenticator apps (Google Authenticator works with most major services) or physical security keys like the YubiKey or the Google Titan.  

Heads up: If you're getting notifications to authenticate accounts you're not actively logging into, that's a good indication that someone else is trying to access your information. 

Monitor public data breaches

Keep an eye on security news so you know when your information may be compromised. Then enter your email into https://haveibeenpwned.com/ to find out if your data has been exposed in a public data breach. 

Bottom line

You may not be able to avoid data breaches and credential stuffing completely, but you can minimize the likelihood that cybercriminals will be successful in hacking their way into your accounts. 

Emily Long

Emily Long is a Utah-based freelance writer who covers consumer technology, privacy and personal finance for Tom's Guide. She has been reporting and writing for nearly 10 years, and her work has appeared in Wirecutter, Lifehacker, NBC BETTER and CN Traveler, among others. When she's not working, you can find her trail running, teaching and practicing yoga, or studying for grad school — all fueled by coffee, obviously.