7 Tips For Creating a Better Password
by Steve Thomas
At SGL Financial we take information security very seriously! As the Chief Compliance Officer I am responsible for overseeing our policies and procedures regarding how we handle our clients' non-public personal information (e.g., Social Security numbers, account numbers, holdings, etc.).
At our firm, we have established secure and encrypted client portals, we always verify client identities before discussing sensitive information via phone, and we are not allowed to take instructions received only via an e-mail or voice-mail message—among many other protective mechanisms.
Unfortunately, many of our clients aren’t nearly as secure with their own personal information outside of SGL, and especially with their primary point of defense—passwords!
So, how do you create a better password and ensure the highest levels of personal account security?
The following article came across my desk from FINRA (the Financial Industry Regulatory Authority), which publishes investor protection and information articles. I have edited it for our posting, but feel it has some valuable information for all our clients.
How Strong Is Your Password, Really?
Do you use the same password on a number of your accounts? Or refer to your dog Fluffy in all of them? Chances are some, or all, of your login codes could use a change.
Our passwords are a key component of our lives, and as more of the services we rely on every day move online, the stakes grow ever higher. Here are 7 tips to improve your passwords—and your security online.
1. Create Strong Passwords
Ideally, a password should be at least 12 characters and include a mix of lower case and capital letters, numbers, and special characters such as @, $ or *. It should also be unrelated to any of your prior passwords.
Struggling to think of something? You can use a password generator (there are a number of free options available), or pick a short sentence or phrase to use as inspiration and replace certain letters with numbers or special characters. For example, you could channel Cookie Monster and go with W@nT~C0oK13$.
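As an added illustration (not part of the FINRA article or SGL's own tooling), the Python function below checks a candidate password against the rules just listed: at least 12 characters, lower-case and capital letters, a number, a special character, and not closely related to any earlier password. The similarity threshold and the sample passwords are constructed for this example.

```python
import difflib
import string

MIN_LENGTH = 12
# A candidate whose similarity ratio to a previous password exceeds this value
# is treated as "related" to it. The threshold is a constructed example value.
MAX_SIMILARITY = 0.6


def check_password(candidate, previous=()):
    """Return a list of rule violations; an empty list means the password passes.

    `previous` is an iterable of the user's earlier passwords, used to enforce
    the "unrelated to any of your prior passwords" rule.
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        failures.append("no capital letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no number")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no special character (such as @, $ or *)")

    # Compare case-insensitively so that "Fluffy2023" vs "fluffy2024" still
    # counts as related; SequenceMatcher.ratio() is 1.0 for identical strings.
    for old in previous:
        ratio = difflib.SequenceMatcher(None, candidate.lower(), old.lower()).ratio()
        if ratio > MAX_SIMILARITY:
            failures.append(f"too similar to a previous password (ratio {ratio:.2f})")
            break
    return failures


if __name__ == "__main__":
    # Constructed sample inputs: the article's Cookie Monster password passes,
    # a weak dictionary word fails several rules, and appending a year to an
    # old password is caught by the similarity check.
    print(check_password("W@nT~C0oK13$"))
    print(check_password("password"))
    print(check_password("W@nT~C0oK13$2024", previous=["W@nT~C0oK13$"]))
```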
2. Avoid Passwords Containing Info Easily Found Online
Part of having a strong password is not using information someone could easily (or even not-so-easily) figure out by checking out your social media accounts. That means if you constantly post about your dog, Fluffy, don’t make your password “Fluffy_Lv3r.”
Consider the whole extent of the information out there. While “H@rRy*P0tt3r” is generally a strong password, don’t use it if you are a member of a Harry Potter fan club or post quizzes to your page like “What Hogwarts House Would You be Sorted Into?”
3. Use a Unique Password for Every Website or App
You might think a security breach at, say, LinkedIn doesn’t matter—they have your resume, so what? But if you use the same password, or even a similar one, for LinkedIn as you do for your bank account or Facebook or any number of other applications, a hacker can soon find a way to wreak havoc in your financial and personal life.
Need help remembering (and generating) all those passwords? Consider using a password manager app. Many of the available apps will help you generate and store unique passwords for every website. I personally use one called LastPass, and a free version is available. If you don’t feel comfortable keeping that info in the cloud, you can also just create a document on your computer and encrypt that with a password. If you are more the pen-and-paper type, you can keep a list at home.
“In some scenarios, writing down passwords isn’t a terrible thing (it’s offline) provided you protect what you have written and where you store it,” said Whitney Hewatt, a lead security engineer at FINRA. “Certainly don’t store such things right next to any systems you use making it easy to find such lists.” During my years as a regulator I can’t tell you the number of times I examined an office and the passwords to various sites the office used were stuck to the side of the computer monitor using sticky notes—not a good idea!
4. Avoid Linked Accounts
What does that mean? When you are new to a website and it says you can create a new account or link the account to use your Facebook or email login, just create the new account instead.
“Sure, linked accounts are convenient,” Hewatt said. “But convenience comes at a cost.”
When you log in using another account, you are usually allowing that website to have some of your data—whether you realize it or not. That may be a privacy concern and may make identity theft easier. But beyond that, allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.
5. Use Multi-Factor Authentication
When possible, use multi-factor authentication, or two-factor authentication, particularly for your email accounts. Many e-mail providers now allow for this, including Gmail, Microsoft Mail, and others.
“Protect your email accounts as best you can,” Hewatt said. “Enable this setting to provide an added layer of security where you authenticate and then have to use another validation process, such as a code sent by text or authenticating app to secure the logon process.”
You should do this whenever possible, but your email account is particularly important. Your email address is also where password resets are typically sent, so it’s imperative that you protect your email address in order to protect all other accounts.
6. Beware Where You Enter Your Password
Be aware of possible risks such as using public kiosks and charging stations when logging on to any site or app you use. There may be malware or a virus designed to capture any information you type on the machine. “You never know who manages these systems or how securely they are configured,” said Hewatt.
The same goes for public Wi-Fi. Public Wi-Fi might be convenient and easy on your wallet as you look to avoid data overage charges from your cellular provider, but steer clear of entering your password into any website from a public network, be it at an airport or your favorite coffee shop, or in a college classroom or hotel room. Ideally, you should log in through a virtual private network (VPN) if you’ll be working from a public network.
“Until better security solutions are created, traffic on open networks can generally be discovered by anyone else on that network,” Hewatt said. “You may be better off using cellular communications when possible.”
7. Take Note When a Data Breach Occurs
If you hear about a possible data breach of a website or app you use, don’t just assume others were affected, but not you. Take steps to determine if your credentials have been stolen.
You can reach out to the company that was hacked, or use test sites to determine if your credentials were stolen. The website “Have I Been Pwned” is one option that tracks many of the known data breaches. You enter a username or email address to determine if one of your accounts is located on lists which have already been dumped to the internet for public download.
While we are not “tech gurus” at SGL, we have heard many stories from our clients over the years and we would be happy to discuss any of the above, or our own, security measures with you at any time. Planning for your financial future is important, and keeping your personal information as safe as possible should be included in your planning.