
World Password Day: Here are 4 tips for staying safe online

You can try a little harder than "12345" and "password."

Laura Hautala, Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise: E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking.
Credentials:
  • 2022 Eddie Award for a single article in consumer technology

Even Betty White, World Password Day's spokeswoman, could tell you this: passwords suck.

Perfect passwords are the bane of online life. Every site seems to have a different format, and generating a unique, random password for every account is a pain. You can't do it unless you're a computer yourself.

That's why so many of us don't even bother and fall back on these unsafe practices:

  • Reusing the same password everywhere online.
  • Relying on common passwords, like "12345" and "password" and "letmein." All three are ranked among the worst passwords of 2015 by Teams ID, a password manager company.
  • Sharing your password.

The online public's password habits are so bad, one hacker stockpiled more than 272 million passwords for major email services, including Gmail, Hotmail, Yahoo Mail and Mail.Ru, Russia's No. 1 email service. On Wednesday, researchers revealed he had traded the logins for positive comments on a hacking forum.

A similar incident made headlines in November, when nearly 600,000 Comcast credentials were posted on the Dark Web, a hidden series of websites where criminals go to buy log-in credentials to break into your accounts.


Please, don't use "qwerty" for a password.

Amanda Kooser/CNET

Troy Hunt, who runs the security website Have I Been Pwned, says the passwords likely came from phishing attacks, a hacker strategy that prompts users to voluntarily hand over their information. He said that's all a hacker with a hoarding mentality needs to gather up millions of passwords, and it's unlikely the email services were hacked to get the credentials.

"We just simply haven't seen a vulnerability that has leaked large scales of email passwords," Hunt said.

Here's how you can take charge of your passwords and prevent your online life from spiraling out of control:

Use complicated passwords

Don't use info, like your pet pooch's name, that can be found on your Facebook page or Twitter account. Randomly generated passwords, preferably ones that use numerals and special characters -- you know, $ and % and # -- are best.
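As an added illustration that is not part of the article, here is a small script showing both halves of this tip: generating a random password with numerals and special characters, and flagging the habits the article warns about (common passwords, details someone could find on your social media, reuse). The checker's rules and thresholds are my own assumptions, not CNET's or any password manager's.

```python
import secrets
import string

# Passwords the article names as among the worst (plus "qwerty" from the photo caption).
COMMON_PASSWORDS = {"12345", "password", "letmein", "qwerty"}

SPECIALS = "$%#!@^&*"
ALPHABET = string.ascii_letters + string.digits + SPECIALS
MIN_LENGTH = 12  # assumed minimum; the article gives no specific number


def generate_password(length: int = 20) -> str:
    """Return a random password that contains at least one letter, digit and special character.

    secrets.choice draws from the OS CSPRNG, so the result is not guessable from earlier output.
    """
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in SPECIALS for c in pw)):
            return pw


def weakness_reasons(password: str, known_facts=(), used_elsewhere=()) -> list[str]:
    """List the article's warning signs that apply to this password (empty list means none).

    known_facts: strings a stranger could learn from your public profiles (e.g. a pet's name).
    used_elsewhere: passwords already in use on other accounts, to catch reuse.
    """
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("common password")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for fact in known_facts:
        if fact and fact.lower() in lowered:
            reasons.append(f"contains publicly known detail '{fact}'")
    if password in used_elsewhere:
        reasons.append("reused on another account")
    if not any(c.isdigit() for c in password):
        reasons.append("no numerals")
    if not any(c in SPECIALS for c in password):
        reasons.append("no special characters")
    return reasons
```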

Sure, you could become a mental gymnast and memorize all your passwords. But it might be simpler to...

Use a password manager

Software developers know that few people can memorize complicated, unique passwords for every online account they have. So they've developed password managers, like LastPass and 1Password, both of which can help you use every tip listed here.

Sure, password managers aren't perfect either. LastPass sold itself in October to LogMeIn, three months after hackers stole the hints to users' main passwords and the scrambled versions of those passwords, too. But it's still safer than trying to manage your passwords on your own.

And even if you're using a password manager...

Don't use the same password for different accounts

Hackers know we're lazy. If they steal one of your passwords, they'll try it on all of your accounts. You wouldn't want intruders getting into your bank account just because it had the same password as your Twitter account, would you?

Limit your risk by having unique passwords for all your accounts.

It's also a good idea to...

Change your passwords frequently

If your password is stolen, it almost assuredly will be up for sale on the Dark Web.

That's what happened with the Comcast passwords, although only about a third of them were up-to-date. It would have been even fewer if Comcast customers had changed their log-ins more frequently.

And if you're willing to go that extra step, there's one more thing that's easy to do...

Use multiple factors to log in

There's no way to guarantee that someone won't steal your password. So take advantage of multiple-factor log-ins -- two-step authentication that requires a separate code sent to your phone or email account to complete the process.