Eliminate Cyberfilth — 7 Password Hygiene Tips | Information Technology | University of Pittsburgh

Eliminate Cyberfilth — 7 Password Hygiene Tips


Passwords — you can’t escape them. Logging into Canvas? Enter your password. Checking your email? Password. Online banking? Amazon purchase? Password, password. Passwords are such an integral part of online life, it’s easy to forget how important they are for protecting your digital footprint. According to the 2022 Verizon Data Breach Investigations Report, over 80% of breaches of online sites and apps were caused by stolen or weak credentials. A little password hygiene can go a long way — because getting hacked stinks.

The mere fact of having a password isn't enough to protect you from cybercriminals. A password that can withstand the efforts of bad actors requires some thought and effort. Here are our top 7 tips for creating great passwords that pass the smell test.

  1. Don't share. We all know that, right? Except then we write it on a sticky note and leave it sitting around. Or we share it with our computer — "Remember me" lets anyone who has access to your device or browser use your credentials. Parents let their kids use the home computer … who then let their friends use it. People accidentally give out their password when someone who seems legit calls or emails them. Even security-savvy people may be sharing their passwords in ways they don’t realize.
  2. Be unguessable. A password that is short, simple, and built from your personal life, like your last name, birthday, or pet's name, is easy to remember. It is also easy to crack, especially for ne'er-do-wells who take a few minutes to look you up on social media. Prioritize length first and complexity second: use at least 16 characters with a mix of upper- and lower-case letters, numbers, and special characters. Consider a passphrase, which gets its strength from length while being easier to remember. A phrase like "IReallyLoveMy2Cats&1Dog!" takes vastly longer to brute-force than an 8-character password and is pretty easy to recall. Two caveats: don't use that exact phrase (it is published, so it now sits in attackers' wordlists), and don't build your phrase from facts a stranger could learn about you.
  3. Don't reuse passwords. It's hard to remember dozens of passwords, but using a different password for every site or service is vital. Unique passwords ensure that if one account is breached, it doesn't put the rest at risk. Hackers take the username and password pairs leaked from a poorly secured site and automatically try them on banks, email providers, and universities, a technique called credential stuffing. If you've used a password for multiple accounts, change them so that each is unique.
  4. Change important passwords semi-annually. You should change the passwords on important accounts that give direct access to your finances, health or confidential information, or institutional or government accounts every so often, even if you are not required to do so. Pick dates about six months apart to remind yourself to change important account passwords. We suggest Halloween (the last day of Cybersecurity Awareness Month) and the first Thursday of May (World Password Day). Don't wait for the calendar if a service you use announces a breach: change that password (and anything that shared it) right away.
  5. Trust your gut and react. Strange notices? Purchases you don’t recognize? Posts you didn’t make? Trouble logging in suddenly? If you have even the slightest suspicion someone’s been mucking about in your account, change your password ASAP. One of the first things hackers do after gaining access is to change your password to lock you out. Pitt’s Technology Help Desk or a site’s customer service department can help you change your password and freeze your account, even if you can’t get in. If you can’t contact someone for help right away, report any card linked to the account as stolen. Trust your gut, and act quickly.
  6. Prevent a password bypass. Many of us would be lost without "Forgot Your Password," ... and so would many hackers! Guard the info used to recover a password as carefully as you guard the passwords themselves. Make security questions tough to crack by lying. (Your mother's maiden name? How about Avengers or Titanic?) That way, even someone who researches you will be stumped. Store the made-up answers in your password manager, since an answer you can't recall locks you out just as surely as it locks out an attacker. Avoid those online quizzes where you list all your favorite things; they are a goldmine for social engineering! Don't log into other sites with your social media or Google account! It may be convenient, but linking accounts means that whoever takes over the one account you signed in with gets every account connected to it, which defeats the point of unique passwords.
  7. Use Pitt Password Manager (LastPass)! If you're sweating about how you'll keep track of your passwords if you follow the first six rules, don't. A password manager does all the work for you, and Pitt IT makes LastPass available at no cost. LastPass will store all your passwords and you only need to remember one (the master password for your vault), so make that one a long passphrase you never use anywhere else. With a simple click, it will generate a ridiculous, random password. It can save other info too, like payment methods, account numbers, Social Security and driver's license numbers, and anything else you want to keep private! It can even alert you to accounts with identical passwords.

    Pitt IT has step-by-step instructions on how to set up an account using your Pitt credentials. Here are a few steps you should take so you can get the most out of LastPass.
  • Enable SMS recovery. This is super important in case you ever forget your master password! It will send a text verification to your phone, so you can easily reset it. Because this makes your phone number a key to your vault, keep the phone locked with a PIN or biometrics and set an account PIN with your mobile carrier so nobody can move your number to a phone they control.
  • Import passwords saved in your browser into LastPass—no need to manually enter them! Just remember to delete the passwords from your browser and then disable your browser’s auto-save after they are imported.
  • Enable autofill to make it easy to retrieve your info from LastPass on all of your devices. Just install the browser extension on your PC and make sure you're logged in when you go online. With the mobile app, you have to explicitly enable autofill on your device and may have to disable your other autofill options (e.g., Safari autofill).
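    Tips 2 and 7 rest on a simple idea: a password is only as strong as the number of guesses an attacker must make, and a generator that draws from a cryptographically secure source beats anything a person makes up. The script below is an added illustration, not code from this page or from LastPass. It generates a random password that satisfies the 16-character, four-class rule from tip 2, generates a diceware-style passphrase, and computes how many bits of guessing each one really forces. The word list is a small constructed sample so that the script runs offline; a real generator would use a large published list such as the 7,776-word EFF list, and the 10 billion guesses per second figure is an assumed attacker speed, not a measurement.

```python
"""Random password and passphrase generation with honest entropy estimates."""
import math
import secrets          # CSPRNG; never use the `random` module for secrets
import string
from itertools import combinations

# The four character classes tip 2 asks for (94 printable ASCII symbols total).
CLASSES = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digit": string.digits,             # 10
    "special": string.punctuation,      # 32
}
ALPHABET = "".join(CLASSES.values())

# Constructed sample word list (32 words). A real list is thousands of words;
# passphrase strength depends on that size, as passphrase_entropy_bits shows.
SAMPLE_WORDS = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable", "gauge", "harbor",
    "igloo", "jelly", "kayak", "lemon", "mango", "noble", "otter", "pearl",
    "quilt", "raven", "saddle", "tulip", "umpire", "velvet", "walrus", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dune", "ember", "fjord",
]


def has_all_classes(pw: str) -> bool:
    """True if pw contains at least one character from every class."""
    return all(any(c in chars for c in pw) for chars in CLASSES.values())


def meets_policy(pw: str) -> bool:
    """The rule from tip 2: 16+ characters and all four classes present."""
    return len(pw) >= 16 and has_all_classes(pw)


def random_password(length: int = 16) -> str:
    """Uniformly random string over ALPHABET, rejected until every class appears.

    Rejection sampling keeps the output uniform over all accepted strings,
    which is what makes password_entropy_bits an exact figure.
    """
    if length < 16:
        raise ValueError("tip 2 asks for at least 16 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def random_passphrase(n_words: int = 6, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word chosen independently and uniformly."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def uniform_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def password_entropy_bits(length: int) -> float:
    """Exact entropy of random_password's output: log2 of the count of
    length-L strings over ALPHABET that contain every class (inclusion-exclusion).
    It is slightly below length*log2(94) because strings missing a class are excluded.
    """
    sizes = [len(chars) for chars in CLASSES.values()]
    total = len(ALPHABET)
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return math.log2(count)


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase given the attacker knows the word list."""
    return n_words * math.log2(wordlist_size)


def years_to_brute_force(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the whole keyspace at an assumed offline guessing rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = random_password(16)
    print("random 16-char password:", pw, "policy ok:", meets_policy(pw))
    print("bits:", round(password_entropy_bits(16), 1),
          "years to exhaust:", f"{years_to_brute_force(password_entropy_bits(16)):.2e}")
    print("passphrase from sample list:", random_passphrase(6),
          "bits:", passphrase_entropy_bits(6, len(SAMPLE_WORDS)))
    print("6 words from a 7,776-word list:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
    print("8 lowercase letters:", round(uniform_entropy_bits(8, 26), 1), "bits,",
          f"{years_to_brute_force(uniform_entropy_bits(8, 26)) * 365.25 * 86400:.0f} seconds")
```

    The numbers are the point: a random 16-character password from all four classes is about 104 bits, six words from a real diceware list about 78 bits, while a pet's name plus a year is well under 40 bits and falls in seconds. The page's own example, "IReallyLoveMy2Cats&1Dog!", passes meets_policy, but because it is made of dictionary words its real strength is closer to a passphrase of five or six words than to 24 random characters, and now that it is published it should be treated as zero.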

Stay Safe with Clean Passwords

Passwords are the first line of defense when it comes to cybersecurity, and multifactor authentication is the second, so turn it on wherever it's offered. Keep your online life squeaky clean with these tips, and you'll be coming up roses!

-- By Karen Beaudway, Pitt IT Blogger