Answers to Password Questions You're Too Embarrassed to Ask


If you didn't know, now you do.

May 4 is World Password Day, an event designed to promote good password habits online because weak logins like "123456" and "qwerty" continue to top the lists of the most common passwords.

The frequent use of weak passwords isn't from a lack of information, however. Results from a Pew Research Center cybersecurity quiz show most people do know better when it comes to password security, but they just choose not to follow best security practices.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

It's unclear whether that's because of laziness or the false assumption "it won't happen to me," despite hacking attempts and security breaches happening daily across the web. But your identity, privacy and finances are at stake, so it's time to get smart. Here are answers to some of those password questions you thought were too dumb to ask.

Why is “password” a bad password? Why shouldn’t I use words as my password? Does using numbers instead of letters make my password harder to guess?

In general, it's a bad idea to make your password a single dictionary word, and that includes "password." When hackers want to crack a password, they can set a computer to try every combination of characters until one finally works. That makes length and complexity some of the most important attributes to a good password.

Try combine letters, numbers and symbols in different ways. Another way to create a memorable but difficult to crack password is to come up with a short sentence. If you're unsure, play around with this website to see what it takes to create a strong password.

Does it really matter if I reuse a password? What if I vary it just a little bit? 

"Reusing passwords is one of the worst things people can do," said Michael Kaiser, executive director for the National Cyber Security Alliance. "Basically, it's using the same key on different locks." 

If one website or account is compromised, the hackers can then try those username and password combinations on other accounts and websites. The 500 million Yahoo users who had their accounts compromised probably wish they had varied their passwords more.

If I can’t remember all my passwords, should I use a password manager? Is it safer?

When just about every website requires a password, it can be difficult to remember them all, especially if you're following the advice above and making them complicated.

If you're having trouble, consider using a password manager. It's safer than writing passwords down in a Word document or email draft. Writing passwords down on paper is marginally better than that, but it could still be swiped by a vindictive ex or burglar or accidentally thrown in the trash.

"Password managers are useful because they give you the ease of access to that information, probably across multiple devices from where ever you may be," said Laura Bate, program associate with the Cybersecurity Initiative at New America.

If you use a password manager, know they aren't fool-proof in terms of risk reduction. Make sure to pick a reputable company. And the password to that password manager should be ironclad and fully committed to memory.

How often should I change my passwords? Does it help security that my job makes me reset passwords every three months?

The logic behind frequent password changes is that if hackers get access, they won't have it for long. But many hackers could be in and out of a network much faster than password changes occur. But according to Kaiser, the emerging consensus is that the more frequently you ask people to change passwords, the worse password practice they use.

If your workplace does require you to reset your password often, you should follow that protocol—but don't get lazy.

For personal accounts, you should change passwords if you feel they need to be changed. But having one strong password is better than a string of weak ones, Kaiser said.

If I need to tell someone else my password, how should I do that?

"Always be skeptical of someone asking for your password," Bate said. "There are very few cases where anyone should ever ask for your password." 

But if it's your spouse asking for the Netflix password, the best way to share that information is verbally and in person. Verbally over a phone call to or from a recognized number is not as good, but Bate said it's still better than through email or a text message—two worst possible ways of sharing a password.

Does two-factor authentication secure my account better?

Two-factor authentication can be a pain, but it's one of the smartest online security tactics, Kaiser said. Start with your email account, the hub of your online life. This is where links are sent to reset all of your other accounts. Most major online email providers offer a multifactor login scheme, so there's no excuse.

"Does it make your account impervious to hacking? No. But it does improve your odds considerably," Bate said.

If available, you should also set up two-factor authentication on any online banking and social media accounts.

Are passwords better or worse than biometrics like a thumbprint?

We already know when left to their own devices, many people create weak passwords and generally fail at managing their own personal security. Biometrics seems like a great way to circumvent that: You can't have a weak thumbprint. But it's important to know biometrics aren't completely hack-proof. Just ask the more than 5 million people who had their thumbprints stolen in the massive Office of Personnel Management breach.

So while you can use biometrics to access your iPhone, for now most online accounts still require a password. And it should be a strong one.

"The truth of the matter is, people know if their passwords aren’t any good," Kaiser said. "If you know, then make a better password."