Many of us know not to include sensitive information, like our Social Security number or birthday, in our logins (and if you didn’t know, now you do!).
But that’s just the most basic step you can take to keep your information safe from would-be fraudsters. Specific username and password rules can differ from website to website, but these five password and five username best practices are universal.
- No sharing (intentionally or otherwise). This is one time when sharing is definitely not encouraged. If you’re thinking, “Obviously I wouldn’t share my password with someone else,” then consider this a reminder that if your password is easy to share, it might be worth revisiting. Similarly, don’t write your password down, even if it’s just to remind yourself later. You might inadvertently be sharing it with someone who happens upon it.
- Stay unique. Simply put: Use different passwords for different accounts. With how much of our lives takes place online, this can be one of the most difficult practices to follow. While we won’t argue that it’s easier to use the same password across your accounts, doing so also gives scammers a big leg up by opening the door wide to all of your information. Besides, if one of your passwords is compromised somehow, then you only have one to update.
- Passphrase is the new password. Today, the term “password” is a bit of a misnomer. Don’t limit yourself to letters and numbers—try sentences: maryhadalittlelamb. Some websites even let you include spaces: the brown fox jumped over the lazy dog. Which brings us to …
- Go long. Length is better than complexity—though both are even better. A password of 16 or more characters is the recommended length. And whenever possible, use a combination of letters, numbers, and special characters (don’t get us wrong—complexity is still a crucial ally).
- Spelling is overrated. Passwords (and usernames) might be the only places where you receive bonus points for misspellings. Guessing a word is difficult … guessing a misspelled word much more so.
- Hard to guess, easy to remember. We’ve already covered that you don’t want to use sensitive personal information in your logins, but you don’t want to use easily accessible info either, like your name or the start of your email address. If you’re considering a username that would be doing double work—as a social media handle, nickname, even pet’s name—we recommend looking elsewhere. You can use a name that’s easy for you to remember, but just try to find something that wouldn’t be easy for someone who knows (let alone doesn’t know) you to guess.
- Keep it original. As with passwords, the best practice is to use different usernames for different accounts. Even a really unique username, if used multiple times, can make you easier to track and hack.
- Don’t give any clues. Usernames shouldn’t provide insight into your password. For example, don’t ask a question or open a joke in your username that you answer or deliver the punchline to in your password. (This one’s more common than you might think.)
- Go long (again). As we’ve mentioned, many sites will have their own username (and password) character requirements, but whenever possible, pick a username that is 10 or more characters in length and includes upper- and lowercase letters, numbers, and special characters.
- Generate it! If you’re struggling with a username, have no fear—online username generators are available if needed. For example, LastPass features a robust username generator tool that offers customizable options (character length, easy to say, easy to read, etc.), and it’s completely free to boot.
We’re all guilty of taking the path of least resistance: creating an easy-to-remember username, or doubling up on a password or varying it ever so slightly (we’re looking at you, exclamation point). And we’ll be the first to admit—creating strong logins and keeping them all straight are different things entirely. Thankfully, you’re not alone. There are a variety of free online username and password managers to help keep your passwords secure without ever involving pen and paper.
LastPass, mentioned above, has one such option. Another great choice is Bitwarden. Both will let you sync across multiple devices, and both have versions that are completely free to use. But there are lots of other free and paid resources available—a quick search will turn up plenty of candidates. With a little extra work on the front end, you’ll not only give yourself the peace of mind of knowing your information is protected, you’ll potentially save yourself a lot of hassle in the long run.
So, time to delete those desktop Excel spreadsheets and shred those sticky notes. Yes, even the Post-It hiding under your phone (we know all about it … because that’s where we used to keep ours, too).
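The password and username rules listed above can be checked mechanically. The following Python audit is an added example, not part of the original article: it flags short logins, reuse (including the "slightly varied" passwords mentioned above), and passwords that contain the username. The `core` normalization is an assumed heuristic, and the sample logins are constructed.

```python
import re
from collections import defaultdict

MIN_PASSWORD_LEN = 16   # "16 or more characters" from the password tips
MIN_USERNAME_LEN = 10   # "10 or more characters" from the username tips

def core(secret):
    """Assumed heuristic: lowercase, then drop trailing digits/punctuation,
    so 'Sunshine', 'sunshine!' and 'sunshine1!' collapse to one core."""
    return re.sub(r"[\W\d_]+$", "", secret.lower())

def audit(logins):
    """logins: list of (site, username, password). Returns {site: [findings]}."""
    findings = defaultdict(list)
    by_password, by_username = defaultdict(list), defaultdict(list)
    for site, user, pw in logins:
        by_password[core(pw)].append(site)
        by_username[user.lower()].append(site)
        if len(pw) < MIN_PASSWORD_LEN:
            findings[site].append("password shorter than 16 characters")
        if len(user) < MIN_USERNAME_LEN:
            findings[site].append("username shorter than 10 characters")
        # The username should give no clue to the password.
        if user and user.lower() in pw.lower():
            findings[site].append("password contains the username")
    for sites in by_password.values():
        if len(sites) > 1:
            for site in sites:
                findings[site].append("password reused or only slightly varied")
    for sites in by_username.values():
        if len(sites) > 1:
            for site in sites:
                findings[site].append("username reused")
    return dict(findings)

# Constructed sample data, not real credentials.
SAMPLE = [
    ("bank", "mary.lamb", "Sunshine2024"),
    ("email", "mary.lamb", "sunshine2024!"),
    ("shop", "Qu1et-Harbor_77", "maree hadd a lidl lamb, 3 of them!"),
    ("forum", "lamb_fan_4ever", "lamb_fan_4ever-rocks-2024"),
]

if __name__ == "__main__":
    for site, issues in audit(SAMPLE).items():
        print(site, "->", "; ".join(issues))
```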