News flash: We have some risky password habits.
CNET's latest survey shows that almost half of US adults (49%) have risky password habits. Even worse is that 24% admitted to using a password that's shared with another account.
That's troubling to Attila Tomaschek, CNET software senior writer and digital security expert.
"Reusing the same password across multiple accounts puts users at risk of getting their online accounts compromised through a credential stuffing attack," said Tomaschek.
It may seem OK to use an old password, especially if it hasn't been compromised. Or you may include some personal information to make it easy to remember. But that's a big risk to your data and identity if your password falls into the wrong hands. A hacker getting access to your Netflix account password could lead to access to other logins such as your bank account.
Here's more on CNET's survey findings and our expert's advice for managing your passwords.
- 49% of Americans have risky password habits
- 24% of US adults use the same password for more than one account
- 25% of US adults use a random password generator, a practice CNET experts recommend
What password habits are putting us at risk?
CNET's survey found that the risky password habits US adults most commonly turn to include reusing a password across different accounts or using personal data as part of a password. While 24% said they use the same password for different accounts, 8% admitted to using a password that they know was compromised in a data breach.
"If a malicious actor gains access to a user's login credentials on one account, they could use those same credentials to gain access to other online accounts that share the same credentials," said Tomaschek.
US adults are also using personal information as part of their passwords, including birthdays or anniversaries (15%), a pet's name (14%), part of the user's name (11%) or a family member's name (11%). Less common password practices include using a password that contains a previous or current street address (6%), a child's name (6%), a common sequence such as "1234" (5%), the word "password" (3%) or the name of a college or professional sports team (3%).
Using personal data in your password may help you remember your login but it also makes it easier for hackers to access your account.
"This is especially risky considering the wealth of information that many people share online through social media and other outlets," said Tomaschek. Creating a unique password for each account can minimize that risk.
Companies have an alternative to passwords
Some companies are getting rid of passwords altogether and introducing an alternative -- passkeys.
We're already familiar with passkeys as another way to access accounts. Facial recognition, biometric credentials or PIN numbers for devices are all common passkeys. It could be a safer measure to protect your accounts since the passkey is linked to your device and account, and the information isn't stored on the web. It also takes the guesswork out of remembering or creating long passwords.
Microsoft is already moving toward passkeys and giving users a heads-up that passwords will be deleted. Any passwords you want to keep will need to be saved on Edge, but will be deleted from the Authenticator app. Starting this month, you won't be able to save new passwords in Authenticator, and next month you won't be able to use Microsoft's Authenticator autofill feature. By August, those passwords won't be available.
How to create a strong password without forgetting it
Not all US adults have lazy password habits. CNET found that one-quarter (25%) of US adults go with randomly generated passwords when creating one, for example, from an online service or internet browser. That's welcome news to Tomaschek, who said this is one of the safest options. Randomly generated passwords are substantially more difficult to guess than a user-created password, Tomaschek said.
"A good password generator will offer options for the user to customize the length of the password and whether numbers and symbols are incorporated," he said. "The longer and more complicated the generated password, the better."
However, a randomly generated password can be impossible to remember, so Tomaschek recommends using a password manager to store each of your unique passwords. Bitwarden is CNET's top recommendation.
Tomaschek uses 1Password. He likes the interface and the family plan. "Though it's technically second on the list, I think it's just as good as Bitwarden," Tomaschek said.
You may also consider using a passkey, which some companies, like Microsoft, are moving toward as a safer alternative to traditional passwords. Passkeys use biometric data like your fingerprint or facial recognition instead of a traditional password to log into your account. Some retailers and service providers already use these measures as a form of two-factor authentication.
The US Cybersecurity and Infrastructure Security Agency recommends making each password 16 characters or longer. Also, use a random mix of numbers, letters, special characters or words. If your password has been compromised, change it right away and keep an eye on any other accounts to make sure they're not impacted.
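As an added illustration (not CNET's code or any password manager's), here is a generator of the kind Tomaschek describes, with adjustable length and optional numbers and symbols, that refuses anything shorter than the 16 characters CISA recommends. The function names and the symbol set are assumptions made for this example; the randomness comes from Python's standard `secrets` module.

```python
import math
import secrets
import string

MIN_LENGTH = 16  # CISA guidance cited in the article: 16 characters or longer

# Constructed symbol set for this example; real sites differ in what they accept.
SYMBOLS = "!@#$%^&*()-_=+[]{}"


def build_classes(use_digits=True, use_symbols=True):
    """Return the character classes the password will draw from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase]
    if use_digits:
        classes.append(string.digits)
    if use_symbols:
        classes.append(SYMBOLS)
    return classes


def generate_password(length=20, use_digits=True, use_symbols=True):
    """Generate a random password using the OS CSPRNG via `secrets`."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = build_classes(use_digits, use_symbols)
    alphabet = "".join(classes)
    # Rejection sampling: draw every character uniformly and retry until each
    # enabled class appears, so no position in the password is predictable.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, use_digits=True, use_symbols=True):
    """Upper bound on guessing entropy: length * log2(alphabet size)."""
    alphabet_size = sum(len(c) for c in build_classes(use_digits, use_symbols))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password(20), f"~{entropy_bits(20):.0f} bits")
    print(generate_password(16, use_symbols=False),
          f"~{entropy_bits(16, use_symbols=False):.0f} bits")
```

The entropy figure is an upper bound, since requiring every class to appear rules out a small share of candidates. Store the output in a password manager rather than trying to memorize it.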