Password Management Is Much More Than an IT Problem



Two years ago the CIO at Quest Credit Union had no problem extending responsibility for password management beyond just the IT department. That’s because C-suite executives were already using a password management solution for personal use. Thus getting the organization aligned behind an enterprise password management solution was almost automatically a shared responsibility.

There are many compelling reasons why small and mid-sized businesses (SMBs) absolutely must make password management an organization-wide effort, not just an issue delegated to IT. Unfortunately in many SMBs today, this responsibility is left entirely with IT. In doing so, these organizations run the greater risk of failing to build a risk-aware culture across the organization – an effort aimed at ensuring every employee knows exactly why cybersecurity is mission-critical today.

The landmark Ponemon Institute State of Cybersecurity in SMBs, which polled some 600 SMBs, found that 71% of respondents emphasize password protection and management as important. Surprisingly in 60% of these businesses, IT has no visibility into employee password practices. In SMBs that do have password policies, 65% do not strictly enforce them.

Could the reason be that IT alone does not have the weight or influence to affect password policy enforcement?

A recent report from PwC piles on even further. In its Global Economic Crime Survey 2016, PwC says that all too often non-IT executives are more than willing to pass the buck to IT when it comes to cybersecurity in general, of which password management is a key element.

This is wrong, PwC maintains, adding that responsibility for all aspects of cybersecurity “must be embedded within an organization’s culture.” Non-IT executives must “incorporate cybersecurity into their routine risk assessments and communicate the plan up, down and across organizational lines,” PwC states.

Juliet Maina, an attorney who frequently writes on cybersecurity and the law, suggests that non-IT executives may put their organizations at risk if they cannot show a concerted effort to involve themselves in cybersecurity strategy, including password management. “Cybersecurity is and needs to be acknowledged as an executive level concern,” she notes. “As the leader of a company, one ought to be aware of the defense strategies that are in place, and ensure that holistic approaches are taken towards ensuring security and the protection of investments. This top-down approach is crucial for success.”

With password management being a key element of an overall cybersecurity strategy, what can be done in practical terms to begin to shift the responsibility for such strategies to a broader coalition of C-suite managers? As it turns out, IT can take the lead in this important, company-wide effort.

Educate, don’t scare. Many C-level executives shun cybersecurity involvement and responsibility because they don’t fully comprehend the supreme value of data in their own organizations – and therefore the dangers of a breach or attack. It’s easy to see why matters like data compliance and regulation might not interest them. Your job as the IT leader is to put those matters in proper context. Non-compliance, breaches and attacks have very real and very costly consequences. The PwC report shows that only 37% of organizations have a management-backed cyber incident response plan in place. Now is the time to distinguish your SMB from the majority of companies where senior management is a silent partner in password management and cybersecurity.

Cybersecurity is mostly about people. Ask most C-level SMB executives if their companies are protected and they’ll likely answer, “Sure. We got firewalls and antivirus stuff.” As the IT leader you know the reality is that human error, or deliberate acts by employees, is at the root of most cybersecurity challenges. Getting senior management firmly behind a comprehensive password management strategy is one of the fastest ways of reaching virtually every single employee with a powerful, unified message that cybersecurity is everyone’s responsibility. When senior management endorses and funds such a password management strategy, every worker becomes responsible and accountable for cybersecurity.

Cybersecurity is not a one-off. It is one thing to get senior management involved in a password management and general cybersecurity strategy, and another to keep them involved. That’s why part of the education of the C-suite is the message that security is an ongoing, evolving endeavor that needs regular review meetings. These are best led by IT leaders, who are well suited to put changes to the threat environment in concrete business terms. It is this periodic engagement with senior management that can ensure password management and cybersecurity is never again considered ‘just an IT problem.’

20 Fascinating Facts about Passwords



1) These five user passwords accounted for 3.2 million of the 130 million accounts that were stolen in the Adobe hack of 2013: “123456,” “12345678,” “Password,” “Adobe123” and “12345678.”

2) An analysis of 11 million stolen passwords for cloud services conducted by Skyhigh Networks found that just 20 passwords constitute 10.3% of all passwords in use.

3) The minimum password length experts now recommend to avoid being compromised by brute-force cracking is 13.

4) In 2012, a password-cracking expert unveiled a five-server clustered computing environment powered by 25 graphics cards that could cycle through 350 billion password guesses per second. That means it could try every possible Windows passcode in a typical enterprise in less than six hours. There is no record of anyone building a faster machine since.

5) About 40% of organizations store privileged and administrative passwords in a Word document or spreadsheet.

6) It would take a typical brute-force password cracking program 12 years, four months and 16 days to unscramble the random eight-character password “z7S69s@9.”

7) The same password would have taken a cracker built with 1990 technology 6,495 years.

8) In 2020 it’ll take about 9 years, six months and 18 days.

9) Experts believe a quantum computer will be able to do it in less than five seconds.

10) When people are asked to include a number in a password, the majority simply add a “1” or a “2” at the end.

11) Two-thirds of people use no more than two passwords for all their online accounts.

12) The top 10 most-used password list has barely changed in the last five years.

13) Experts say a great technique for creating a secure password is to use the first letter of each word in a phrase (esagtfcaspitutfloewiap). Mixing in a single random symbol (!*$@) dramatically improves security.

14) Thirty percent of phishing emails get opened.

15) Nine out of 10 phishing emails carried ransomware in March, 2016.

16) Many experts now believe that frequent password changes actually worsen computer security because people tend to choose minor variations of their current passwords so they’ll be easier to remember.

17) This is a list of the 10,000 most frequently used passwords. If any of yours are on it, your account will be compromised in seconds by any of the most common dictionary-based cracking tools.

18) Retail was the most-targeted industry for phishing attacks in the first quarter of 2016 by more than a two-to-one margin over any other industry.

19) An eight-character password using only upper- or lower-case characters has 200 billion potential combinations.

20) An eight-character password using a combination of upper- and lower-case characters has 53 trillion billion potential combinations.

Proposed New York Cybersecurity Rules Merit Our Attention



Regulators in New York State are proposing tough new restrictions on banks that could require them to spend millions of dollars on cyber security protection. We recommend you keep an eye on this proposed legislation in case it becomes a model for other states and industries.

Among the measures in the proposed regulations, which are open for public comment until Nov. 13, are requirements that banks hire a chief information security officer and implement technology to detect cyber intrusions and protect customer data. The proposal contains required minimum standards and allows companies to assess their own risks to some degree. One thing that will get the attention of top executives is that board officers or senior compliance officers will be required to certify the controls are adequate, implying that they may be personally liable if they aren’t.  

The proposed regulation by the New York State Department of Financial Services (DOFS) doesn’t say how the rules would be enforced or what the penalties would be, but it notes that regulated entities “will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.” The annual re-certification rule indicates that regulators are taking this initiative seriously.

Why should you care, particularly if you aren’t a New York-based financial firm? There are several reasons:

  • The DOFS is responsible for more than 1,000 New York-based banks, insurance companies and other financial services companies, including some of the largest financial firms in the world. It also regulates several large foreign banks, including Deutsche Bank and Barclays. Some of these companies are global in scope, and it’s a safe bet that the security policies they adopt at the corporate level will trickle down to subsidiaries in other regions and industries.
  • By making board-level officers directly accountable for security practices, New York regulators are attempting to raise security awareness to the highest levels of the organization. What happens in banking will impact other industries as well, particularly since many directors serve on multiple boards.
  • The DOFS didn’t create this proposal in a vacuum. Regulators took pains to point out that they solicited input from more than 200 regulated banking institutions and insurance companies. It also met with a cross-section of those companies, as well as cyber security experts, to determine the most effective course of action. Three reports resulted, which you can find here.

Not everyone is thrilled with this proposal, and there’s no guarantee it will survive in its current form. But the task of implementing substantive change in the way corporations secure customer data has to begin somewhere, and lower Manhattan is a pretty good start. If these regulations are effective in reducing the incidence of breaches at financial institutions, it’s likely other industries will take note as well.


How Password Crackers Work and How to Stay Protected



Cracking a password may seem like a next to impossible task, but you’d be surprised how easy it can be. There are dozens of password cracking programs on the market, each with their own special recipe, but they all basically do one of two things: create variations from a dictionary of known common passwords or attempt every possible combination using a method called a brute force attack. Let’s look at how each technique works and how to protect against them.

It’s important to understand at the outset that professional password crackers aren’t looking to log in to your PayPal account. That process is slow to begin with, and most services will lock out repeated login attempts anyway. Rather, the pros work against password files that they download from breached servers. These files are usually easy to access from the root level of most server operating systems or are maintained by individual applications. These files may be protected with weak encryption algorithms, which are not much of an impediment to the determined hacker.

Once criminals obtain a password list they can take as many shots as they like to break it. Their goal generally isn’t to crack an individual password, but to run tests against the entire file, knocking down their targets one by one. Modern graphics hardware makes this incredibly fast. For example, some commercial products can test trillions of passwords per second on a standard desktop computer using a high-end graphics processor.

This table of password recovery speeds is truly scary. It shows that a seven-character password composed of upper and lower case letters and digits has 3.5 trillion permutations. While that may sound like a lot, today’s speedy desktop computers can test all of them in an hour or two. An engineering workstation, or several PCs strung together, can finish the task in 10 seconds.

Let’s look at the two most common password-cracking techniques.  

Dictionary Crack

This technique uses lists of known passwords, word list substitution and pattern checking to find commonly used passwords, or those that are discoverable with a bit of personal information. It isn’t difficult to find lists of compromised passwords. Sites like publish them, and much larger lists are available on the dark web at little cost. A criminal can probably unlock 10% to 20% of a password file using just the 10,000 most common passwords. In fact, it has been estimated that about 75% of online adults have used one or more of the 500 most popular passwords.

After decrypting the password file, a dictionary attack uses text strings and variations thereof to test different combinations. For example, many people append numbers to their names or user names, which may be stored in plain text. If a user named Robert has the password “Robert123,” a dictionary attack will figure that out in seconds. The software simply cycles through every possible combination to identify the ones that work.

If a little information is known about people in the database, the job is even easier. For example, people frequently use the names of children, addresses, phone numbers, sports teams and birthdays as passwords, either alone or in combination with other characters. Since most people append characters to the end of the password, it’s easy for dictionary cracks to cycle through all of those likely possibilities. Social media is an attacker’s dream. People freely post personal information in their profiles or tweet repeatedly about the sports teams or celebrities they follow. These are natural paths for a dictionary crack to pursue.
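The patterns described above (a name or other personal term with digits bolted on, a common password with a suffix or leet substitutions, a short trailing digit run) are exactly what a defender should reject at password-set time. The following is an added example, not code from the original post; COMMON_PASSWORDS and SAMPLE_ACCOUNTS are constructed stand-ins for a real top-10,000 list and a directory export, and the reason codes are this example's own naming.

```python
import re

# Constructed miniature of the "10,000 most common passwords" list.
COMMON_PASSWORDS = frozenset({
    "123456", "12345678", "password", "adobe123", "qwerty",
    "letmein", "welcome", "iloveyou", "football", "monkey",
})

# Symbol-for-letter swaps that cracking rule sets undo in a single pass.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _variants(password: str) -> set[str]:
    """
    Forms a dictionary crack would try: lower-cased, with the digits and
    symbols people append or prepend stripped, and with leet swaps undone.
    """
    lower = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    return {lower, core, lower.translate(_LEET), core.translate(_LEET)}


def weak_reasons(password: str, personal_terms=(), min_length: int = 13) -> list[str]:
    """
    Reason codes for why a password would fall to a dictionary crack.
    An empty list means none of the checked patterns applied; it does not
    prove the password is strong. `personal_terms` are names, pets, teams
    and similar words taken from the user's own record.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")
    variants = _variants(password)
    if variants & COMMON_PASSWORDS:
        reasons.append("common_password")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and any(t in v for v in variants):
            reasons.append(f"personal_term:{term}")
    if re.search(r"\d{1,4}$", password):
        reasons.append("digit_suffix")
    return reasons


def audit(records, min_length: int = 13) -> dict[str, list[str]]:
    """Run the check over a directory-style list of (username, password, terms)."""
    return {user: weak_reasons(pw, terms, min_length) for user, pw, terms in records}


# Constructed sample accounts; not real users or credentials.
SAMPLE_ACCOUNTS = [
    ("robert", "Robert123", ["Robert"]),
    ("dana", "P@ssw0rd!", ["Dana"]),
    ("lee", "correct horse battery staple 42x", ["Lee"]),
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'OK' if not reasons else ', '.join(reasons)}")
```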


Brute Force Crack

This is just what it sounds like: a technique to reveal those stubborn passwords that can’t be unlocked by a dictionary. Today’s multi-core processors and graphics processing units have made brute force tactics more practical than they used to be. Machines that can be purchased for less than $1,000 are capable of testing billions of passwords per second. Short passwords are easiest to guess, so attackers typically use brute force tactics to unscramble the five- and six-character passwords that didn’t yield to the dictionary approach, a process that might only take a few hours. For longer passwords, brute force and dictionary techniques may be combined to narrow the realm of possible combinations. Some brute force cracking software also uses rainbow tables, which are lists of known codes that can sometimes be helpful in reverse-engineering encrypted text.

How vulnerable are password files to brute force attacks? In 2013 the tech news site Ars Technica gave an editor who had no experience with password cracking a list of 16,000 encrypted passcodes and challenged him to break as many as possible. Within a few hours, he had deciphered nearly half of them. The same list was then given to some skilled hackers, one of whom cracked 90% of the codes in about 20 hours.


Some Good News and Some Bad News

If some of the statistics cited above are intimidating, rest easy. The biggest problem with password protection is that many people don’t use strong passwords. The laws of mathematics dictate that longer passwords are harder to break than short ones, and passwords that contain random combinations of characters are more secure than those that conform to a known pattern. A 13-digit password that mixes alphanumeric characters and punctuation symbols is considered impractical to break with today’s technology.

Unfortunately, few people can remember a random 13-digit string of characters, much less multiple strings for different logins. Equally unfortunate – from a security perspective – is that computers are getting faster and cracking algorithms are getting better. Five years ago, an eight-digit password was considered strong enough. Five years from now, 18 digits may be too weak.
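The arithmetic behind these claims is easy to reproduce: the keyspace is the alphabet size raised to the length, and the time to exhaust it is that count divided by the guess rate. The block below is an added example, not from the original post; the guess rates are the figures quoted in this post and in fact 4 of the list above, the character-class sizes are printable ASCII, and everything else is computed.

```python
from math import log2

# Character-class sizes for printable ASCII.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALNUM = LOWER + UPPER + DIGITS          # 62
PRINTABLE = ALNUM + SYMBOLS             # 95

# Guess rates quoted in the text (guesses per second), used only as inputs.
RATE_DESKTOP_GPU = 1_000_000_000        # "billions of passwords per second"
RATE_GPU_CLUSTER = 350_000_000_000      # the 2012 25-GPU cluster, 350 billion/s
RATE_HIGH_END = 1_000_000_000_000       # "trillions of passwords per second"

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length: int, alphabet_size: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, rate: float) -> float:
    """Worst case for a brute-force search: every candidate tried once. Expected time is half."""
    return keyspace(length, alphabet_size) / rate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password; each extra bit doubles the work."""
    return length * log2(alphabet_size)


def min_length_for(alphabet_size: int, rate: float, years: float) -> int:
    """Smallest length whose full keyspace outlasts `years` of guessing at `rate`."""
    budget = rate * years * SECONDS_PER_YEAR
    length = 1
    while keyspace(length, alphabet_size) <= budget:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # 7 characters, upper + lower + digits: the post's "3.5 trillion permutations".
    print(f"62^7 = {keyspace(7, ALNUM):,}")
    print("  at 1e9/s   :", human(seconds_to_exhaust(7, ALNUM, RATE_DESKTOP_GPU)))   # under an hour
    print("  at 3.5e11/s:", human(seconds_to_exhaust(7, ALNUM, RATE_GPU_CLUSTER)))   # about 10 s
    # 8 characters from a single case of letters: the "200 billion" of fact 19.
    print(f"26^8 = {keyspace(8, LOWER):,}")
    # The 13-character recommendation against a trillion-guess-per-second rig.
    print("95^13 at 1e12/s:", human(seconds_to_exhaust(13, PRINTABLE, RATE_HIGH_END)))
    print("length for a 100-year margin at 1e12/s:", min_length_for(PRINTABLE, RATE_HIGH_END, 100))
```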

This is where password management software is valuable. Password managers store passwords of any length and can regularly generate new passwords without the user having to bother to remember them. They can also be protected by two-factor authentication, which is considered to be almost unbreakable in any context.

By the way, in case you’re wondering why password-cracking programs aren’t illegal, it’s because there are perfectly valid and legal reasons to use them. Security professionals employ these tools to test the strength of their own software, and password crackers are widely used by law enforcement agencies to fight crime. As with any technology, these tools can be used for evil, as well as for good.

5 Cybersecurity Tips For Small and Medium Sized Businesses



Today, the attention of both IT and business managers in organizations of all sizes is fixed on cybersecurity. The reason is simple: Absolutely no organization is immune to cyber attacks in an ever-growing threat environment.

This is particularly true for SMBs. A recent major study of some 600 SMBs unearthed startling findings that more than half of them had experienced a cyber attack in the last year. The origins of the attacks are many and varied, with Web-based attacks, phishing and general malware topping the list.

Managers at small businesses cannot be blamed for feeling helpless against the threats at a time when huge corporations and even government agencies cannot protect themselves. But the truth is, a few simple, common sense tips can and will go a long way to protecting your small business from attacks that are inevitable.

  1. Deploy a comprehensive password management solution. This has to be high on the to-do list, if not at the top. Why? Because all your employees use passwords. And research shows that, left to their own devices, most employees will do a poor job of proper, effective password management, thus leaving themselves and the business open to attack.

For example, employees routinely use the same password for multiple online accounts. They also use simple, easy-to-remember passwords that are very easy to hack.

Carefully chosen, a password management solution should provide IT and/or the business owner visibility into the password habits and practices of employees.  More importantly, the solution will help enforce correct password hygiene while improving employee productivity.

  2. Training is often the missing link. Cybersecurity awareness training is extremely effective in today’s threat environment. There is no excuse for omitting it in a small business because there are fewer employees to train. Training will educate employees on the most common vulnerabilities and attack points. Education should always carry a message of personal accountability so that everyone realizes they have a role to play in securing data and information assets.
  3. Cybersecurity is more than an IT issue. Security is more than just protecting computers and databases. It is about protecting the business. While one person should be responsible for security decisions, delegating cybersecurity in a small business to IT without company-wide support is often a mistake.

It is the business and financial leaders that know what data needs the most protection. Seen this way, cybersecurity is a risk management issue which IT can help address as part of a coalition of company leaders. Security should be tied to business objectives. All this and more is outside the usual purview of IT by itself.

  4. Data, data, who’s got the data? How can any business know if its data is safe if it doesn’t know where data resides and how it is stored? That is often the case today, where various third party and cloud providers store business data for their clients. Always ask, “Where will my data be hosted? Who has access to it? What monitoring is in place to alert me of a breach or unauthorized use? What safeguards are in place to protect me against potential rogue employees at your site?” Also carefully vet the provider’s data encryption policies and procedures. And be sure all your data is encrypted before it is stored in the cloud or anywhere online.
  5. Hackers take the path of least resistance. Often the path of least resistance for hackers is employee-owned mobile devices. Don’t allow any unencrypted data on mobile phones, whether company-owned or BYOD. Device-based security policies, such as those requiring encryption to be enabled at all times, can prevent illicit network access.

Remember: Solutions for complex security challenges don’t have to be complex.

Building a Strong Cybersecurity Posture with Personnel, Technology, and Education


Written by Guest Blogger, Patty Brogdon


When it comes to cyber threats, it is no longer sufficient to throw technology at the problem, as had been the practice a decade ago. Organizations today are increasingly aware that combining a multi-tiered approach to security is the best bet in keeping their critical assets protected against theft. Here are the top 3 initiatives to keep in mind while building your organization’s cybersecurity posture.


Hiring and retaining personnel skilled in cybersecurity is one of the top drivers for most organizations today.  In fact, C-Level IT executives reported that “security is among the top technology initiatives driving IT investment (29%), nearly equal with cloud computing (30%) and big data/business analytics (27%) according to the 2016 State of the CIO report from

Since the industry is predicting a shortage of IT security personnel, it is imperative that an organization focus their efforts on hiring the best and the brightest – but that may be a daunting feat. According to Computerworld’s 2016 IT Salary Survey there is a severe talent shortage: 23.2% of security pros (12.3% of all IT pros) said that they think the IT talent shortage is the biggest challenge facing the IT industry. Taking steps now to focus on attracting and hiring the best security personnel could go a long way in helping your security efforts down the road. And once you attract that top talent, be sure to pay them a salary commensurate with what the industry is paying.


Technology in the security space is one of the fastest growing sectors, as new technology is constantly being pushed out to address the latest threat. But be careful here – you don’t want a “patch-work quilt” for your cybersecurity posture; i.e., don’t just throw technology at a problem, make sure that you take a holistic approach to the technology you deploy.

For example, upgrading your traditional firewall with a Next Generation Firewall (NGFW) that has IDS/IPS, malware detection, and sandboxing might be a more strategic move than adding additional equipment to do those functions.


Educating your employees on security best practices is vital to the health of your organization’s security posture. Yet, most organizations do not have programs and training in place to educate employees on a consistent basis. This can (and does) have dire consequences.

Phishing attacks, where a hacker disguises themselves in an email designed to look legit, enticing a user to click on a link that contains malware, are numerous. And, they aren’t going away any time soon – simply because they work so well. According to the Ponemon Institute’s 2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB), phishing/social engineering (43 percent of respondents) were the most common type of cyberattack.

Educating employees and users on password best practices is another significant way you can protect your organization from malicious intruders. According to Verizon’s 2016 Data Breach Investigations Report (DBIR), “63% of confirmed data breaches involved exploiting weak, stolen or default passwords.” It is easy to see why – most users are so overwhelmed by the many passwords they must keep track of on a daily basis, they choose something simple that they can remember. And simple means hackable.

While educating users on proper password hygiene is a must, you can supplement this education and training with a password management solution. Password management solutions can help to enforce password policies, improve employee productivity and enhance your business’s overall security posture.

10 Reasons Why Password Management Is Essential for Any Size Business



Password management software is great for consumers, but why is it essential for businesses?  The answer is simple. Knowing that a single breach of a corporate network can have consequences that affect the entire business and everyone who works for it means password management is more important today than it’s ever been.

Password management software stores passwords securely so users don’t have to worry about remembering them. Here are 10 reasons why every business should make this software part of its security toolkit.

  1. People won’t use strong passwords voluntarily.

No one likes to create new passwords, so people tend to go with simple options that are easy to remember. Unfortunately, that also makes them easy to guess. Today’s password-cracking software quickly cycles through common patterns and can even be customized to incorporate known information about the user. Passwords that were considered secure five years ago are easy targets today.

  2. People aren’t good at creating strong passwords.

A password isn’t considered secure unless it is at least 12 characters long and contains a random combination of numbers, symbols, uppercase letters and lowercase letters. Few people have the patience or skill to create unique passwords of that complexity for each account, particularly if they have to memorize them. Password managers have algorithms that automatically generate secure passwords and store them securely so users don’t have to remember.

  3. People use the same passwords repeatedly.

This is an understandable but also a dangerous practice. No one can remember dozens of unique passwords, so people tend to use the same ones again and again. That can be catastrophic in a business environment. It means that a single password compromise can open the gates for intruders to log on to multiple services, stealing information from each one along the way. Using a password management program ensures that users can easily apply different passwords to each service thus limiting the damage should any one of them be compromised.  In addition, password management solutions can monitor password usage and alert management and the employee when good password hygiene is not being practiced.

  4. Lost passwords are a major time sink for help desks.

Experts recommend against storing passwords in unencrypted files or on paper notes, which means that users must commit them to memory. Not surprisingly, people forget. That’s why Gartner has estimated that up to 50% of helpdesk calls are for password resets at some companies, with an average cost-per-reset of about $70, according to Forrester Research. You can imagine how quickly those costs add up.

  5. Password changes are easily recorded.

Many online services ask their customers to regularly change their passwords. This is a sound security practice. Unfortunately, it also creates the need for users to note those new passwords somewhere. Some will invariably fall through the cracks. Password managers help employees manage password changes and updates.

  6. Browser-based password management isn’t secure.

Most browsers today have a built-in basic function that offers to remember passwords. The problem is that browser-based solutions typically don’t have a strong focus on security. Without a password management policy, many users will default to using whatever the browser offers, leaving their credentials effectively out in the open.

  7. Password managers protect against phishing attacks.

Phishing attacks are one of the most effective ways cyber criminals steal login credentials. Phishing emails appear to come from legitimate services but actually direct recipients to bogus login screens set up solely to capture their passwords. Most people are prone to phishing attacks, but password managers aren’t: if the domain name doesn’t match the record within the password manager, it won’t serve up a password.

  8. Password managers can sync to the cloud.

People need to log in to services from a wide range of devices, including desktop computers, phones, tablets and even public computers. There is no reliable, convenient or secure way to carry around those credentials other than by using a password manager. Quality products provide apps for all major mobile platforms as well as desktop and website access.

  9. They support multi-factor authentication.

Two-factor authentication (2FA) requires users to supplement passwords with a second form of identity, such as the answer to a challenge question or a PIN code sent to their phone. Leading password managers provide various two-factor authentication methods, which will add an extra layer of protection for everything stored in your password manager.

  10. You can monitor compliance and spot problems.

The best password policies in the world are of no use if people ignore them. Enterprise password management systems give IT departments visibility into their employees’ password practices so administrators can identify and resolve non-compliant behavior. A single compromised password can lead to disaster. With audit and reporting controls, that need never happen.
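Reason 7 above turns on one decision: a password manager only fills a record when the page it is on is exactly the site the record was saved for. The block below is an added illustration of that check, not Keeper's code or any product's actual matching logic; VAULT and the page URLs are constructed, and naive_match() is included only to show the substring comparison that lookalike domains are built to fool.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault records; the credentials are placeholders, not real data.
VAULT = [
    {"title": "Example Bank", "url": "https://login.example-bank.com/signin",
     "username": "alice", "password": "PLACEHOLDER"},
    {"title": "Example Mail", "url": "https://mail.example-mail.test/",
     "username": "alice@example-mail.test", "password": "PLACEHOLDER"},
]

SiteKey = tuple[str, str, Optional[int]]


def site_key(url: str) -> Optional[SiteKey]:
    """
    Reduce a URL to the (scheme, host, port) triple that decides whether a
    stored record belongs to the page. Returns None for anything that should
    never be filled: a non-HTTPS page, a missing host, or a malformed port.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        port = parts.port          # None when the URL carries no explicit port
    except ValueError:             # e.g. "https://host:abc/"
        return None
    # hostname is already lower-cased; drop a trailing dot so "a.com." equals "a.com"
    return ("https", parts.hostname.rstrip("."), port)


def records_for_page(page_url: str, vault=VAULT) -> list:
    """Records whose stored URL is for exactly the same origin as the page."""
    key = site_key(page_url)
    if key is None:
        return []
    return [rec for rec in vault if site_key(rec["url"]) == key]


def naive_match(page_url: str, vault=VAULT) -> bool:
    """
    The substring comparison a phishing page is designed to satisfy. Kept only
    to contrast with records_for_page(); never use it to decide autofill.
    """
    return any(urlsplit(rec["url"]).hostname in page_url for rec in vault)


if __name__ == "__main__":
    # Constructed page URLs: the genuine login page and three lookalikes.
    pages = [
        "https://login.example-bank.com/signin?next=/accounts",
        "https://login.example-bank.com.evil-host.test/signin",   # registered-domain suffix
        "https://login.example-bank.com@evil-host.test/signin",   # userinfo before the real host
        "http://login.example-bank.com/signin",                   # downgraded scheme
    ]
    for page in pages:
        titles = [r["title"] for r in records_for_page(page)]
        print(f"{page}\n  exact origin: {titles or 'no fill'}   naive: {naive_match(page)}")
```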

Consider how many of these scenarios apply to your business.

4 Best Practices to Strengthen Security Through Employee Awareness and Education


Security managers clearly understand the consequences of poor information security practices, but they often find it difficult to change employee behavior.  Employees typically see security as a nuisance and as a result take the path of least resistance.

Making security a top of mind issue for employees involves a combination of education and behavior modeling. Here are some approaches you can use to raise awareness.

  1. The media reports on major breaches almost daily. Make sure your employees see these reports and understand the consequences of poor security practices. Publish a regular email newsletter listing the most recent incidents and include advice on good security practices.
  2. Communicate the importance of security in as many vehicles and as many times as possible. Send a quarterly reminder under the name of your CEO or CIO. Post best practices and lists of the worst passwords in common areas like coffee stations and near restrooms.
  3. Top executives set the standards for their organizations, so make sure they are on board with your security awareness initiatives. Annual reports and meetings on the health of the business should include updates on the company’s security progress. Ask top executives to kick off your security seminars.
  4. You should consider rewarding employees who attend security training, change passwords when requested, and share news and advice on your intranet. Financial rewards are not necessary; a simple certificate or newsletter recognition is enough.

Security Update for Keeper Browser Extension

by Craig Lurey, CTO at Keeper Security, Inc. – August 26, 2016

Keeper holds the security of our customers and their data as our highest priority. To mitigate the possibility of an online clickjacking attack during a browser session, we have updated our Keeper Browser extension. We have made two security enhancements based on the analysis provided by Tavis Ormandy, a highly-respected security analyst at Google.

Yesterday, we received a report regarding this potential security risk. It related to a security threat that could potentially be exploited by a clickjacking attack using an on-page feature of the browser extension. In this scenario, a malicious website with intent to attack the extension could entice a user to click on the Keeper lock icon and take advantage of our “Search” feature, with the goal of extracting a credential from the vault.

We immediately addressed and resolved this potential vulnerability by removing the “Search” and “Add to Existing Record” features from the on-page browser extension user interface as seen below:

Figure: Removing the Search feature

Figure: Removing the “Add to Existing Record” feature

This change has been published on the Chrome, Firefox, Safari and IE extension and will automatically update for all users.

If you have any questions about this extension update, please contact

8 Most Common Password Mistakes to Avoid

A friend recently told me a scary story about why he changed the password on his account with one of the leading online securities trading firms. He was perusing his six-figure portfolio when it occurred to him that he hadn’t changed his password in a while. Quite a while, it turned out; about nine years.

He was further dismayed to realize that the password he had been using all that time – the name of a beloved pet followed by a single number – could probably be guessed by anyone who followed him on social media. For a sophisticated password cracking program, guessing it would be a layup.

Surprisingly, many online services don’t regularly challenge customers to change their passwords, despite the fact that password-cracking technology has advanced by leaps and bounds. Bad guys now follow their victims on social networks to mine keywords that they feed into malicious programs that use machine intelligence to test variations until the door is unlocked. A small fortune may be protected by the cyber security equivalent of tin foil.

No one likes passwords, but they are more important than ever these days. And the ones that worked for you five years ago are probably useless today. If your money, health records or any other personally identifiable information (PII) is at stake, you owe it to yourself to use a secure, random code that a machine can’t guess. As you go about resetting your passwords, avoid these eight common mistakes.

  1. Using the same password everywhere

The easiest way to remember a password is to use only one, but that’s also the fastest route to disaster. Once a successful phishing attack captures that password – and studies have found that as many as 97% of people can’t detect a phishing email – the attacker essentially has the keys to the kingdom. While it’s probably okay to use the same password for sites that don’t store any PII, you should use different and secure passwords in any situation where your identity or financial information could be compromised.

  2. Varying passwords with a single character

This is a trap many people fall into when asked to change their passwords; they comply by changing a “12” to a “13.” Password-guessing programs are wise to this trick and can sniff it out in seconds.

A variation of this dangerous practice is to include a non-alphanumeric character by tacking “!” onto the end of your existing password. That’s the oldest dodge in the book, and password crackers are wise to it. Non-alphanumeric characters should be used within the password, not at either end.

  3. Using personal information in passwords

Avoid using names of relatives, celebrities, sports teams, pets, or any other common terms in your passwords. Cracking software automatically looks for the most common combinations like Yoda123. Don’t think that you can protect yourself by invoking personal information like the name of a loved one or your high school mascot. Social networks make it straightforward for crooks to harvest that information.

You also shouldn’t assume that adding a string of characters to a common name is protection enough. Password crackers know this trick and cycle through combinations of common names and numbers until they hit the right one. The only safe password is one with random – or seemingly random – sets of characters.

  4. Sharing passwords with others

You might have the strongest password in the world, but if you share it with someone who stores it in an email account protected by “qwerty,” it won’t make a bit of difference. Your passwords are for your eyes only.

  5. Using passwords that are too short

A decade ago, a five- or six-character password was enough to beat most cracking programs, but computers are so much faster now that a six-character password can be guessed by a brute-force attack. Think 12 characters at a minimum.

  6. Storing passwords in plain text

One easy way to remember passwords is to store them in a spreadsheet or mail them to yourself. Bad idea. Have you heard of ransomware? It’s the fastest-growing category of malware. Criminals hold your data hostage until you pay them a ransom. In the meantime, they scour your hard drive looking for anything that resembles a password list. Once they find it, the ransom payment is the least of your problems.

  7. Using recognizable keystroke patterns

“1qaz2wsx” may seem like a pretty tough password to guess until you look at your keyboard and notice the pattern. A random series of letters and numbers must be truly random to have a chance.

  8. Substituting numbers for letters

This used to be an effective technique, but “Spr1ngst33n” doesn’t survive a determined attack any more. The software is on to that trick.

Your best bet is to use a password manager protected by strong encryption. The best ones generate secure passwords for you and give you total protection with two-factor authentication.
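The checks a password policy could run for the mistakes listed above, as an added example that is not code from the original post or from Keeper; the personal-term list, leet table and keyboard layout are constructed assumptions, and mistakes 4 and 6 are habits rather than string properties, so they are not checked.

```python
import re

# Constructed sample data: stand-ins for the names an attacker could harvest
# from a victim's social media (pets, teams, celebrities, mascots).
PERSONAL_TERMS = {"fido", "yoda", "springsteen", "tigers"}

# Digit/symbol-for-letter swaps that cracking software undoes automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# US keyboard rows and columns (assumed layout), for walks such as "1qaz2wsx".
_KEYS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
         "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol"]
KEY_SEQUENCES = _KEYS + [k[::-1] for k in _KEYS]


def has_keyboard_walk(pw, run=4):
    """True if any `run` adjacent characters trace a keyboard row or column."""
    s = pw.lower()
    return any(s[i:i + run] in seq
               for i in range(len(s) - run + 1) for seq in KEY_SEQUENCES)


def _stem(pw):
    """Drop trailing digits/symbols: 'Fido12' and 'Fido13!' share stem 'fido'."""
    return re.sub(r"[^A-Za-z]+$", "", pw).lower()


def check_password(pw, previous=None, others=(), personal=PERSONAL_TERMS):
    """Return the sorted list of mistake numbers (from the post) that pw exhibits."""
    problems = set()
    if pw in others:                          # 1: reused across services
        problems.add(1)
    if previous and pw != previous and _stem(pw) == _stem(previous):
        problems.add(2)                       # 2: only the tail changed ("12"->"13", "!")
    raw, undone = pw.lower(), pw.lower().translate(LEET)
    if any(t in raw for t in personal):
        problems.add(3)                       # 3: personal/common term, with any padding
    elif any(t in undone for t in personal):
        problems.add(8)                       # 8: term only hidden by leet swaps
    if len(pw) < 12:
        problems.add(5)                       # 5: shorter than the post's 12-char floor
    if has_keyboard_walk(pw):
        problems.add(7)                       # 7: keyboard pattern
    return sorted(problems)
```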