Maybe you used to keep a spare house key under the welcome mat (or a nearby rock) in case you got locked out. Few of us do that anymore. We’ve grown too concerned about home security. But many of us still leave a spare key lying around when it comes to our banking and investment-account security. That “spare key” is in the form of easily guessable passwords for online accounts.
A hacker who gains a bit of your identifying information — via a phishing scam, malware or a data breach — may be able to parlay those details into access to your financial accounts. Predictable passwords make a hacker’s task much easier.
What’s a “predictable” password? A 2016 study by the security company SplashData, based on more than five million leaked emails, found that 4 percent of users had this password: “123456.” Many others simply used “password” or “login” or “abc123.”
Predictable indeed. But security experts warn that any normal word found in a dictionary is insecure, because “brute force” hackers employ programs that cycle through every dictionary word to see if one unlocks an account.
Improving your cyber-protection isn’t complicated, but it does require effort. Here are a few “best practices,” some of which can be used in combination.
- Stop using the same password for multiple accounts.
Employing a single password for different accounts is like handing a hacker a master key that unlocks much of your online world. Even if you take no other step to protect yourself, take this one: “change the locks” by creating a unique password for each account.
- Start using a password manager.
Using a different password for each online account will take your security up a notch, but it may drive you crazy. Recalling a plethora of passwords is difficult, if not impossible. Enter password managers. A manager is a software application or online service that keeps track — in encrypted form — of the various usernames and passwords you use. All you have to remember is one master password that will prompt the manager to fill in the correct username and password — and any other necessary information, such as an account number — for any account you’re trying to access.
Depending on how the manager is configured (and whether or not you want to easily sync multiple devices), your encrypted “password vault” may reside locally on your computer (or smartphone) or on the remote servers of the password manager company. The arrangement you choose comes down to personal preference. Some users don’t want their information “in the cloud” even if it’s encrypted and undecipherable. Others find the simplicity of cloud-based syncing to be a reasonable trade-off for any heightened security concerns about their data being stored remotely.
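To make the “encrypted vault unlocked by one master password” idea concrete, here is an added, self-contained example (written for this article; it is not the code of any password manager named below, which use their own formats and ciphers). It assumes a vault is a JSON object of site entries, derives an encryption key and a separate integrity key from the master passphrase with PBKDF2 (the iteration count is an assumption), encrypts with an HMAC-SHA256 keystream in counter mode, and appends an HMAC tag so that a wrong master passphrase or a tampered file is detected before anything is decrypted. The sample entries are constructed.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 600_000  # assumption: a modern PBKDF2-SHA256 work factor
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(master: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master passphrase into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher (nonce must never repeat per key)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master: str, entries: dict) -> bytes:
    """Encrypt-then-MAC: salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def verify_master(master: str, blob: bytes) -> bool:
    """True only if the master passphrase is right AND the blob is unmodified."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    _, mac_key = derive_keys(master, body[:SALT_LEN])
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def open_vault(master: str, blob: bytes) -> dict:
    """Check the tag first; decrypt only if it verifies."""
    if not verify_master(master, blob):
        raise ValueError("wrong master passphrase, or vault file tampered with")
    body = blob[:-TAG_LEN]
    salt, nonce, ciphertext = body[:SALT_LEN], body[SALT_LEN:NONCE_LEN + SALT_LEN], body[SALT_LEN + NONCE_LEN:]
    enc_key, _ = derive_keys(master, salt)
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample vault contents.
    sample = {"bank.example": {"user": "alice", "password": "kX9#pq!2Lm"},
              "broker.example": {"user": "alice", "password": "Zr4$wn7Bv@"}}
    blob = seal_vault("correct horse battery staple", sample)
    print(len(blob), "bytes on disk;", "opens:", open_vault("correct horse battery staple", blob) == sample)
```

The design point is that a stolen vault file yields nothing without the master passphrase: the attacker must grind through PBKDF2 for every guess, which is why the master passphrase should be long, and the tag means a tampered file is refused rather than silently decrypted into garbage.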
For information about the most popular password managers, see the table below. They all work on the major operating systems and have plug-ins that integrate into the leading browsers.
Most Popular Password Managers

| MANAGER | FREE VERSION | PAID VERSION | STORAGE OPTIONS | USABILITY |
| --- | --- | --- | --- | --- |
| Dashlane | Yes, for a single device | $40/year, adds multi-device syncing | Local or cloud storage | Excellent design and intuitiveness |
| LastPass | Yes, includes multi-device syncing | $12/year, adds authentication options | Cloud storage only | Clean, easy-to-use interface |
| 1Password | No, free trial only | $36/year for individual, $60 for family | Local or cloud storage* | Excellent design and intuitiveness |
| RoboForm | Yes | $20 for 18 months | Local or cloud storage | Easy to use, not as polished as Dashlane or 1Password |
| KeePass** | Yes | No | Local storage only | Requires fair amount of tech know-how to set up |

*1Password offers both cloud-based and non-cloud-based syncing methods.

**KeePass is an open source password manager. Some features are available only via third-party plug-ins.
- Create better passwords.
Password creation always involves finding a middle ground between security and memorability. The more random (and longer) a password is, the more secure it will be. But will you remember it?
Most password managers can generate secure, unique passwords. However, if you’d rather generate your own by building on words you choose, you can use an online tool created by researchers at Carnegie Mellon University. The “Password Meter” not only gauges how strong or weak a particular password is, it suggests specific ways to make a password more secure by means of relatively minor changes, such as inserting a random character in a random position, toggling a character from lower to upper case, adding punctuation, or moving any digits from the end of the password to somewhere in the middle.
Example: If you use NiagaraFalls93 (because you honeymooned there in 1993) the Password Meter might suggest changing it to Ni93!agaraCFalls.
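The following is an added example, not the Carnegie Mellon Password Meter or any code from this article’s sources; it shows, in working Python, the two checks the text describes: whether a password is on a common-password list (the handful of entries above stand in for a real leaked list) and whether it contains dictionary words a brute-force tool would try as single units, plus an entropy estimate. The word list, the common-password list, the 17-bit cost assumed for guessing one dictionary word, and the verdict thresholds are all constructed assumptions for illustration.

```python
import math
import re

# Constructed stand-in for a leaked-password list (the real ones hold millions of entries).
COMMON_PASSWORDS = {"123456", "password", "login", "abc123", "qwerty", "letmein"}

# Constructed mini-dictionary standing in for the full word list a cracking tool cycles through.
DICTIONARY = {"niagara", "falls", "shepherd", "welcome", "summer", "dragon", "honeymoon"}

# Assumption: guessing one word from a ~100k-word dictionary costs about 17 bits, not
# the per-character cost a naive length-based estimate would assign.
DICTIONARY_WORD_BITS = 17.0

CHARACTER_CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation
]


def alphabet_size(password: str) -> int:
    """Size of the combined character classes the password actually uses."""
    return sum(size for pattern, size in CHARACTER_CLASSES if pattern.search(password))


def estimated_entropy_bits(password: str) -> float:
    """Naive upper bound: length * log2(alphabet). Ignores structure such as words."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def dictionary_words_in(password: str) -> list[str]:
    """Dictionary words that survive intact (case-insensitively) inside the password."""
    lowered = password.lower()
    return sorted(word for word in DICTIONARY if word in lowered)


def evaluate(password: str) -> dict:
    """Return a verdict plus the numbers behind it."""
    if password in COMMON_PASSWORDS:
        return {"verdict": "predictable", "reason": "on common-password list",
                "dictionary_words": [], "effective_bits": 0.0}
    words = dictionary_words_in(password)
    per_char = math.log2(alphabet_size(password)) if alphabet_size(password) else 0.0
    bits = estimated_entropy_bits(password)
    # Each intact word is guessed as one unit: replace its per-character cost with the word cost.
    for word in words:
        bits -= max(len(word) * per_char - DICTIONARY_WORD_BITS, 0.0)
    verdict = "weak" if bits < 40 else "fair" if bits < 70 else "strong"  # assumed thresholds
    return {"verdict": verdict, "reason": f"{len(words)} dictionary word(s) found",
            "dictionary_words": words, "effective_bits": round(bits, 1)}


if __name__ == "__main__":
    # The article's own before/after pair, plus two of the predictable ones it lists.
    for candidate in ("123456", "password", "NiagaraFalls93", "Ni93!agaraCFalls"):
        print(f"{candidate:18} {evaluate(candidate)}")
```

Running it shows why the meter’s minor edits help: inserting “93!” inside the word breaks “niagara” into pieces a dictionary attack no longer matches, adds a fourth character class, and lengthens the password, so the effective estimate roughly doubles even though “falls” is still intact.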
- Stop using passwords altogether and switch to passphrases.
Passphrases are sequences of words that use natural language and (if allowed) spaces, such as “God owns it all; I am a steward.” A good phrase has the virtue of being memorable, while at the same time containing enough characters to frustrate hackers.
You could choose a quote from a favorite book, a rhyming couplet, or a phrase that has particular meaning within your family. But, as with passwords, don’t use the same passphrase for multiple accounts, and avoid anything too well-known or guessable — such as “The Lord is my shepherd.”
Worth noting: Although some websites don’t allow passwords or passphrases longer than a certain number of characters, most password managers do allow longer phrases. So if you use a password manager, you could create a highly secure master passphrase that will unlock the shorter passwords required by certain sites.
- Employ two-factor authentication (2FA).
This approach (sometimes called two-step or multi-step verification) adds an extra layer of security by requiring a user to submit a second “factor” — beyond username and password — to prove identity. Typically, the second factor is a unique numeric code sent to a phone via text message. Authentication also may be biometric, requiring a fingerprint or facial recognition. Enabling 2FA on your accounts will make it more difficult for anyone other than you to gain access.
- Keep a backup of all your login information.
It’s wise to have your passwords and passphrases documented somewhere. Security experts offer two bits of advice: 1) Don’t write them down in a notebook that you keep next to your computer(!), and 2) Don’t store your password information in a non-encrypted document on a cloud server such as Google Drive or Dropbox. If your cloud server were to suffer a data breach, or if you accidentally revealed your cloud login data in response to a phishing scam, all your passwords could be exposed.
The easiest way to create a secure backup is to store your login information on an encrypted USB flash drive. Most computer operating systems can encrypt data that is being copied to a flash drive. This is known as software-based encryption.
For stronger security, you can use hardware-based encryption. This involves using a flash drive that has a dedicated processor located on the drive itself. The on-board processor contains a random number generator that creates an encryption key. Prices for such drives range from about $15 up to about $100 depending on capacity.
Just do it
As noted earlier, ramping up the protection of your online accounts isn’t complicated, but you must take the initiative. We suggest setting aside a particular time (perhaps a Saturday morning — call it “Security Saturday”) to get this done before the month is out. To borrow a phrase that is too clichéd to use as a secure passphrase, “Better to be safe than sorry.”