Facebook. Marriott. Under Armour. Last year, cybersecurity breaches seemed to be constantly in the news.

And 2019 is potentially shaping up to be worse, predicts an article in TechCrunch.

Realistically, though, you’re not going to quit banking and shopping online. Chances are you’re pretty fond of social media, too.

So focus on one of the most critical things that leave you vulnerable to hackers—your passwords. 

The problem with passwords

Most people draw their passwords from the same 25 easy-to-crack words.

In our defense, the average person has somewhere between 27 and 90 different online accounts to manage. Coming up with something unique yet memorable for each one is a major hassle.

Hackers are clever, of course. They can often find out the significant dates (birthdays, anniversaries) or names (kids, pets, maiden) in your life via social media or by seeing your password-reset questions on other sites they hack. 

As for single words (“typist,” “moonshine”), basic hacking software can guess an eight-character password made up of upper- and lowercase letters in about 11 seconds, according to a report from the University of Wisconsin’s Department of Information Technology.

And re-using any form of a password—even one that’s hard to guess—is dangerous, too.

Hackers who get into one institution’s system can reuse the password they find there to access your accounts at others “even if you changed it up slightly, say by adding an exclamation point,” says Caleb Barnum, principal fraud consultant at the electronic-payment company ACI Worldwide.

Randomize your passwords

The best passwords have no connection to anything in your life and no detectable pattern, and they include a mix of upper- and lowercase letters, numbers, and special characters (such as #, @, and <).

The easiest way to come up with those doozies is to use a random password generator, such as the free one at passwordsgenerator.net. Assuming you don’t reuse the same password for any other account, the password will be practically uncrackable.

An easier-to-remember, but still tough-to-crack, method is to think of sentences you know well—such as the chorus of a favorite song—and create a password from the first letter of each word. For example, “WIGOLMHmyfnWYSBSMAVbgbow” is constructed from the first two lines of the Beatles’ “When I’m Sixty Four.”

With 24 upper- and lowercase letters, that would take hacking software more than 18 million years to crack, according to the University of Wisconsin data.
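
As an added illustration (not from the article or the University of Wisconsin report), the Python below builds a password with the sentence-initial method just described and estimates how long exhausting the whole keyspace would take. The guess rate of 10 billion per second is an assumption chosen for the example, so the absolute times differ from the figures quoted above; what the code makes visible is how steeply the time grows with length and with the character classes used.

```python
import math
import string

# Character classes a password can draw from. The alphabet an attacker must
# search is the union of the classes that actually appear in the password.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def initials_password(sentence: str) -> str:
    """Sentence-initial method: first letter of each word, keeping each
    word's own capitalisation. Surrounding punctuation is ignored."""
    words = [w.strip(string.punctuation) for w in sentence.split()]
    return "".join(w[0] for w in words if w)


def keyspace_per_position(password: str) -> int:
    """Alphabet size per position, given the classes present in the password."""
    present = [name for name, chars in CLASSES.items() if set(password) & chars]
    if not present:
        raise ValueError("password contains no printable ASCII characters")
    return sum(len(CLASSES[name]) for name in present)


def entropy_bits(password: str) -> float:
    """Bits for a uniformly random password of this length over this alphabet.
    This is an upper bound: initials of a real sentence are less random."""
    return len(password) * math.log2(keyspace_per_position(password))


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Years to try every combination at an assumed offline guess rate
    (constructed figure for the example, not a measured attacker speed)."""
    combos = keyspace_per_position(password) ** len(password)
    return combos / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample sentence, not song lyrics.
    pw = initials_password("The quick brown Fox jumps over the Lazy dog, twice!")
    for candidate in ("aBcDeFgH", pw, "aBcDeFgH" * 3):
        print(f"{candidate:26} {entropy_bits(candidate):6.1f} bits "
              f"{brute_force_years(candidate):.3g} years")
```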

Store your passwords in a vault

Browsers are relatively easy to hack, so allowing your browser to memorize the passwords for you is a mistake, says Lujo Bauer, professor of Electrical and Computer Engineering at the CyLab Security and Privacy Institute at Carnegie Mellon University.

Instead, consider using a password vault, or manager, such as KeePass, LastPass or Dashlane, to save passwords on your computer (free for basic versions, or $25 to $60 for upgraded features).

The main difference among the programs is that KeePass lives on your hard drive and requires you to copy and paste passwords into each website.

LastPass and Dashlane store passwords in the cloud, which allows them to automatically log you into sites you visit from any of your devices. But it also potentially makes them vulnerable to a large-scale hack.

However, the cloud-based managers include their own random password generators, and they can even log into your accounts to change the passwords for you. Periodically changing passwords is another important security step you’re almost surely not taking.

And while there’s no guarantee that a cloud-based system couldn’t be hacked, most of us face a far greater risk from not using a password manager, says Barnum, because we’re so likely to fall back on easy-to-guess logins.

Use multi-factor authentication

Whatever system you choose, you can lower your risk by enabling “multi-factor authentication” on any sites that offer it (including your password manager itself), says Linda Sherry, a director at Consumer Action, a national nonprofit advocacy group based in San Francisco.

That means after you enter your password, you’ll get a code texted to your phone that you need to enter to complete the login. 

Another easy way to add security, Sherry says, is to treat your login ID like a second password. Rather than, for example, using your first name or initial and last name as the login ID for every site, make it a different randomly generated bunch of characters. 

Now you’ve added a second complex password to every account—and made your accounts as secure as you possibly can.