Last updated January 31, 2025
Because even the best password can be compromised (or stolen during a data breach), sign up for multi-factor authentication (MFA). Also, take advantage of passkeys, when offered. Here’s some advice on best practices.
Get Smart About Passwords
Most people use the same password for multiple accounts. Bad idea. If criminals steal your password from one company, they can use it to hack into your other accounts.
“It’s like having the same key to start your car, unlock your house, open your safe deposit box, and lock your desk at work,” said cyber security expert Adam Levin, author of the book Swiped.
At the very least create unique passwords for your most sensitive accounts, such as bank, credit card, investment, government benefits, and social media. They should be long (at least 10 to 12 characters—longer is better) and strong (include random numbers, uppercase and lowercase letters, and special symbols). Avoid common phrases such as LetMeIn, ILoveYou, or LukeIAmYourFather. Don’t use song lyrics, or names of pets or sports teams.
A better option is to use a password manager, which will automatically generate strong passwords and store them in an encrypted digital vault that can be accessed only with the master password you create.
Consumer Reports regularly evaluates password management apps. It currently recommends 1Password Families ($60/year), Dashlane Premium ($60/year), Keeper Unlimited ($17.50/year), and Keeper Free.
Your phone, tablet, and computer probably already have password managers. Most internet browsers also employ them, with options to sync passwords across multiple devices. While these features are convenient, they’re not as robust as a dedicated password management program. Even so, “any tool that encourages you to use unique passwords, and hopefully complex ones, is a win,” said Chester Wisniewski, director and global field CTO at IT security company Sophos. “If you decide to use the password storage feature on Firefox, be sure to set a ‘master password’ to ensure the passwords will be stored safely.”
Use Multi-Factor Authentication
Even the best password can be compromised (or stolen during a data breach). Multi-factor authentication (MFA) is an extra layer of protection that makes a stolen password useless on its own. With MFA, logging into an account requires both your password and at least one other identifying factor (a fingerprint, facial recognition, or a code delivered by text, email, phone call, or an authentication app). It’s not foolproof, but MFA can stop most criminals from using stolen passwords: it can thwart 99.2 percent of all password hack attacks, according to the latest data from Microsoft.
(If you receive an authentication code when you’re not trying to log into an account, it could mean a thief is trying to break into it. Better investigate.)
Make the Switch to Passkeys
A passkey is a new security tool that provides the most secure way to log onto websites and apps. It replaces the password with a pair of cryptographic keys (a “cryptographic key pair”).
With passkeys there’s no string of letters, numbers, and symbols to remember, nothing to lose or inadvertently share, nothing for the bad guys to steal, and no way to impersonate your authentication. Instead, when using a passkey to access a website or app, sign-in verification takes place on your device after you approve it using a PIN, fingerprint, or facial recognition (the same way you’d unlock the device).
Apple, Google, Meta, and Microsoft already support this technology, which can be synced across platforms and devices.
“Passkeys defeat all of the common attacks that we see today, including phishing and advanced phishing and social engineering,” said Alex Weinert, Microsoft’s vice president for identity security. “Password guessing, password replay, all of those attacks come off the table as people transition to using passkeys.”
Especially Guard Investment and Retirement Accounts
By law, you are largely protected from fraudulent activity on credit card, checking, and savings accounts. If a crook obtains your credit card number and goes on a shopping spree, or steals money from your checking account, you usually won’t be responsible for those losses.
But investment and retirement accounts don’t automatically get regulatory protection from fraud losses, leaving your life savings exposed and vulnerable. And, unfortunately, if theft occurs many investment companies have absurd requirements their customers must meet to qualify for reimbursement.
A few years ago, Consumers’ Checkbook reviewed the websites of nine major investment firms and found two lacked specifics about any policies that might protect their customers from theft. Meanwhile, companies that explicitly offer such coverage often have dozens of requirements to qualify for reimbursement if there’s a problem. You might, for example, have to log in to your account at least once per month, enable MFA, and report theft within a few days. And many investment companies won’t reimburse victims who unwittingly provided their log-in information during phishing attacks or over the phone to con artists.
Enable MFA for these accounts and use your password manager to create and use strong, unique passwords for them. Check account activity regularly, and immediately report possible theft or fraud. And check your mail and email often for alerts about potentially suspicious activity.
Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He has been protecting consumers for more than 40 years, having covered the consumer beat for CBS News, The Today Show, and NBCNews.com. You can also find him on Facebook, Twitter, and at ConsumerMan.com.