Trying to reach WHNT News 19? Our phones are down right now, but you can contact us by email here

Tips for stronger passwords and how to protect your online information

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

HUNTSVILLE, Ala. (WHNT) – This week we learned a Russian crime ring stole 1.2 billion username and password combinations. The hack is the largest of its kind and is raising new awareness of the vulnerabilites of the web.

Experts tell CBS News and the Associated Press there are a number of things consumers can do.

The first priority? “Change all passwords immediately,” advises Adam Levin, chairman of identity theft protection and remediation firm IDT911.

Here are some tips, courtesy of and the AP, for crafting the best possible passwords going forward:

  • Make your password long. The recommended minimum is eight characters, but 14 is better and 25 is even better than that. Some services have character limits on passwords, though.
  • Use combinations of letters and numbers, upper and lower case and symbols such as the exclamation mark, if the site allows. “PaSsWoRd!43” is far better than “password43” — although increasingly sophisticated hackers may still be able to crack it.
  • Substitute characters. For instance, use the number zero instead of the letter O, or replace the S with a dollar sign.
  • Avoid words that are in dictionaries; there are programs that can crack passwords by going through databases of known words. One trick is to add numbers in the middle of a word — as in “pas123swor456d” instead of “password123456.” Another is to think of a sentence or phrase and use just the first letter of each word — as in “tqbfjotld” for “the quick brown fox jumps over the lazy dog.”
  • Avoid easy-to-guess words, even if they aren’t in the dictionary. Don’t use your name, company name, hometown, or pets’ or relatives’ names. Likewise, avoid things that can be looked up, such as your birthday or ZIP code.
  • Never reuse passwords on multiple accounts — with two exceptions. If the password is for one-time use, such as when a newspaper website requires you to register to read the full story, it’s okay to reuse simple passwords. Just make sure the password isn’t unlocking features that involve credit cards or posting on a message board. The other exception is to log in using a centralized sign-on service such as Facebook Connect. Hulu, for instance, gives you the option of using your Facebook username and password instead of creating a separate one for the video site. This technically isn’t reusing your password, but a matter of Hulu borrowing the log-in system Facebook already has in place. The account information isn’t stored with Hulu. Facebook merely tells Hulu’s computers that it’s you. Of course, if you do this, it’s even more important to keep your Facebook password secure.
  • Use two-step verification. Some services such as Gmail offer this option, in which the service sends a text message with a six-digit code to your phone when you try to log in from an unrecognized device. You’ll need to enter the code for access before it expires. Hackers won’t be able to access the account if they don’t have your phone. Turn on this feature in Gmail by going to the account’s security settings.


  • Michaelangelo

    There isn’t really much point in rushing to change your password just yet. The vast majority of the companies affected likely do not know that they have been compromised, and changing your password means that it could potentially just be compromised again.

    A wiser course of action is to wait for the company to let you know to change your password so that you can be assured that the vulnerability that allowed the thefts in the first place (likely SQL injections) has been resolved.

  • Michael

    And would you people please stop using your pin number, phone number, or date of birth as a password! At least make the hackers have to work for it.

Comments are closed.