
How to Create a Secure Password

Four easy tips to protect your digital accounts from the next breach.
By Wendi Jonassen, Molly Wood and Vanessa Perez. Publish date: November 5, 2014. Photo by Mel Evans/Associated Press.

The Internal Revenue Service has been added to a long list of companies and government agencies that hackers have breached in the last year.
And so, if there is any advice security experts have for those trying to keep their personal information safe, it is simply: You can’t.
“Your information has already been out there for years, available to anyone who wants to pay a couple dollars,” Brian Krebs, a security blogger who has been a frequent target of hackers, said Wednesday.
The attack on the I.R.S. is just the latest evidence that hackers already have all the information necessary to steal your identity. The agency said Tuesday that hackers used information stolen from previous breaches — including Social Security numbers, birth dates, street addresses and passwords — to complete a multistep authentication process and request tax returns and other filings.


But consumers can make things harder for criminals. There may be a trade-off in convenience, but experts say the alternative is a lot worse.

1. Turn on multifactor authentication.

If a service offers added security features like multifactor authentication, turn them on. When you enter your password, you will receive a message, usually via text, with a one-time code that you must enter before you can log in.
Most banking sites and popular sites like Google, Apple, Twitter and Facebook offer two-factor authentication, and will ask for a second one-time code anytime you log in from a new computer.

2. Change your passwords again.

Yes, you need to change passwords again and they have to be passwords you have never used before. They need to be long and not words you would find in a dictionary. The first thing hackers do when trying to break into a site is use computer programs that can test every word in the dictionary.
Password managers like LastPass or Password Safe create long, unique passwords for the websites you visit and store them in a database that is protected by a master password you have memorized.
It may sound counterintuitive, but the truly paranoid write down their passwords.
Security experts advise creating anagrams based on song lyrics, movie quotations or sayings, and using symbols or numbers and alternating lower and upper cases to make the password more difficult. For instance, the “Casablanca” movie quotation “Of all the gin joints, in all the towns, in all the world, she walks into mine” becomes OaTgJ,iAtT,iAtW,sWiM.
Use stronger, longer passwords for sites that contain the most critical information, like bank or email accounts.
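
The advice in this section, expressed as a short Python sketch (an added example, not part of the original article): it derives the “Casablanca” password from the quotation, generates a random password of the kind a password manager would store, and checks a candidate against the three rules above. The word list, the password history, the 12-character minimum and all function names are assumptions made for illustration.

```python
import secrets
import string

# Constructed sample data (assumptions of this example): a tiny stand-in for
# a real dictionary word list, and the user's history of earlier passwords.
DICTIONARY = {"password", "dragon", "sunshine", "casablanca", "monkey"}
PREVIOUSLY_USED = {"OldPassphrase-2013"}
MIN_LENGTH = 12  # assumed threshold; the article only says "long"

QUOTE = ("Of all the gin joints, in all the towns, "
         "in all the world, she walks into mine")

def mnemonic_password(quote):
    """First letter of every word, case alternating across the whole quote,
    with punctuation that ends a word kept in place."""
    out, upper = [], True
    for word in quote.split():
        letters = [c for c in word if c.isalnum()]
        if not letters:
            continue
        out.append(letters[0].upper() if upper else letters[0].lower())
        upper = not upper
        if not word[-1].isalnum():
            out.append(word[-1])
    return "".join(out)

def generate_password(length=20):
    """Long random password drawn from the operating system's CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def check_password(candidate):
    """Return the list of rules from this section that the candidate breaks."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    # Strip digits and symbols so "Dragon123!" is still caught as "dragon".
    core = "".join(c for c in candidate.lower() if c.isalpha())
    if core in DICTIONARY:
        problems.append("dictionary word")
    if candidate in PREVIOUSLY_USED:
        problems.append("used before")
    return problems

if __name__ == "__main__":
    for pw in (mnemonic_password(QUOTE), generate_password(), "Dragon123!"):
        print(pw, check_password(pw) or "ok")
```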

3. Forget about security questions.

Sites will often use security questions such as “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.
These questions are problematic because the Internet has made public record searches a snap and the answers are usually easy to guess.
In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)
With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.
Jonathan Zdziarski, a computer forensics expert, said he often answers these questions with an alternate password. If a site offers only multiple choice answers, or only requires short passwords, he won’t use it.
“You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.

4. Monitor your credit.

Typically a service will offer one year of free credit monitoring if it has been breached. But be aware that attackers do not dispose of your Social Security number, birth date or password a year after they acquire it.
It is better to monitor your credit aggressively at all times through free services like AnnualCreditReport.com.

5. Freeze your credit.

In the attack at the I.R.S., a credit freeze may not have thwarted thieves from filing for false tax refunds, but it could have stopped them from pulling tax transcripts or opening other accounts.
To freeze your credit, call Equifax, Experian or TransUnion and ask to have your account frozen. The credit agency will mail a one-time PIN or password to unfreeze your account later.
The fee to freeze and refreeze credit varies by state. If you plan on applying for a new job, renting an apartment or buying insurance, you will have to thaw a freeze temporarily and pay a fee to refreeze the account.
But if you have been a victim of identity theft, and can show a police report proving as much, most states will waive the freeze fee.