How to Hack-Proof Your Passwords

Note: Consumer Reports has no relationship with the advertisers on this site.

More than half of ¿U.S. adults have six or more password-protected accounts online, our latest survey shows. Who can remember the passwords? You try by keeping them short and sweet: your pet’s name and “123.” You use the same one for multiple accounts. And you keep them in your wallet for easy access.

You’re not alone. In our survey, 32 percent of respondents used a personal reference in their passwords, almost 20 percent used the same password for more than five accounts, and 23 percent kept a written list of passwords in an insecure place. The national survey of 1,000 adults was conducted in October by the Consumer Reports National Research Center.

Trouble is, such practices expose you to the kinds of attacks that today’s hackers have been launching against websites. When hackers get your passwords, they gain access to your accounts.

It doesn’t have to be that way. Read on to learn the best and worst types of passwords, how to create strong ones, where to store them for safekeeping, and—better yet—how to remember them.


Your chances of having a password stolen on a given day are probably slim, but the risk is real and growing. To understand why, you need to know how today’s hacker works. No, he doesn’t sit in a basement, attempting to sign into your account by pounding away at a keyboard until he stumbles upon your password. Most likely, he breaks into an insecure website that has many passwords on file, including yours. Then he finds out many of those passwords using highly sophisticated password-cracking software and a souped-up computer. Here are some of the most troubling developments we’ve discovered:

Poor website security. It’s widespread. According to the Privacy Rights Clearinghouse’s chronology of data breaches, more than 312 million data records were exposed over the past six years by hackers breaking into sites. (Not all records included passwords.) In a study of more than 3,000 sites published last winter by Whitehat Security, a California-based firm that helps companies protect sites, most were exposed to a serious security vulnerability every single day of 2010. Banking and health care sites performed the best; retail and financial-service sites performed below the overall average.

One in seven sites studied were vulnerable to a prevalent attack known as SQL injection, in which the hacker penetrates an organization’s computer by tricking it into executing the hacker’s own programming instructions. SQL injection was used to hack into the Sony Pictures site last year, as well as into the sites of Nokia, Heartland Payment Systems, and Lady Gaga, according to the September 2011 Monthly Trend Report by Imperva, a California-based security firm that helps companies prevent data breaches.

—Subscribe to or check out Consumer Reports’ electronics buying advice.