Why You Need To Step Up Your Password Game

In the summer of 2012, Mat Honan’s story of being completely hacked became my burning platform to up my password game. As a financial executive in your organization who wants to be seen as a great cyber risk leader, upping your password game sets a good example for others.


What’s wrong with the way most people use passwords?

  1. On the Internet, simple, reusable passwords are not secure enough for anything you can’t afford to lose: money; reputation; access to the tools that support your daily work flow; even irreplaceable photos.
  2. A simple password uses dictionary words, common names, brand names, anything that’s very easy to remember. Simple also means eight or fewer characters and standard letter substitutions (e.g., using a “3” instead of an “E” or a “$” instead of an “S”).
  3. With today’s standard desktop computing power, broadband connections, and easy access to hacking tools, your passwords can be cracked or stolen from you (or from another site you use) more quickly than you realize.
  4. Using the same password at more than one site is a leading cause of bad Internet days. The average web user has 25 active accounts but only uses 6 passwords to protect all of them. 61 percent of Americans admit to using the same password on different sites. Do you use the same password at your online banking or broker as you do for Twitter? Bad idea.
  5. Even the best password strategy cannot protect you against all attacks. Social engineering was the main attack in Honan’s case. Other tactics include tricking you into using a fake web site or slipping some spyware on your computer.
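To put numbers on points 2 and 3 above, here is a small added example (mine, not part of the original post) that compares the guessing entropy of a dictionary word with “standard letter substitutions” against a long random password, and generates the latter with Python’s `secrets` module. The dictionary size and the guess rate are constructed assumptions for illustration, not figures from the post.

```python
import math
import secrets
import string

# Constructed assumption: size of the word/name list an attacker tries first.
DICTIONARY_SIZE = 100_000
# Constructed assumption: guesses per second against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10
# The alphabet a random password is drawn from: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# The "standard substitutions" the post mentions (E->3, S->$, and the like).
LEET_MAP = {"e": "3", "s": "$", "a": "@", "o": "0", "i": "1"}


def leet_variants(word):
    """Number of spellings an attacker must try to cover every substitution
    combination of `word`: each substitutable letter at most doubles the count."""
    n = sum(1 for ch in word.lower() if ch in LEET_MAP)
    return 2 ** n


def entropy_bits_simple(word):
    """Guessing entropy (bits) of a dictionary word with optional substitutions:
    the attacker's search space is dictionary entries times spelling variants."""
    return math.log2(DICTIONARY_SIZE * leet_variants(word))


def entropy_bits_random(length, alphabet=ALPHABET):
    """Entropy of `length` characters drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def seconds_to_crack(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: half the search space at `rate` guesses/s."""
    return (2 ** bits) / 2 / rate


def generate_password(length=50, alphabet=ALPHABET):
    """Unique-per-site random password; `secrets` uses the OS CSPRNG, not `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for word in ("password", "sunshine"):
        bits = entropy_bits_simple(word)
        print(f"{word!r} with substitutions: {bits:.1f} bits, "
              f"~{seconds_to_crack(bits):.2g} s to crack")
    bits = entropy_bits_random(50)
    print(f"50 random chars: {bits:.0f} bits, ~{seconds_to_crack(bits):.2g} s to crack")
    print("example:", generate_password())
```

The substitutions turn “password” into at most 16 spellings, which adds only four bits on top of the dictionary: the word stays within a fraction of a second of a modern cracking rig, while 50 random characters sit above 300 bits and are out of reach of any brute force.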

The good news: Improving my password habits was easier than I expected because of a tool called 1Password, which I’ll talk more about next week.

My new password habits include using:

  1. Passwords with as many as 50 random characters that are unique to each web site;
  2. Non-obvious answers to password reset security questions;
  3. An obscure email account just for password resets; and
  4. Google Authenticator for two-step verification with Dropbox, Gmail, and others.
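Item 4 deserves a look under the hood. Google Authenticator implements the open TOTP standard (RFC 6238, built on HOTP from RFC 4226): the app and the site share a secret key, and each six-digit code is an HMAC-SHA1 over the current 30-second time slot. The following added example (mine, not Google’s or 1Password’s code) implements both sides of that exchange with the Python standard library and checks itself against the published RFC test vectors; the shared secret is the RFC’s own test key, and the `window` for clock skew is a constructed choice.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test key, used here only so the results are checkable.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # Google Authenticator's time step


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=STEP_SECONDS, digits=6):
    """RFC 6238 TOTP, what the phone app displays: HOTP with counter = time // step."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, window=1, step=STEP_SECONDS):
    """Server side: accept the current slot plus `window` slots either side to
    tolerate clock drift; compare in constant time to avoid timing leaks."""
    if at_time is None:
        at_time = int(time.time())
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_to_base32(secret):
    """Enrolment format: the unpadded base32 key that sits inside the
    otpauth:// URI an authenticator app scans from a QR code."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    print("enrol key:", secret_to_base32(TEST_SECRET))
    print("code right now:", totp(TEST_SECRET))
    print("RFC 6238 vector at t=59 (8 digits):", totp(TEST_SECRET, 59, digits=8))
```

Two things the code makes concrete: the secret never leaves the two endpoints (only a short-lived, non-reversible code is typed in), and a stolen password alone is not enough to log in, because the attacker also needs the current code from the enrolled device. Treat the enrolment key like a password: anyone who captures the QR code can generate the same codes.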

Over the next several weeks, I’ll explain how I adopted these specific methods so you can, too.

Have you already upped your password game? How?
