7 Ways to Create Passwords That Stump the Fraudsters

As the Internet has become an increasingly integral part of our daily lives—from online shopping to paying bills and planning family vacations—it has created unprecedented convenience for users along with unprecedented opportunity for fraudsters.

While it’s not news that cybercriminals are savvy, what is less widely known is the recent surge in large-scale automated cyber-attacks. Their strategy is straightforward. Organized groups of hackers steal a massive trove of usernames and passwords (often from a corporate data breach) and try to “stuff” those credentials into the login pages of other digital services (email, financial, social media accounts, etc.) to gain access and obtain valuable information from the sites’ users. This is called credential stuffing.

One consequence of credential stuffing is that online accounts are being “taken over” in droves, typically leaving companies unaware that their systems have been compromised while leaving their customers in jeopardy. For those affected, this type of attack can have consequences beyond the initial damage—such as your credentials being used for identity theft or, if sold, used to commit other crimes.

How has credential stuffing become such a successful mode of attack? The answer is simple: an alarming number of people do not practice effective password creation and management. For instance, far too many of us use the same username and password across different accounts, making us more vulnerable to attackers using one piece of credential information to unlock multiple accounts.

To help you better protect your online information from the growing multitude of cyber-attacks, like credential stuffing, here are some suggestions for strengthening and managing your ever-growing portfolio of passwords.

1. Create lengthy and unique passphrases.
Since length is one of the most important defenses against password guessing, passwords should be at least 8-10 characters long. Rather than the usual jumble of letters, numbers and symbols that we rarely remember, it’s preferable to use passphrases that have meaning to you but cannot be easily guessed by others. For example, you could use the third line of the second stanza of your favorite song, create a password from the first letter of each word in that line, or put together 3-4 random words and separate them with a punctuation character.

2. Avoid using personal information.
This includes your birthday or social security number, of course, but also your children’s names, home address, favorite sports team or other personal information.

3. Do not use the same password for multiple accounts.
As pointed out above, if one account is breached, a reused password makes it too easy for credential-stuffing perpetrators to access your other accounts, such as your financial accounts.

4. Change your passwords periodically across ALL accounts:
Email, Facebook, LinkedIn, Financial, etc.

5. Never share your passwords with anyone.
To help remember them, you can use a password manager tool. However, if you use a tool that stores your passwords “in the cloud,” do extensive research first to make sure it is secure (encrypted) and reliable.

6. Use two-factor authentication if the account offers it.
This is becoming more and more common, so you might be aware of how it works: in addition to entering your password, you will need to enter a code sent to you via a different channel, like text or email, to gain access. When using two-step verification, consider using hardware such as security keys: USB devices that you plug into your computer when logging into a password-protected account. This way, in addition to your password, inserting the security key into your computer confirms your identity, since you have the key in your physical possession.
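The “code sent via a different channel” flow only adds protection if the service handles the code carefully on its side. The Python class below is an added example, not code from the article or from any particular vendor, showing the server-side properties such a code should have: it is random, bound to one account, expires, works exactly once, and locks after a few wrong guesses. The six-digit length, five-minute lifetime and five-attempt limit are assumed values for the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 300   # assumed lifetime: five minutes
MAX_ATTEMPTS = 5         # assumed number of wrong guesses before the code is voided


class OneTimeCodeStore:
    """Issues and verifies second-factor codes delivered out of band (SMS, email).

    Hypothetical design for illustration. `clock` is injectable so expiry can be
    tested without waiting.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # username -> (code, expires_at, attempts_left)

    def issue(self, username):
        """Create a fresh code for `username`, replacing any earlier one.

        secrets.randbelow is cryptographically random; zero-padding keeps all
        10**CODE_DIGITS values equally likely and the same length.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = (code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        # In a real service this value goes to the SMS/email sender only and is
        # never returned to the browser that asked for it.
        return code

    def verify(self, username, submitted):
        """Return True once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]          # expired or locked: force a new code
            return False
        if not (isinstance(submitted, str) and submitted.isascii()):
            return False
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(code, submitted):
            del self._pending[username]          # single use
            return True
        self._pending[username] = (code, expires_at, attempts_left - 1)
        return False


def wrong_code_for(code):
    """Helper for demonstrations: a valid-looking code that differs from `code`."""
    return "000000" if code != "000000" else "111111"


if __name__ == "__main__":
    store = OneTimeCodeStore()
    c = store.issue("alice")
    print("sent to alice's phone (demo only):", c)
    print("wrong guess accepted?", store.verify("alice", wrong_code_for(c)))
    print("right code accepted?", store.verify("alice", c))
    print("same code again accepted?", store.verify("alice", c))
```

The attempt limit is what makes a six-digit code safe: without it, a million guesses would cover every possibility, and the second factor would add little to the password it is meant to back up.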

7. Take advantage of security questions if the account offers them.
Establish strong answers to the site’s security questions that only you know. (You’ll be very glad you did in the event you forget or can’t find your password.)

Staying safe online requires diligence and persistence. Put these practices in place now to keep the cybercriminals at bay.
The contents in this article are being provided for educational and informational purposes only. The information and comments are not the views or opinions of Union Bank, its subsidiaries or affiliates.