Is a Hacker Stealing Your Password Right Now?

Your password may not be as strong as you think. Read on for ways to protect your accounts and avoid becoming a victim of ID theft.

Close up view of a website login page on a computer screen

by NEA Member Benefits

This has probably happened to you: You get a weird email from a friend with a link to an unknown site. You don’t click the link because it seems suspicious, and a few hours later, you get another email from your friend saying that her account has been hacked. Or worse, your own email account has been broken into and hijacked.

Maybe you’re being hacked right now.

“The only way to completely protect yourself against getting hacked would be to refuse to use computers altogether,” says Audrey Watters, a computer expert who offers advice and information on

That, of course, is virtually impossible in our digital world.

More bad news: The biggest risks come from places outside our control, such as the 2017 Equifax data breach and breaches that affected Target, Marriott and Dunkin’ customers.

Is there anything you can do to protect yourself? “One thing I strongly recommend,” Watters says, “is to use a unique, strong password with every application or account you create.”

Of course that makes sense, but keeping track of all of those passwords can seem so complicated. However, if you ignore that advice, you’re doing so at your own peril.

Are you making these password mistakes?

We asked computer instructor Paul Gil to share some of the most common password mistakes that people make, based on analysis of some major hacking incidents:

1. Using the same password for numerous applications. Once hackers crack a password at one account, they can easily invade others if your passwords are the same. Email is a particularly vulnerable way to get to your other accounts, including bank accounts, Amazon and Apple (iTunes and iCloud).

2. Using only text/number passwords without any non-alphanumeric characters. Fewer than 1% of the people in these hacking cases had used the extra protection provided by inserting a single special character (such as ! @ # $ % ^ & and *) in their passwords. Hackers have “dictionaries” that can quickly crack typical combinations of numbers and letters.

3. Using a common password. Believe it or not, many people use “password” or “123456” as their password. Simple words that you may like—princess, ginger, sunshine, tigger—are used by thousands of other people.

4. Using passwords with fewer than eight characters. Most people have passwords that are six to eight characters long. However, eight characters is considered to be the very minimum for a strong password.

Tips to hack-proof your passwords

There is now software that will generate and manage passwords for you. Watters, for example, uses and recommends the 1Password service.

You also can try some techniques to help you create and remember more complicated passwords. For example, start with a quotation or easy-to-remember saying, then use the first letter from each word. For instance, “I think therefore I am” becomes “ittia.”

Then lengthen the phrase. Gil suggests adding the website or computer software name, turning “ittia” into “ittiagmail.” The final step is to swap out some of the letters with caps, numbers and symbols, producing, for instance, “iTtia1Gm@il.” You also can use the same symbol for a letter or follow a pattern.

Computer security professional Mary Landesman, who recommends passwords of 14 characters, offers a variation of this method. She breaks this string down this way: The first eight characters are common to all passwords, the next three should be customized by category (such as email or bank account), and the last three should be customized by website.

As an example, Landesman takes the phrase “my favorite uncle was an Air Force pilot” and turns it into “mfuwaafp.” Then she swaps some of those characters with symbols and caps. In her example, the core password becomes Mf{w&A5p. Add the category, such as “ema” for email and again swap out a character to get “e#a.” Finally, add the website abbreviation, such as “gma” for gmail and swap out a character, such as “gm%.” Put it all together and the password for your gmail account is Mf{w&A5pe#agm%.

A hacker will look for easier game, i.e., the folks who’ve stuck with “password123.”

To change your passwords, which Landesman recommends you do often, just change the initial core 8 characters on all your passwords.

If that seems too complicated, or if the website doesn’t allow 14-character passwords, use a shorter version as long as it’s at least eight characters and incorporates letters, numbers, caps and symbols. Each added special character provides you more protection.