Despite the well-known risks of having your online accounts hacked, most people still use short, simple passwords that are easily guessed. A recent study of 32 million passwords found that most were trivial; the most common was “123456,” and “Password” was number four. This may help explain why we hear about security breaches and identity theft so often.

Experts recommend that every user choose a strong password that is unique to each site and change those passwords every six months. A strong password should appear random and should not include words found in a dictionary. It should be at least 14 characters long and contain numbers, letters of both cases, symbols and punctuation. An example would be something like “L%7xFv8_&Aqa2cB!j.”

While it might be possible to remember one of these, it is unrealistic to expect that you can recall such obscure strings for every site; a better strategy is needed. I use a balanced approach that provides good security but is also practical to use every day. My first step was to divide the Web sites and services I use into three risk categories: low, medium and high.

Low-risk sites

In the low-risk category I put online subscriptions and registrations that capture little personal information about me. Examples include news sites like the New York Times or The Wall Street Journal. Because I access many of these frequently, and may do so from someone else’s computer, it’s important that the passwords be readily recalled. So for this category, I construct a reasonably strong password that can be memorized and use the same password for each site. In the worst-case scenario, if some hacker were to break into one or more of these accounts, there would be little or no real damage they could do.

Medium-risk sites

Medium risk describes sites where an intruder might cause some minor problems and inconvenience, but where nothing vital would be permanently lost and there would be no significant monetary impact. This includes online shopping sites like Amazon, social networking sites like LinkedIn, and my iTunes account. I generate a unique and extremely strong password for each of these so that compromising one account would not provide access to any other.

High-risk sites

Anything that could potentially result in a loss of money or of important personal information is in the high-risk category. This includes access to my investment account at Fidelity, my online banking and other financial sites like PayPal. It also encompasses my online backup and file storage sites. For each of these, I create a unique and ultra-strong password of approximately 24 characters (or as long as the site allows). And except for extremely rare emergencies, I only access these accounts from my own computers.
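The strength rule above (at least 14 characters, both letter cases, digits, symbols, no dictionary words) and the three-tier scheme are easy to turn into a small tool. The following Python script is an added example, not the author's own tool and not code from RoboForm or KeePass: it checks a password against those criteria and generates a random one at the length a tier calls for. The 14- and 24-character figures come from the article; the 20-character minimum for the medium tier, the symbol set, and the five-word stand-in dictionary are assumptions made for this example.

```python
import secrets
import string

# Character classes the article's rule calls for: letters of both cases,
# numbers, and symbols/punctuation.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed symbol set; adjust per site
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Minimum length per risk tier. 14 (general rule) and 24 (high-risk) come
# from the article; 20 for medium is an assumption made for this example.
TIER_MIN_LENGTH = {"low": 14, "medium": 20, "high": 24}

# Constructed, deliberately tiny stand-in for a real dictionary/wordlist.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "letmein", "monkey"}


def strength_problems(password, min_length=14, dictionary=DICTIONARY_WORDS):
    """Return the list of article criteria the password fails (empty if none)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c in LOWER for c in password):
        problems.append("no lowercase letter")
    if not any(c in UPPER for c in password):
        problems.append("no uppercase letter")
    if not any(c in DIGITS for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol or punctuation")
    lowered = password.lower()
    hits = sorted(word for word in dictionary if word in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def generate_password(tier, site_max_length=None):
    """Generate a random password at the tier's minimum length.

    If the site caps password length below the tier minimum, use the site
    cap instead ("as long as the site allows"), but refuse to go below the
    article's 14-character floor.
    """
    length = TIER_MIN_LENGTH[tier]
    if site_max_length is not None:
        length = min(length, site_max_length)
    if length < 14:
        raise ValueError(f"site limit {site_max_length} is below the 14-character floor")
    # secrets, not random: the password must be unpredictable. Redraw until
    # every required class is present and no dictionary word slipped in.
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not strength_problems(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for sample in ("123456", "Password", "L%7xFv8_&Aqa2cB!j"):
        print(f"{sample!r}: {strength_problems(sample) or 'OK'}")
    for tier in TIER_MIN_LENGTH:
        print(f"{tier:>6}: {generate_password(tier)}")
```

Run as-is, the script reports why “123456” and “Password” fail, confirms the article's sample password passes, and prints one fresh password per tier. Because `generate_password` draws from the `secrets` module, every call yields a different value, which is what the medium- and high-risk tiers require: one password per site, never shared.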

You will need something to help you keep track of these, as the typical user will have dozens of entries. Writing them down on a Post-it note or saving them in an unprotected file on your computer only creates further security holes. There are a number of good software tools that will keep them handy and secure, such as RoboForm and KeePass.

I’ve been using RoboForm for many years. It manages all my passwords and automatically logs me in to any Web site. I can also create multiple profiles with my personal information and credit card numbers, allowing me to fill in long registration and checkout forms with one click. RoboForm encrypts all information and synchronizes it between all my computers.

While I think we can all agree that creating, managing and remembering passwords and other computer login credentials is a pain, you do need to take appropriate steps to protect yourself. If you make it harder to get into your accounts, the bad guys will move on to easier pickings somewhere else.

Roman Lubynsky is a technology consultant based in Boston. A frequent speaker and writer on technology topics, he has an MS in Management of Technology from MIT. Roman can be reached at roman@lubynsky.com.