Identity theft. Data breaches. Cybercrime.
Headline fodder for the 24-hour news channels? Sure. But these news headlines also represent very real concerns for anyone who socializes or shops online. Are your passwords among the easiest for hackers to crack? Millions use 12345, qwerty, abc123, 11111, and other simple, memorable passwords, making easy work for cybercriminals.
In practice, no password is truly “unhackable.” But strong passwords and modern authentication methods can make attacks so time and resource intensive that they’re effectively infeasible.
First thing’s first: You can — and should — use strong authentication methods like Multi-Factor Authentication (MFA) or passkeys wherever they’re supported. Traditional MFA uses two factors to confirm your identity when you sign in to your ID.me Wallet. Passkeys, which are phishing-resistant, can replace passwords entirely while providing security comparable to or stronger than MFA.
We asked the ID.me Security team to share guidelines to help you create strong, unique passwords, not only for your ID.me Wallet, but for all your digital accounts.
Create strong passwords
As technology changes, hackers continuously evolve their strategies to gain access to your accounts. To stay ahead of cybercriminals (or at least keep up), your passwords need to be strong enough to act as the first line of defense.
A few years ago, password guidance emphasized short but complex passwords with random letters, numbers, and symbols. Today, best practice has shifted. As of 2024, the Identity Theft Resource Center (ITRC) recommends using unique passphrases of at least 12 characters for every account, prioritizing length and uniqueness over complexity alone.
Research from Hive Systems shows that longer passwords significantly increase resistance to brute-force attacks. Under common cracking assumptions, passwords that are at least 12 characters long and include a mix of numbers, upper- and lowercase letters, and symbols can take years or longer to crack, depending on the hashing method and attacker resources.
However, the estimates in the graphic above assume an attacker has obtained a password hash and can attempt guesses offline using modern GPUs. Today, online attacks against ID.me and most major platforms are heavily rate-limited and monitored, making brute-force attempts far less practical.
Here are some other tips for strengthening your password to secure your ID.me Wallet:
- Ensure your password isn’t reused for multiple accounts. If you use the same password on multiple websites and a hacker gains access to one, they can quickly try the same password on other accounts. Reusing passwords makes easy work for hackers. Even slight changes to passwords will considerably lower the attackers’ chance of success.
- Avoid using information in passwords that can be easily found on social media profiles. This includes things like dates of birth, names of pets or spouses, etc. Hackers can easily find this information and use it to crack your passwords. Using a combination of random words and phrases is a better idea.
- To add even more complexity, use a passphrase instead of a password. A passphrase is a longer sentence, or phrase, that can generally include spaces (check application guidelines). Because of their length (the FBI recommends you use as many characters as the system will allow) and because they’re generally much more memorable, passphrases are much more secure than regular passwords.
- Another pro tip: Try a password manager. These software applications help you manage, create, store, and secure your passwords, usually with just a single sign-on to remember. ID.me Members can save on these popular password managers. Check it out here.
Add a passkey to protect against phishing
Even the strongest password can be compromised if it’s entered into a fake website or shared with an attacker. Phishing remains one of the most common ways accounts are compromised.
Passkeys and other phishing-resistant authentication methods provide strong protection because they cannot be reused or replayed on fraudulent sites. Passkeys are origin-bound and eliminate shared secrets, making them resistant to phishing attacks.
A passkey replaces passwords and traditional MFA by allowing you to sign in using your fingerprint, Face ID, or a device PIN. You can set up passkeys on multiple devices — such as your phone, tablet, or computer — with each device registered individually and linked to a single ID.me Wallet. For best results, use the latest version of Google Chrome.
Want to learn how to set up a passkey for your ID.me Wallet? Read more here.
Build a strong digital defense
ID.me is committed to enabling all people to have a secure digital identity. We do our part by ensuring your data is safe and that your verified identity is securely used to access organization websites and services.
Protect your sensitive information from cybercriminals by taking the time to ensure the passwords on your accounts are strong and unique. To create strong passwords, use a combination of upper- and lower-case letters, numbers, and symbols. Lean on easy-to-remember passphrases. Avoid using easily obtained information in your passwords, and never reuse passwords across multiple accounts.
You don’t need to change strong, unique passwords regularly unless there’s evidence of compromise. However, if a service notifies you of a breach (or if you’ve reused a password elsewhere), change it immediately. And make sure you add passkey MFA to your ID.me Wallet for an extra layer of security. A little effort in creating a strong password today can save you from a massive headache and financial loss in the future.
