Most of us dread the growing list of username and password combinations required to access online services. At best, managing them is a nuisance; at worst, weak or reused credentials can block access to important services like online banking and leave you vulnerable to fraud.
Until we move to a truly passwordless future, strong usernames and passwords combined with an additional authentication factor remain our best defense against identity theft and online fraud. Investing a little time to create unique, robust credentials for each account is one of the most effective steps you can take to protect your identity.
“Enabling strong authentication methods is one thing that I fight with even my own family members about,” says Octavia Howell, vice-president and chief information security officer for credit bureau Equifax Canada. She recommends thinking of usernames, passwords and multi-factor authentication as multiple lines of defense for your online identity.
Multi-factor authentication (MFA) strengthens security by combining different types of verification—something you know (a password), something you have (a phone or hardware key), or something you are (biometrics). If a company you use is breached, MFA can limit the damage by preventing attackers from using stolen credentials to access other accounts. In short, it can greatly reduce the risk of becoming an identity-theft victim.
“It’s not a matter of if, it’s a matter of when your information will be compromised. Most of your information is likely already compromised,” Howell warns. Good authentication habits make it harder for criminals to gather more personal data and impersonate you for fraudulent purposes.
Below are practical recommendations from Howell on what to avoid and what to do when managing your passwords and account security.
Password practices to avoid
One of the most common mistakes is reusing the same username and password across multiple sites. If attackers break into one account, they will try the same credentials on other services. For example, a compromised streaming service password could be used to access your email or financial accounts if you reuse it.
Avoid simple, easily guessed passwords—such as names followed by “123” or predictable special characters. Don’t use your child’s name, a pet’s name, a street address, or common phrases. Modern attackers often use artificial intelligence to test thousands of likely combinations based on the personal information that is publicly available about you.
Best password practices
Howell recommends using different usernames and unique passwords for each online account. The following tactics improve password hygiene and reduce risk:
- Search your own name online to see what personal details are publicly visible—and don’t use that information in any password.
- Create password phrases that are memorable to you but meaningless to others, using a mix of words, numbers and punctuation. Rearrange components so they don’t resemble phrases or items that appear online.
- Where platforms generate strong passwords, consider using those—provided you always access the account from the same device or you store the generated password securely in a trusted password manager.
- Prioritize your efforts: use the strongest, most unique passwords for accounts that hold sensitive information (banking, tax, healthcare). Less critical accounts can be simpler, but still not reused across sites.
- Whenever available, enable multi-factor authentication. MFA provides an extra barrier and often acts as an early warning system if someone attempts to use your credentials.
Equifax Complete Protection
Equifax Complete Protection is an identity and credit monitoring service designed to help Canadians detect signs of identity fraud sooner. The offering bundles credit monitoring with cybersecurity features to give broader protection for personal information.
- Daily credit monitoring and alerts
- Scans for personal data on the dark web
- Social media monitoring
Subscription price: $34.95 per month
For extra password protection
If you want stronger, centralized protection, consider a comprehensive fraud-prevention package that includes a password manager. A reputable password manager stores your usernames and passwords in an encrypted vault that isn’t tied to your email account or browser. Whenever you register new accounts or update passwords, save the credentials to the manager so you don’t have to remember every combination.
Products that combine credit monitoring, dark-web scanning and a password manager can simplify account recovery and ongoing protection. The password manager component helps ensure you use unique, strong passwords across sites and makes it easier to adopt multi-factor authentication on services that support it.
This article is sponsored.
This is a paid post that provides information while also featuring a client’s product or service. The piece was written and produced by MoneySense with assigned freelancers.
Read more about fraud and scams:
- How to protect yourself from identity fraud in Canada
- Mortgage fraud in Canada: how to protect yourself
- Relationship fraud and romance scams: what Canadians need to know
- How to help protect seniors and loved ones from scams