Data Breaches Skyrocket; Here’s How to Safeguard Your Online Accounts
Last updated July 30, 2021
Data breaches are up 58 percent in the first half of the year and are on a record-setting pace, according to a new report from the Identity Theft Resource Center.
While that’s a staggering figure, it really doesn’t change what you need to do to protect yourself.
“Your information is out there, it's been out there, and we're in a period of time where the bad guys are using it, and what we all need to do is make sure that we're doing what we can to make it less useful,” said James Lee, chief operating officer at the Identity Theft Resource Center.
Bad computer hygiene compounds the damage when account credentials (i.e., user IDs and passwords) are stolen. Most consumers (82 percent) admit to using the same login credentials across more than one website at least some of the time, according to a global survey of 22,000 individuals by IBM Security released in June. This lax behavior worsened during the pandemic as people stuck at home opened more digital accounts.
“This means that many of the new accounts created during the pandemic likely relied on reused email and password combinations, which may have already been exposed via data breaches over the past decade,” the report noted.
Create a different password on each account, especially if it’s a sensitive one.
If a unique password is compromised, it cannot be used to hack other accounts.
“If you use the same password to log on to your college alumni association or neighborhood Facebook page that you use for your bank account or to connect to your office network, you are needlessly putting yourself in harm’s way,” said Adam Levin, author of Swiped and host of the What The Hack podcast. “And never reuse passwords from work at home, or from home at work. Your desire for password simplicity could put your company, coworkers, clients, and customers in a very complicated situation and prove devastating to the business.”
Create strong passwords, and upgrade your old ones.
A strong password is long (12 characters or more) and complex: a random combination of upper- and lower-case letters, numbers, and symbols.
“If it’s short and easy to remember, it’s not a good password, no matter how clever you think you’re being, such as replacing the letter a with an ‘@’ or a number one with an ‘!,’” Levin said.
Here’s a list of the worst 200 passwords of 2020, and how long it would take to crack each one, according to NordPass, a password management company.
It would take less than a second to crack some of the most used passwords, such as 123456789, password, qwerty, 11111, 00000, 123abc, or iloveyou. By comparison, it would take 12 days to crack ohmnamah23, and that’s far from a secure password (not long enough, no symbols, and no capital letters).
Use a password manager.
Password management software creates strong passwords and keeps track of them for you. It stores your passwords—encrypted—in the cloud. You only need one master password (better make it a good one) to unlock that vault. (If you forget that password, you might get locked out.)
Some of the best password managers offer free versions. You’ll need to upgrade to a paid subscription to use the browser extension on other devices.
Consider updating your old passwords; chances are they’re weak. I recently went through all my accounts, and frankly, some of the passwords I created years ago (before I understood cybersecurity) were awful. Using a password manager, I was able to update them.
PC Magazine recently published a list of The Best Password Managers for 2021 and The Best Free Password Managers for 2021. Expect to pay an annual fee of $20-$36 for one machine or $45-$60 for a family plan. Most offer a 14-day free trial, so you can test drive the software. Just remember to mark the cancellation date on your calendar, so you don’t miss the deadline.
Another option: Use a free password generator to create strong, unique passwords and store them on your browser. That’s fine if you don’t share a computer.
Most internet browsers allow you to sync those passwords across multiple devices. Apple’s embedded password manager is called “Keychain.”
While the password manager feature on most browsers is convenient, it’s not as robust as what you’d get from a dedicated password management program.
Two-factor authentication is your best defensive weapon.
Even the best passwords can be compromised through phishing attacks or data breaches. Two-factor authentication (2FA) makes stolen passwords useless, because the criminal does not have access to the second identifying factor required to log in, such as a fingerprint or facial scan, or a code sent to you by email, text, or a dedicated authentication app.
Chester Wisniewski, a principal research scientist at the digital security firm Sophos, recommends taking advantage of two-factor authentication whenever it’s available.
It’s not foolproof, he said, but 2FA can stop most hackers from using a stolen password to access important accounts.
“Even the best password isn't nearly as strong as using a second factor to bolster your online security,” Wisniewski told Checkbook. “While strong passwords are essential when two-factor authentication isn't available, using a second factor is even more secure.”
Remember, only enter a second-factor code when you initiated the log-in process. Otherwise, you could be providing the code to a clever scammer who’s trying to break into your account.
What about identity monitoring services?
With so much stolen data being bought and sold by criminals on the dark web, signing up with an identity protection service may seem like a smart move. The ads for these companies certainly make it sound like you’re incredibly vulnerable without them.
These services provide peace of mind, but “you can do just about everything they can do for you by yourself,” the Identity Theft Resource Center’s Lee told Checkbook.
Don’t get swayed by exaggerated claims about monitoring the dark web. It’s a good bet your personal information is already there; the monitoring service can’t do anything about it.
“It can't stop it. It can't prevent it. It can't undo it,” Lee said. “Your information is there. It's being bought, sold, and shared every day; 30 billion credentials at any given time. So don't worry about that. Worry about what you're going to do to make sure it's not misused—and do everything you can to protect yourself.”
Freeze your credit.
One of the best ways to avoid financial fraud is to freeze your credit files at each of the three big credit bureaus: Equifax, Experian, and TransUnion. A credit freeze (also called a security freeze) locks your credit reports, making it difficult for thieves to open new financial accounts—or anything else that requires a credit check, such as signing up for cable or wireless phone service. Without the PIN you created to unlock those credit reports, a potential lender cannot generate a credit score, and will reject that request for a credit card or auto loan.
Freezing your accounts is free, easy to do, and you can thaw them whenever you need to apply for credit. A freeze does not impact your credit score in any way, and it does not interfere with ongoing relationships with your current creditors.
Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He is also the consumer reporter for KOMO radio in Seattle. You can also find him on Facebook, Twitter, and at ConsumerMan.com.