Looking for advice on how to protect your home and office from cyberattacks? A good place to start is with the people who do this stuff every day on behalf of the United States government.
If you really want to get deep into the details of digital security, read the four-volume Digital Identity Guidelines from the National Institute of Standards and Technology (NIST). It’s a massive document, and much of it is aimed at Federal agencies that need extremely robust security. There’s plenty of practical, easy-to-read information there as well, such as the discussion of how long and complex passwords really need to be. You’ll find those details in the short appendix titled “Strength of Memorized Secrets.”
The folks at NIST have created a simple Cybersecurity Basics page that boils all that technical information down to a set of crisp guidelines for small business owners and managers.
For a simpler, more practical collection of guidelines, try the Secure Our World website, run by the Cybersecurity & Infrastructure Security Agency (CISA). It’s targeted at an audience of consumers without a technical background, which makes it a solid source of information you can share with friends and family to help them deal with common threats.
I’ve gone through the latest versions of all these documents and put together a list of seven rules to follow when it comes to passwords.
1. Make sure all your passwords are strong enough
What makes a password strong?
- It’s long enough — at least 12 characters, and ideally more.
- It’s random: a mix of upper- and lower-case letters, numbers, and symbols, not a word found in a dictionary, and not containing any part of your name or of the name of the service it unlocks.
- It’s not easy to guess.
Of all those factors, experts agree that length is the most important. In fact, the experts at NIST say that recent analyses of breached password databases show that having a longer password is far more important than trying to make it complex.
Passphrases made up of three or more unrelated words separated by symbols and numbers can be effective as well.
2. Use a password manager
The average person has dozens of passwords. An extremely online person might have hundreds of credentials. No human can memorize even a handful of long, random, unique passwords. This is why you need a password manager, which offloads the work of creating unique, impossible-to-guess passwords and saves them in a secure, encrypted store.
Technically, a pen-and-paper notebook can do part of that job, albeit with a lot more friction. But a software-based password manager does so much more: it instantly creates truly random passwords, saves your credentials in an encrypted database, and syncs everything across multiple devices.
The most important layer of protection, though, is one that isn’t immediately obvious. Your password manager knows which domain (or domains) are associated with a saved set of credentials and won’t enter a password on a domain that isn’t authorized. So if a skilled attacker crafts an email that fools you into thinking it’s from your bank or broker and you click a link that goes to a fake domain, the password manager will refuse to enter any credentials.
That’s a powerful anti-phishing tool.
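To show the domain check described above in working code, here is an added example (not code from the article or from any real password manager). The vault entry and the URLs are constructed; the rule is that credentials are released only when the page host is the saved domain itself or a subdomain of it, never on a lookalike host.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault entry: the domain recorded when the login was first saved.
VAULT = {
    "bank.example": {"username": "alice", "password": "<redacted>"},
}


def page_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of an https URL, or None if unusable.
    Plain http is refused so credentials are never sent in the clear."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def credentials_for(url: str) -> Optional[dict]:
    """Autofill decision for the page at `url`.

    Matching is exact host or a subdomain of the saved domain. Substring
    checks are deliberately avoided: 'bank.example.evil.test' and
    'bank-example.test' both contain the saved name but are not it.
    Caveat (assumption): real managers consult the public-suffix list so a
    saved domain like 'github.io' does not match every tenant beneath it.
    """
    host = page_host(url)
    if host is None:
        return None
    for saved_domain, creds in VAULT.items():
        if host == saved_domain or host.endswith("." + saved_domain):
            return creds
    return None  # unknown or lookalike domain: fill nothing
```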
3. Never reuse a password
It’s a natural human instinct to have a favorite set of credentials (username and password) that you reuse on multiple sites. Yes, that makes things easier to remember, but it also ensures that a data breach at one site will give attackers access to that set of credentials, which they will in turn try on other sites that weren’t affected by the breach.
A good password manager should flag reused passwords and offer to create strong, unique replacements.
Please note: Simply tacking an exclamation point or a number on the end of your old password doesn’t qualify as creating a new password. Neither does creating a new variation on one of your commonly used passwords.
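As an added example (not from the article or from NIST), the following Python checker enforces the measurable parts of rules 1 and 3: minimum length, no fragment of your name or the service name, no dictionary word dressed up with digits or symbols, and no exact reuse or trivial variant of an old password. The word list, names and sample passwords are constructed.

```python
import re
from typing import List

# Constructed word list; a real checker would load a full dictionary plus
# lists of passwords seen in breaches.
DICTIONARY = {"password", "welcome", "dragon", "summer", "letmein", "qwerty"}
MIN_LENGTH = 12


def _core(s: str) -> str:
    """Strip leading/trailing digits and symbols: 'Summer2024!!' -> 'summer'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s).lower()


def trivial_variant(candidate: str, old: str) -> bool:
    """Rule 3: adding a '!' or bumping the year is not a new password."""
    core = _core(candidate)
    return core != "" and core == _core(old)


def check_password(candidate: str, name: str, service: str,
                   old_passwords: List[str]) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it passes."""
    problems: List[str] = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Any word (3+ letters) of the user's name or the service name, embedded anywhere
    for label, text in (("name", name), ("service", service)):
        for part in re.findall(r"[a-z]{3,}", text.lower()):
            if part in lowered:
                problems.append(f"contains part of the {label} ('{part}')")
    # Dictionary word once all digits and symbols are removed
    if re.sub(r"[\W\d_]+", "", lowered) in DICTIONARY:
        problems.append("is a dictionary word padded with digits/symbols")
    for old in old_passwords:
        if candidate == old:
            problems.append("reuses an existing password")
        elif trivial_variant(candidate, old):
            problems.append("is a trivial variant of an existing password")
    return problems
```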
4. Avoid password hints
The whole idea of a password hint is that it’s made up of some word or name or date that is meaningful to you. By definition, that kind of password is easy to guess, and adding a password hint makes the job even easier for someone who wants to break into your accounts.
The best password hint is four words: “Check your password manager.”
5. Change default passwords
One of the most insidious ways for attackers to break into a home or business network is to go through a device on that network, using vulnerabilities in its management interface. That could be your Wi-Fi router, for example, with its default password that’s often just “password”. IP-based cameras and doorbells you install as part of a home security system are also possible entry points.
If you have any of those devices on your network, replace those default passwords with more robust credentials.
6. Use multi-factor authentication whenever possible
No matter how strong you make your passwords and how carefully you try to protect them from being compromised, stuff happens. (That isn’t exactly how the expression goes, but it’s close enough.)
The most effective protection, by far, is to ensure that no one can sign in to your accounts on a new device unless they can provide a second form of identification, ideally using an authenticator app on a device you own. (Codes sent to your phone using SMS are an acceptable option but are at greater risk of being taken over by a determined attacker.)
You don’t have to 2FA all the things, but you should insist on a second factor for high-value accounts such as email, banks, and brokers.
7. Don’t change your passwords unless you have to
Experts agree that changing passwords regularly isn’t necessary, and that organizations requiring users to change their password for no reason are actually making their networks less secure.
Why? Because people who are forced to change passwords regularly are likely to choose a weak, easy-to-guess password. If you’ve done a solid job of choosing a strong and unique password, there’s no need to change it under normal circumstances.
So, when should you change your password?
Obviously, you should replace a password if it’s unacceptably weak or if it’s a duplicate of one you use elsewhere. You should also change any password at the first hint that it’s been compromised as part of a data breach.
And, of course, if your IT department or an online service insists on forcing a password change, you should do as they say. Just let your password manager create the longest, strongest password that meets their demands.