Password security best practices
Weak and reused passwords are the number one cause of account compromise. Learn how to build an unbreakable credential strategy with strong passwords, multi-factor authentication, and password managers.
Know the Threats
Common password attacks
Understanding how attackers crack passwords helps you build defenses that actually work.
Brute Force
Automated tools try every possible combination of characters until the correct password is found. A 6-character password can be cracked in seconds. A 16-character password with mixed characters would take millions of years.
Credential Stuffing
Attackers take username and password combinations leaked from one breach and try them on other services. Because people reuse passwords, this works alarmingly often. Over 15 billion stolen credentials circulate on the dark web.
Phishing
Fake emails, websites, or text messages trick you into entering your password on a look-alike login page controlled by the attacker. Phishing is the most common initial attack vector in data breaches.
Keylogging
Malware installed on your device records every keystroke, capturing passwords as you type them. Keyloggers can be delivered through malicious email attachments, compromised websites, or infected USB drives.
Dictionary Attack
Automated tools try common words, phrases, and known passwords from previous breaches. "Password123," "qwerty," and "iloveyou" are among the first combinations tried. These attacks succeed against any password based on dictionary words.
Social Engineering
Attackers research your social media, public records, and online presence to guess passwords based on personal information: pet names, birthdays, anniversaries, favorite teams, or children's names.
Best Practices
Password rules that actually work
Forget the outdated advice about changing passwords every 90 days and requiring special characters. Modern guidance from NIST focuses on what truly makes passwords secure.
- Use a minimum of 16 characters. Length is the single most important factor in password strength.
- Never reuse passwords across different accounts. Every account must have a unique password.
- Avoid dictionary words, names, dates, or any personally identifiable information.
- Use a passphrase of 4 or more random, unrelated words (e.g., "correct horse battery staple") if you need to memorize it.
- Do not use predictable substitutions like @ for a, 3 for e, or 0 for o. Attackers know these patterns.
- Change passwords immediately if you learn of a breach affecting a service you use.
- Never share passwords via email, text message, or chat. Use a password manager sharing feature instead.
- Enable account lockout or rate limiting where available to slow brute force attempts.
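As an added illustration (not code from the original page), a small policy checker that applies the rules above: the 16-character minimum, rejection of dictionary words even after the predictable substitutions are undone, a lookup against a breach list, detection of reuse across accounts, and passphrase generation from a wordlist. The dictionary, breached hashes and wordlist are constructed samples; a real deployment would use a full dictionary and a breach corpus.

```python
import hashlib
import secrets

# Constructed sample data for this example; a real deployment would use a full
# dictionary, a breach corpus (or a k-anonymity breach-lookup service) and a
# long wordlist such as Diceware's 7776 words.
COMMON_WORDS = {"password", "qwerty", "iloveyou", "dragon", "monkey", "welcome"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("Password123", "Summer2023!", "letmein")}
WORDLIST = ["correct", "horse", "battery", "staple", "cloud", "anvil", "river", "quartz"]

# The predictable substitutions the page warns about; undo them before the
# dictionary check so "P@ssw0rd" is judged as "password".
LEET = str.maketrans({"@": "a", "3": "e", "0": "o", "1": "i", "$": "s"})


def normalise(pw: str) -> str:
    return pw.lower().translate(LEET)


def check_password(pw: str, min_len: int = 16) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    norm = normalise(pw)
    for word in sorted(COMMON_WORDS):
        if word in norm:
            problems.append(f"contains dictionary word '{word}' after undoing substitutions")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known breach")
    return problems


def find_reused(vault: dict) -> list:
    """Group account names that share a password; every group is a credential-stuffing risk."""
    by_password = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return [sorted(accts) for accts in by_password.values() if len(accts) > 1]


def generate_passphrase(words: int = 4, wordlist=WORDLIST) -> str:
    """Random, unrelated words chosen with a CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "Password123", generate_passphrase()):
        print(candidate, "->", check_password(candidate) or "OK")
```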
Multi-Factor Authentication
What is MFA and why does it matter?
Multi-factor authentication requires two or more verification methods to prove your identity. Even if your password is stolen, MFA blocks 99.9% of automated attacks according to Microsoft research.
Authenticator Apps
Apps like Microsoft Authenticator, Google Authenticator, or Authy generate time-based one-time codes (TOTP) that change every 30 seconds. You enter the current code after your password to verify your identity.
Codes are generated locally on your device from a secret that is never transmitted, making them resistant to interception. Even if an attacker steals your password, they cannot log in without physical access to your phone.
Hardware Security Keys
Physical devices such as YubiKey or Google Titan that plug into a USB port or are tapped via NFC. They use the FIDO2/WebAuthn protocol and are completely phishing-resistant because they cryptographically verify the legitimate website's domain.
Hardware keys cannot be phished because they only respond to the legitimate website. Google reported zero successful phishing attacks against employees after mandating security keys. Recommended for high-value accounts.
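The domain check that makes hardware keys phishing-resistant, as an added example rather than code from the page or from any FIDO library: the browser (not the user) writes the origin into clientDataJSON and only permits an RP ID that is the page's own domain or a parent of it, and the authenticator hashes that RP ID into authenticatorData, so a look-alike domain produces a response the real site rejects. The challenge and domains are constructed samples, and the signature check over authenticatorData || SHA-256(clientDataJSON) is assumed to follow these checks (it needs the registered credential key, so it is not shown).

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Constructed stand-in for what the browser and authenticator hand back.

    The browser fills in `origin` itself and only lets a page use an RP ID that
    is its own domain (or a parent of it); the authenticator then hashes that
    RP ID into the first 32 bytes of authenticatorData.  The signature the real
    response carries is omitted here (assumption: verified after these checks).
    """
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags, sign_count = b"\x01", (0).to_bytes(4, "big")   # UP flag set, counter 0
    return {"clientDataJSON": client_data, "authenticatorData": rp_id_hash + flags + sign_count}


def verify_assertion(assertion: dict, rp_id: str, allowed_origins: set, challenge: bytes):
    """Relying-party checks that make a response relayed from a look-alike domain useless."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} is not this site"
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash was computed for a different RP ID"
    # The stored public key would now verify the signature over this message.
    signed_message = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return True, f"ok ({len(signed_message)} signed bytes)"


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    good = make_assertion("https://example.com", "example.com", challenge)
    lookalike = make_assertion("https://examp1e.com", "examp1e.com", challenge)
    print(verify_assertion(good, "example.com", {"https://example.com"}, challenge))
    print(verify_assertion(lookalike, "example.com", {"https://example.com"}, challenge))
```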
SMS Text Codes
A one-time code is sent to your phone via text message. While better than no MFA, SMS codes can be intercepted through SIM swapping attacks where criminals convince your carrier to transfer your phone number.
NIST (the National Institute of Standards and Technology) has deprecated SMS as an authentication factor due to known vulnerabilities. Use authenticator apps or hardware keys instead when possible.
Biometric Authentication
Fingerprint, face recognition, or iris scans verify your identity using unique physical characteristics. Often used as a convenient way to unlock authenticator apps or hardware keys rather than as a standalone factor.
Biometrics are convenient and difficult to forge, but cannot be changed if compromised. Best used in combination with other factors. Modern implementations store biometric data locally on the device, not in the cloud.
Essential Tool
Why you need a password manager
The average person has over 100 online accounts. A password manager is the only practical way to use a unique, strong password for every single one.
Unique password per account
- Without a password manager: Impossible to remember hundreds of unique passwords, leading to dangerous reuse
- With a password manager: Automatically generates and stores unique 20+ character passwords for every account
Password strength
- Without a password manager: Humans tend to create weak, predictable passwords based on words and patterns
- With a password manager: Generates truly random passwords using all character types at any length
Phishing protection
- Without a password manager: You might type your password into a fake website without realizing it
- With a password manager: Auto-fill only works on the correct domain, refusing to fill on phishing sites
Breach monitoring
- Without a password manager: You may never know if your password was leaked until your account is compromised
- With a password manager: Alerts you immediately when any stored password appears in a known data breach
Secure sharing
- Without a password manager: Passwords shared via email, sticky notes, or spreadsheets are easily intercepted
- With a password manager: Encrypted sharing with access controls, audit logs, and the ability to revoke access
Step by Step
How to set up multi-factor authentication
Prioritize Your Accounts
Start with your most critical accounts: email, banking, and cloud storage. Your email account is the highest priority because password resets for other services go to your inbox. If an attacker controls your email, they can reset passwords to everything else.
Install an Authenticator App
Download Microsoft Authenticator, Google Authenticator, or Authy on your smartphone. Authy offers cloud backup of your TOTP seeds, which is convenient but slightly less secure. Microsoft and Google Authenticator keep seeds local to the device.
Enable MFA in Account Settings
Log into each service, navigate to security or account settings, and look for "Two-factor authentication," "Two-step verification," or "Multi-factor authentication." Choose the authenticator app option when available rather than SMS.
Scan the QR Code
The service will display a QR code. Open your authenticator app, tap "Add account" or the "+" button, and scan the QR code. The app will immediately begin generating 6-digit codes that refresh every 30 seconds.
Save Recovery Codes
Most services provide one-time recovery codes in case you lose access to your authenticator app. Print these codes and store them in a secure physical location (safe or lockbox). Do not save them in a digital file on your computer.
Test Before Logging Out
Before completing setup, test the MFA process by logging out and logging back in. Verify that the authenticator code works and that you can access your recovery codes. Confirm on all devices you use to access the account.
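What happens underneath the setup steps above and the Authenticator Apps section, as an added example that is not code from the page or from any authenticator app: the Base32 seed carried by the QR code, the RFC 6238 TOTP computation that yields a 6-digit code every 30 seconds, and the server-side check that tolerates clock drift. The reference seed is the one from RFC 6238's test vectors; the Base32 sample is a constructed seed, not anyone's real secret.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference seed (ASCII "12345678901234567890"); a real seed comes from
# the otpauth:// QR code you scan during setup.
RFC_SEED = b"12345678901234567890"


def seed_from_base32(b32: str) -> bytes:
    """QR-code provisioning URIs carry the seed as unpadded Base32; restore padding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the 30-second time counter, as specified in RFC 6238."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock drift.

    Compares in constant time; a real server should also rate-limit attempts and
    refuse to accept the same counter value twice.
    """
    return any(hmac.compare_digest(totp(seed, now + i * step, step), code)
               for i in range(-window, window + 1))


if __name__ == "__main__":
    import time
    # Constructed sample seed; decodes to b"Hello!\xde\xad\xbe\xef".
    seed = seed_from_base32("JBSWY3DPEHPK3PXP")
    print("current code:", totp(seed, int(time.time())))
```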
Secure your accounts today
We help businesses deploy password managers, enforce MFA across all systems, and train teams on credential security. Let us harden your authentication.