Password Security Essentials for Safer Accounts

Published On: November 19th, 2025 | 4 min read

When we think about passwords, we should treat them as the keys to our digital house, office, car, bike, mailbox, or garage. We wouldn’t want such important parts of our lives to be publicly accessible — or worse, exposed to malicious individuals or groups.
This month, we’re focusing on passwords: how to improve them and how to prevent your digital spaces and services from being compromised.

The Core Rules of Creating a Strong Password

Use passphrases or very long, random passwords to increase the security of your accounts. The longer the password, the more time it takes to break it: every added character multiplies the number of guesses an attacker must try by the size of the character set, so brute-force and offline cracking attacks get exponentially slower as length grows.

Passphrases help here: a series of randomly chosen words, or a memorable sentence nobody has published, that boosts the character count. (A famous quote or song lyric does not count; those are already in every cracking dictionary.) The recommended minimum password length is 12 characters, 16 is a good default, and anything over 20 provides solid protection.

Do not use the same password across multiple services. Ideally, one password should be used for one service only. If one of your passwords is lost or accessed without authorization, attackers could gain access to all your other accounts. Reusing a password is a common attack vector: leaked username/password bundles are sold and traded on the dark web, and attackers feed them into automated tools that try every pair against other services (credential stuffing), so a leak of a private password can quickly lead to attacks on business accounts as well.

Always change default passwords when you first access an account, especially if the assigned password is something like “admin”, “password”, or “12345”.

When creating passwords, mixing lowercase letters, uppercase letters, numbers, and special characters enlarges the alphabet an attacker has to search, but only if the characters are placed unpredictably. Do not rely on the familiar substitutions (O → 0, A → 4, I → !, S → $): cracking tools apply exactly these rules to every dictionary word automatically, so "P4$$w0rd" falls almost as quickly as "password". Extra length beats clever substitutions every time.
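The reason substitutions add so little is that cracking tools generate them mechanically. This added example (written for this article, not ASEE's code) implements a tiny rule engine of the kind hashcat or John the Ripper apply to a wordlist; the substitution map, case rules and suffix list are constructed here and far smaller than real rule sets, which only strengthens the point.

```javascript
// Constructed leetspeak map; real rule sets ship hundreds of such rules.
const LEET = { a: ['4', '@'], e: ['3'], i: ['1', '!'], o: ['0'], s: ['5', '$'], t: ['7'] };

// Every variant of `word` in which each substitutable letter is either kept or replaced.
// The unmodified word comes first, so the stream grows from "most likely" outward.
function leetVariants(word) {
  let variants = [''];
  for (const ch of word) {
    const choices = [ch, ...(LEET[ch.toLowerCase()] || [])];
    variants = variants.flatMap(prefix => choices.map(c => prefix + c));
  }
  return variants;
}

// Capitalisation rules: as typed, first letter upper-cased, all upper-cased.
function caseVariants(word) {
  return [word, word[0].toUpperCase() + word.slice(1), word.toUpperCase()];
}

// Suffixes people append to satisfy complexity rules (constructed; real lists are longer).
const SUFFIXES = ['', '1', '123', '!', '2024', '2025'];

// Lazily enumerate the candidate stream: base word -> case -> leet -> suffix.
function* candidateStream(dictionary) {
  for (const base of dictionary)
    for (const cased of caseVariants(base))
      for (const leet of leetVariants(cased))
        for (const suffix of SUFFIXES)
          yield leet + suffix;
}

// 1-based position of `target` in the stream (how many guesses it costs), or -1 if not covered.
function guessNumber(target, dictionary) {
  let n = 0;
  for (const candidate of candidateStream(dictionary)) {
    n += 1;
    if (candidate === target) return n;
  }
  return -1;
}

// Total candidates a dictionary expands to under these rules.
function totalCandidates(dictionary) {
  let n = 0;
  for (const _ of candidateStream(dictionary)) n += 1;
  return n;
}

// Brute-force search space for comparison: 95 printable ASCII characters ^ length.
function bruteForceSpace(length) {
  return 95 ** length;
}

for (const [target, dict] of [['P4$$w0rd', ['password']], ['Summer2025', ['summer']]]) {
  console.log(`${target}: guess #${guessNumber(target, dict)} of ${totalCandidates(dict)} ` +
    `rule candidates; a blind brute force would face ~${bruteForceSpace(target.length).toExponential(1)}`);
}
```

"P4$$w0rd" looks like a 4-class, 8-character password (about 52 bits by the brute-force formula), yet it is guess number 535 when the attacker starts from the single word "password"; "Summer2025" is guess 42 from "summer". With a real dictionary of a few hundred thousand words and real rule sets, both fall in seconds.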

When creating a password, try to avoid using information that can be linked to you. Don’t use the name of your dog or cat, your hometown, your elementary or high school, your university, your parents’ names, siblings’ names, or children’s names. Birthdates, anniversaries, and similar personal numbers should also be avoided.

Where possible, use SSO (Single Sign-On). Just like a Password Manager reduces the number of passwords you need to remember, SSO also reduces the number of passwords you have to memorize and regularly change. The flip side is that the SSO account now unlocks everything behind it, so give it your strongest password and the strongest MFA method on offer.

Protect Your Passwords

Use a Password Manager to simplify password management, increase security and complexity, and help you follow all the recommended practices. On average, a modern user has over 100 passwords, and someone working in IT can easily have more than 300! It's much easier to remember one complex Master Password than 300 individual ones. Since that one password now protects all the others, make it a long passphrase and enable MFA on the manager itself.

Do not write passwords on sticky notes, notebooks, or any physical form of storage. Do not send passwords via chat or email. If you must send a password, send it separately from the username, using another communication channel. In general, very few services will ever ask you to share your password with them, so these situations should be extremely rare.

When setting security questions, treat them with the same level of care as your passwords. Do not use information that can be linked to you, just like with your passwords; much of it (your first school, your mother's maiden name, your first pet) is findable on social media or in public records. The safest answer is a random string generated and stored in your password manager.


Use MFA Everywhere

Most services today offer — and some even require — Multi-Factor Authentication (MFA). Use MFA wherever it’s available. MFA adds another layer of security, and it’s crucial to use it properly and responsibly. If your password is compromised, MFA is the mechanism that prevents attackers from taking full control of your account.

Use the strongest MFA method available. Phishing-resistant methods (FIDO2 security keys and passkeys) are the strongest, because the response is bound to the real site and cannot be relayed from a fake login page. App-generated OTP codes come next: they cannot be intercepted on the phone network, but a code typed into a phishing page can be replayed by the attacker within its 30-second window. SMS codes are the weakest, since they are both phishable and exposed to SIM-swap attacks. Biometrics on their own are usually just the way you unlock one of these methods on your device, not a separate factor the service sees.

The Future: Moving From Passwords to Passkeys

The ideal path forward is moving from passwords to Passkeys, which represent the future of this type of protection. A passkey is a public-key credential: the private key stays on your device (or in your synced keychain), and the service only stores the public key, so a breach of the service leaks nothing an attacker can log in with. Because the browser binds each login to the site that created the key, a look-alike phishing site cannot use it, and there is nothing to guess, reuse, or crack. Passkeys also provide a much simpler login process, unlocked with the device's biometrics or PIN. The residual risks are the device itself and the cloud account that syncs the passkeys, so both need to be protected.

Currently, many services still don’t support Passkeys, but adoption is increasing, especially because giants like Google and Apple are implementing Passkeys as the next step in securing their services.

If you found this article helpful, you may also benefit from our guide on Phishing Awareness: How to Spot and Prevent Attacks. Strengthening your security knowledge is an ongoing process, and this additional resource can help you further protect your organization from emerging threats.

ASEE author: Ivan Vedak


Ivan Vedak is an accomplished IT professional and Information Security Manager with over 20 years of experience spanning project management, IT security, computer networks, fintech, and application development.
