Set strong passwords
We suggest the following best practices for setting strong passwords.
- Use a password with a mix of letters (both lower- and upper-case), numbers, and symbols. And a longer password is better (at least 12-14 characters).
Using numbers, symbols and mixed-case letters in your password increases the difficulty of guessing or cracking your password. For example, there are more than 6 quadrillion possible variations for an eight-character password with numbers, symbols, and mixed-case letters—30,000 times more variations than an eight-character password with only lowercase letters.
- Avoid passwords with simple words or any variation of your username or personal information that may be public (e.g., your name, your birth date, social security number, etc.).
- Avoid passwords with easily guessed “likes” or “dislikes” (e.g., RedSox, hunting4deer, etc).
- Consider using a different password for each account you log into (e.g., one per company or domain).
- Change your passwords if you suspect they have been compromised in any way.
- Do not share your password with anyone.
- If you store passwords on a mobile device such as your phone, make sure your phone can be locked behind a PIN or master password.
Store passwords securely
All modern web browsers offer you the option to store a password in their password databases after you log into a website. While this is highly convenient, it could mean that anyone that has access to your computer or mobile device can log into websites without you present.
We recommend that before you save any passwords in a web browser, you first set a master password that will be required before the browser will be able to retrieve any stored passwords.
If you store your passwords in your web browser without using a master password—some browsers do not have this feature—please make certain your computer or mobile device is set to lock itself when you are away (either with a password-protected screen saver or a PIN code).
And of course, never save a password on a computer you do not own or manage.
Use password management software
To be able to follow all of these best practices—especially when using a different password for each domain—we recommend the use of a password manager (or password vault) to store your passwords. Password managers will store your passwords in a central place behind a single, master password, and can be either part of your web browser or a separate service or software package.
When you need the password, you retrieve it from the manager tool; otherwise, the password remains locked away. Other common features of a password manager:
- A random password generator can create passwords as complex as you prefer.
- Cloud storage means you can access your password vault from multiple devices, as long as you remember your master password.
- Automated log-in integrated with your browser will allow your password manager to handle the log-in process for you, keeping the entire process protected at all times.
Use multi-factor authentication
If you only use a password to authenticate, it leaves an insecure vector for attack. If your password is weak or has been exposed elsewhere, the system cannot know if it is really you signing in or if it is an attacker. Multi-factor authentication (MFA) helps protect your account by adding additional verification methods that are not easy for an attacker to obtain or duplicate.