7 essential password rules to follow in 2024, according to security experts

Looking for advice on how to protect your home and office from cyberattacks? A good place to start is with the people who do this stuff every day on behalf of the United States government.

The folks at the National Institute of Standards and Technology (NIST) have created a simple Cybersecurity Basics page that boils down the technical information in its four-volume Digital Identity Guidelines to a set of crisp guidelines for small business owners and managers. 

(For those who are willing to dive into the full report, you’ll find some good advice for IT pros and service providers in the “Passwords” section of Appendix A. This content will be especially helpful if you are trying to convince your IT department to stop forcing regular password changes.)

For a simpler, more practical collection of guidelines, try the Secure Our World website, run by the Cybersecurity & Infrastructure Security Agency (CISA). It’s targeted at an audience of consumers without a technical background, which makes it a solid source of information you can share with friends and family to help them deal with common threats.

I’ve gone through the latest versions of all these documents and compiled a list of seven rules to follow when it comes to passwords.

1. Make sure all your passwords are strong enough

What makes a password strong?

  • It’s long enough — a minimum of 15 characters, using the latest NIST guidelines, with 64 characters as a reasonable maximum password length.
  • It’s random: a mix of upper- and lower-case letters, numbers, and symbols that isn’t a dictionary word and doesn’t include any part of your name or the name of the service it unlocks.
  • It’s not easy to guess.

Of all those factors, experts agree that length is the most important. In fact, the experts at NIST say that recent analyses of breached password databases show that having a longer password is far more important than trying to make it complex.

Passphrases made up of three or more unrelated words separated by symbols and numbers can be effective as well.
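The rules in this section can be expressed as a simple acceptance check. The code below is an added example, not taken from NIST or this article; the blocklist, dictionary, and leet-speak normalization are constructed stand-ins (a real check would use a full breached-password list), and the minimum and maximum lengths are the 15 and 64 characters given above.

```python
"""NIST-style password acceptance check plus a passphrase generator (added example)."""
import re
import secrets
from typing import List

MIN_LEN, MAX_LEN = 15, 64  # lengths from the article's NIST summary

# Constructed sample lists; a real check uses a full breached/common-password list.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein"}
DICTIONARY = {"password", "dragon", "monkey", "summer", "welcome", "admin"}

# Assumption: undo a few common substitutions so "P@ssw0rd1!" still matches "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def _normalize(pw: str) -> str:
    """Lowercase, drop trailing digits/symbols, then undo leet substitutions."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(_LEET)


def check_password(pw: str, username: str = "", service: str = "") -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems: List[str] = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    core = _normalize(pw)
    if core in BLOCKLIST or pw.lower() in BLOCKLIST:
        problems.append("on the breached/common password list")
    if core in DICTIONARY:
        problems.append("is a dictionary word")
    # Context-specific check: no part of the user's name or the service name.
    for label, ctx in (("username", username), ("service name", service)):
        for part in re.split(r"[\s@._-]+", ctx.lower()):
            if len(part) >= 3 and part in pw.lower():
                problems.append(f"contains part of the {label} ({part!r})")
    return problems


def generate_passphrase(words: List[str], count: int = 4) -> str:
    """Join `count` randomly chosen words with random digit/symbol separators."""
    seps = "-_.!#%+=0123456789"
    out = secrets.choice(words)
    for _ in range(count - 1):
        out += secrets.choice(seps) + secrets.choice(words)
    return out
```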

2. Use a password manager

The average person has dozens of passwords. If you have an active online life, you might have hundreds of credentials. No human can memorize even a handful of long, random, unique passwords. Nor should they have to! Install a password manager on every device and let it handle the work of creating long, unique, impossible-to-guess passwords and saving them in a secure, encrypted enclave.

Technically, a pen-and-paper notebook can do part of that job, albeit with a lot more friction. A software-based password manager, however, does so much more: it instantly creates truly random passwords, saves your credentials in an encrypted database, and syncs everything across multiple devices.

The most important layer of protection, though, is one that isn’t immediately obvious. Your password manager knows which domains are associated with a saved set of credentials and won’t enter a password on a domain that isn’t authorized. So if a skilled attacker crafts a phishing email that fools you into thinking it’s from your bank or broker, and you click a link that goes to a fake domain, the password manager will refuse to enter your credentials.

That one step will force you to stop and look more carefully at the message, which is the single most important anti-phishing step of all.
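The domain check described above is the heart of a password manager's phishing resistance. This is an added illustration, not code from any real password manager: credentials are keyed by the site's registrable domain (the public-suffix list here is a tiny constructed sample), so a legitimate subdomain of the bank is filled but a lookalike or a subdomain of some other domain is refused.

```python
"""Autofill domain check modelled on the article's description (added example)."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the real public-suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1), e.g. login.examplebank.co.uk -> examplebank.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


class Vault:
    """Minimal credential store that only fills on the domain a credential was saved for."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, str]] = {}

    def save(self, url: str, username: str, password: str) -> None:
        host = urlsplit(url).hostname or ""
        self._entries[registrable_domain(host)] = (username, password)

    def fill(self, url: str) -> Optional[Tuple[str, str]]:
        """Return the saved credentials for this page, or None if the site is not authorized."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return None  # never hand credentials to a non-HTTPS or malformed page
        return self._entries.get(registrable_domain(parts.hostname))
```

A lookalike such as examplebank-secure.com or examplebank.com.evil.net resolves to a different registrable domain, so fill() returns None and nothing is entered.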

3. Never reuse a password

It’s a natural human instinct to have a favorite set of credentials (username and password) that you reuse on multiple sites. Yes, that makes things easier to remember, but it also ensures that a data breach at one site will give attackers access to that set of credentials, which they will in turn try on other sites that weren’t affected by the breach.

A good password manager should flag reused passwords and offer to create strong, unique replacements.

Please note: Simply tacking an exclamation point or a number on the end of your old password doesn’t qualify as creating a new password. Neither does creating a new variation of one of your commonly used passwords.
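A reuse check that catches the variations this section warns about, as an added example rather than the behaviour of any particular password manager: two entries are flagged when their passwords are identical, when they differ only in case or in trailing digits and symbols (“Summer2023!” vs “Summer2024”), or when they are within a couple of single-character edits of each other. The vault contents below are constructed.

```python
"""Flag identical and near-duplicate passwords across a vault (added example)."""
import re
from typing import Dict, List, Tuple


def _stem(pw: str) -> str:
    """Lowercase and drop trailing digits/symbols: 'Summer2023!' -> 'summer'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_reuse(vault: Dict[str, str], max_edits: int = 2) -> List[Tuple[str, str, str]]:
    """Return (site_a, site_b, reason) for every pair whose passwords are reused or trivially varied."""
    sites = sorted(vault)
    flagged = []
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            pa, pb = vault[a], vault[b]
            if pa == pb:
                flagged.append((a, b, "identical"))
            elif _stem(pa) and _stem(pa) == _stem(pb):
                flagged.append((a, b, "differs only in case or trailing digits/symbols"))
            elif edit_distance(pa.lower(), pb.lower()) <= max_edits:
                flagged.append((a, b, f"within {max_edits} edits"))
    return flagged


# Constructed sample vault: site -> password
SAMPLE_VAULT = {
    "bank": "Summer2023!",
    "email": "Summer2024",
    "shop": "correct-horse-battery-staple",
    "forum": "correct-horse-battery-staple",
    "work": "Tr0ub4dor&3",
}
```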

4. Avoid password hints

The whole idea of a password hint is that it’s made up of some word or name or date that is meaningful to you. By definition, that kind of password is easy to guess, and adding a password hint makes the job even easier for someone who wants to break into your accounts. 

The experts at NIST are adamant in their advice: People who manage secure online services absolutely should not use knowledge-based authentication hints (e.g., “What was the name of your first pet?”) or security questions.

The best password hint is four words: “Check your password manager.”

5. Change default passwords

One of the most insidious ways for attackers to break into a home or business network is to go through a device on that network, using vulnerabilities in its management interface. That could be your Wi-Fi router, for example, with its default password that’s often just “password.” IP-based cameras and doorbells you install as part of a home security system are also possible entry points.

If you have any of those devices on your network, replace those default passwords with more robust credentials.

6. Use multi-factor authentication whenever possible

No matter how strong you make your passwords and how carefully you try to protect them from being compromised, stuff happens. (That isn’t exactly how the expression goes, but it’s close enough.)

The most effective protection, by far, is to ensure that no one can sign in to your accounts on a new device unless they can provide a second form of identification, ideally using an authenticator app on a device you own. (Codes sent to your phone using SMS are an acceptable option, but are at greater risk of being taken over by a determined attacker.)

You don’t have to 2FA all the things, but you should insist on a second factor for high-value services such as email and messaging, social media, bank accounts, and brokers.

7. Don’t change your passwords unless you have to

Experts agree that changing passwords regularly isn’t necessary. In fact, organizations that require users to change their password for no reason are actually making their networks less secure.

Why? Because people who are forced to change passwords regularly are likely to choose weak, easy-to-guess passwords. If you’ve done a solid job of choosing a strong and unique password, there’s no need to change it under normal circumstances.

So, when should you change your password?

Obviously, you should replace a password if it’s unacceptably weak or if it’s a duplicate of one you use elsewhere. You should also change any password at the first hint that it’s been compromised due to a data breach.

That said, if your IT department or an online service insists on forcing a password change, you should do as they say. Just let your password manager create the longest, strongest password that meets their demands.

This article was originally published on July 24, 2024, and last updated on October 25, 2024. 