October is National Cybersecurity Awareness Month. It is the time of year when we remind everyone how important it is to stay safe online. Every year, the bad guys get more sophisticated, so it's worth refreshing ourselves on best practices for keeping our online activity safe and secure.
Passwords are one of the most important components of your online protection arsenal. Nearly every resource you use online has a password requirement. Bad guys have developed many ways to guess passwords. And sometimes they do not even have to guess because they have valid username and password combinations they’ve collected through data breaches. Therefore, it’s critical that you use good password hygiene to keep your information safe online.
Do not reuse passwords
Password reuse is a common practice, especially once you start following the next steps and making your passwords longer and more complex. How is a normal person supposed to keep it all straight? More on that below.
Reusing passwords puts your accounts at risk. The bad guys obtain large lists of username (or email address) and password combinations. They then feed these combinations into login forms at high speed until one of them works. The whole approach relies on the assumption that people reuse passwords.
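The login-form replay described above (usually called credential stuffing) has a recognizable shape in a site's login logs: one source address fails against many different usernames in a short time, which looks nothing like a real person mistyping their own password. The following detector is an added example written for this article, not code from the original post; the log format, the field names, the thresholds, and the log lines themselves are constructed for the demonstration (the addresses are RFC 5737 documentation ranges).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed login events in a made-up "ts ip=... user=... result=..." format.
# 203.0.113.5 tries seven different accounts once each (one succeeds),
# 203.0.113.9 is one user fumbling their own password, 198.51.100.7 is clean.
CONSTRUCTED_LOG = """\
2024-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-10-01T12:00:02Z ip=203.0.113.9 user=carol result=FAIL
2024-10-01T12:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-10-01T12:00:04Z ip=203.0.113.5 user=erin result=FAIL
2024-10-01T12:00:05Z ip=203.0.113.9 user=carol result=FAIL
2024-10-01T12:00:05Z ip=203.0.113.5 user=frank result=FAIL
2024-10-01T12:00:06Z ip=203.0.113.5 user=grace result=FAIL
2024-10-01T12:00:07Z ip=203.0.113.5 user=heidi result=SUCCESS
2024-10-01T12:00:09Z ip=203.0.113.9 user=carol result=FAIL
2024-10-01T12:00:15Z ip=203.0.113.9 user=carol result=SUCCESS
2024-10-01T12:01:00Z ip=198.51.100.7 user=ivan result=SUCCESS
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    result: str


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line into a LoginEvent."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      kv["ip"], kv["user"], kv["result"])


def detect_credential_stuffing(log_text: str,
                               window: timedelta = timedelta(minutes=5),
                               min_failures: int = 5,
                               min_distinct_users: int = 4) -> dict:
    """Flag source IPs whose failed logins within a sliding window hit many
    distinct usernames. A single user retrying their own password trips the
    failure count but not the distinct-user count, so it is not flagged.
    Returns {ip: {"failures", "distinct_users", "successful_logins"}}; the
    successful logins from a flagged source are the accounts to review."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e.result == "FAIL"]
        start = 0
        for end, e in enumerate(fails):
            # Slide the window start forward until it covers only the last `window`.
            while fails[start].ts < e.ts - window:
                start += 1
            in_window = fails[start:end + 1]
            users = {w.user for w in in_window}
            if len(in_window) >= min_failures and len(users) >= min_distinct_users:
                hits = sorted({s.user for s in evs if s.result == "SUCCESS"})
                flagged[ip] = {"failures": len(in_window),
                               "distinct_users": len(users),
                               "successful_logins": hits}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(CONSTRUCTED_LOG).items():
        print(ip, info)
```

On the constructed data only 203.0.113.5 is flagged, with six failures across six accounts and a later successful login as heidi; that success is exactly the "until one of them works" outcome the text describes, and it is the account a defender would lock and re-verify. Real deployments should also key on user agent or session fingerprint, since stuffing tools rotate source addresses.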
You can check whether your information has been exposed in a data breach at the website Have I Been Pwned. (Pwned is hacker speak for "owned," meaning compromised.) This is a trustworthy website run by Troy Hunt, a respected security researcher. As of this writing, the website is tracking over 15 billion compromised credentials from data breaches.
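Have I Been Pwned also publishes its breached-password corpus through the Pwned Passwords range API, designed so that you can check a password without ever sending it (or its full hash) to the service: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix in that range, and compares locally. The code below is an added example for this article, not code from Have I Been Pwned; the endpoint URL and response format are the real ones, but the range response used in the offline demo is constructed (the first suffix is the real SHA-1 suffix of the string "password", the counts are made up).

```python
import hashlib
from urllib.request import Request, urlopen

# Real endpoint of the Pwned Passwords range API (part of Have I Been Pwned).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """SHA-1 the password and split the uppercase hex digest into the
    5-character prefix that is sent and the 35-character suffix that stays
    on this machine (k-anonymity: the server cannot tell which hash you mean)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix and
    return how many times that password appeared in breaches (0 if absent)."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) returns a range body. Only the 5-character prefix
    leaves the machine; the comparison against the full hash happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_online(prefix: str) -> str:
    """Live lookup against the real API (needs network; not used by the demo)."""
    req = Request(PWNED_RANGE_URL + prefix,
                  headers={"User-Agent": "password-hygiene-demo"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the 5BAA6 range response. Line 1 carries the real
# SHA-1 suffix of "password"; the other suffixes and all counts are made up.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher that only knows the constructed 5BAA6 range."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw, fetch_range_offline)
        print(f"{pw!r}: seen {n} times in the constructed data set")
```

Swap `fetch_range_offline` for `fetch_range_online` to query the real service. Most password managers run this same check for you, which is why they can warn that a stored password has appeared in a breach without uploading it.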
Use long, complex passwords
You should not use dictionary words as your password. Just as they have lists of leaked username and password combinations, the bad guys also have lists of the most common passwords, as well as plain old dictionary word lists. With today's fast computers and Internet connections, a brute-force dictionary attack could take under an hour.
By adding in numbers and symbols, you increase the range of available characters to be tried in a dictionary attack. And if you increase your password length, it can add days to the brute force attempt. Each additional character added to your password increases the complexity and, therefore, the amount of time needed by the bad guys.
Longer passwords are the best tool to ward off the bad guys. Think of it this way: if you have a single-letter password, it might take 26 guesses, at most, to find it. A two-letter password offers 26 times 26, or 676, possible combinations. An eight-character password using only letters increases the possible combinations to over 200 billion. But according to the National Institute of Standards and Technology (NIST), modern computers can make 100 billion guesses per second!
To that end, NIST recommends passwords be at least 15 characters long. While using a combination of upper and lowercase letters, numbers, and symbols (like dollar signs and punctuation) might make your password seem more complex, it’s actually the length of your password that makes it more secure. NIST estimates that with current technology, it would take over 500 years to run through all the passwords using just 15 lowercase letters.
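The arithmetic behind those figures is easy to check, and running it for a few lengths and character sets makes the article's main point concrete: eight characters drawn from all 95 printable ASCII symbols exhaust in under a day at 100 billion guesses per second, while fifteen lowercase letters take over 500 years. The calculator below is an added example, not part of the original article or NIST's guidance; the 100 billion guesses per second figure is the one the article cites, and the alphabet sizes are the standard counts for each character class.

```python
import math

# Guess rate cited in the article (NIST figure): 100 billion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Alphabet size for each character class a password might draw from.
ALPHABETS = {
    "lowercase letters": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "all printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: every extra character adds log2(alphabet) bits,
    which is why length dominates character variety."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this shape (average is half)."""
    return keyspace(alphabet_size, length) / rate


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(alphabet_size, length, rate) / SECONDS_PER_YEAR


def human_duration(seconds: float) -> str:
    """Render a span of seconds in the largest sensible unit."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def comparison_table(lengths=(8, 12, 15, 20)) -> list:
    """Rows of (character class, length, entropy bits, worst-case time)."""
    rows = []
    for name, size in ALPHABETS.items():
        for n in lengths:
            rows.append((name, n, round(bits_of_entropy(size, n), 1),
                         human_duration(seconds_to_exhaust(size, n))))
    return rows


if __name__ == "__main__":
    print(f"{'character class':24} {'len':>3} {'bits':>6}  worst-case time at 100 G/s")
    for name, n, bits, when in comparison_table():
        print(f"{name:24} {n:>3} {bits:>6}  {when}")
```

Note that these are worst-case exhaustive-search times for random passwords; a password built from dictionary words or common patterns falls far sooner because the attacker tries those first, which is the reason the article pairs "long" with "not a dictionary word".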
Okay, but how am I supposed to remember these long, complex passwords?
The answer is you are not supposed to remember them. And you do not have to.
Use a password manager, sometimes called a password safe or a password vault. These are tools built into your mobile phone's operating system or your web browser, or installed as browser extensions, that manage passwords for you. With one in place, you do not even need to know what the password is for a particular website. Instead, you remember the master password for the password manager and let it do its magic. This lets you have complex, lengthy passwords that are unique to each website.
Beyond passwords
In addition to keeping secure passwords, an additional layer of protection is multi-factor authentication, often abbreviated as MFA or 2FA. Not all websites offer multi-factor authentication, but when it's available, you should turn it on.
Multi-factor authentication can be handled in many different ways. Sometimes it is a temporary one-time password (OTP) that gets emailed or texted to your mobile device. Sometimes it is a separate authenticator application you install that generates a time-based one-time password (TOTP), or one where you click a button to authorize your login. Multi-factor authentication could also be a hardware device you use with your laptop or desktop to verify your identity.
In addition, an emerging authentication technology is passkeys. Passkeys are proposed as an easier and more secure alternative to usernames and passwords, using the biometric unlock mechanism built into your mobile device. Passkeys are a new technology that providers are just starting to roll out. The good news is that passkeys work with most password managers, so any transition should be relatively painless when it happens.
Browse safely
For the most part, accessing your information online involves a password of some kind. As you have read, the bad guys have sophisticated means to guess passwords, or they use existing lists of credentials that are actually valid to try to get into your account.
Using long, complex, and unique passwords is the best way to keep yourself protected. Using a reputable password manager makes this process easier to manage. Be safe out there.