Here are some suggestions, rules, and tools:
1. Don’t use the same password for more than one login. If one of those sites has a breach, the attacker now has your email (or user name) and password, and you can be sure they will try that same pair on every other site they can think of!
2. Make passwords long, and then complex. Length matters most: a four- or five-word passphrase is far harder to guess than eight characters with a symbol and a number squeezed in. Use numbers, capital and small letters, and symbols where the site allows them, but never shorten the password to fit them in.
3. Do not, do not, do not, do not keep a list of your passwords on a Post-it note on your computer. While a piece of paper in a file might have some degree of security and practicality, there are better ways to do this. On Apple products, you can create a password protected note, which is better than having a slip in your wallet – but there are better methods.
4. I recommend everyone use a password manager. I use 1Password, but there are many others; Apple builds iCloud Keychain into its ecosystem. The main benefit of a password manager is that it stores all your passwords encrypted and you don’t have to remember any of them. All you have to remember is the one password that unlocks the manager (hence the name of the one I use, 1Password). I STRONGLY suggest a dedicated password manager rather than a locked note, Keychain, or the password saver built into your web browser.
5. Another benefit of a password manager is autofill: it fills in your username and password when you visit a site it knows. It will also offer to save your password when you sign up on a new website, and can generate a long, random password for you so you never have to invent one.
6. A side benefit of this: if my password manager does NOT offer my password on a website that LOOKS LIKE my bank, for instance, that is a warning that I might be on a fake website and about to hand my username and password to a hacker! The manager matches on the site’s real address (its domain), not on how the page looks, so a lookalike address with one letter changed or extra words added gets nothing. If my password manager doesn’t recognize the website, I need to find out why before I type anything.
7. Consider trying passkeys instead of passwords. A passkey is a private key that lives on your device (your phone, your computer, or a hardware security key that plugs into a USB port) and is tied to the one website that created it. When you log in, the website sends a challenge and your device signs it after you unlock it with your fingerprint, your face, or a PIN. Nothing you could reuse or leak ever leaves the device, the biometric stays on the device, and a fake website cannot use the passkey because it is bound to the real site’s address. The website may ping your phone or watch to do the unlocking, and you can even buy a physical security key to carry with you.
8. Many websites now send a one-time code instead of asking for a password: you enter your email (or phone number) and they email or text you a code. This is great – as long as you, and only you, control where that code is delivered. If a hacker takes over your email account or your phone number, the codes go to them instead: they can log in as you, and you cannot.
9. For this reason (and others), it is critical that you use strong passwords on your high-priority accounts: your email account, financial institutions, any website where you have stored a credit card (Amazon, for example), social media accounts (Facebook, Instagram, TikTok, etc.), and of course, work-related websites. All of these should be protected with long, complex, and unique passwords – so long and complex that you could never remember them. Thus, storing them in a secure password manager would be a good idea (there is a theme here – get it?).
10. Always, always, always turn on two-factor authentication (2FA) when it is available. This is when, in addition to your password, you enter a code sent by text or email or generated by an authenticator app, usually when you log on to a site for the first time on a new device or browser. Prefer an authenticator app or a hardware security key over text messages: a texted code can be redirected to whoever takes over your phone number, while an app code is computed on your phone and never travels anywhere. It is not foolproof. If someone has your phone, they might be able to use it to reset a password. However, if you receive a code when you haven’t tried to log in to that website, you know someone else is trying to – and they probably already have your password, so change it.
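Here is a small worked example of the check behind point 6, showing how a password manager decides whether to autofill. This is added illustration code, not code from 1Password, Keychain, or any other product; the vault contents, the examplebank.com domain, and the lookalike addresses are all made up for the demonstration. Real managers use the Public Suffix List to work out a site’s registrable domain; this example assumes the saved entry is already stored under that domain.

```python
"""Origin-bound autofill: a saved login is only offered on the site it was saved for."""
from urllib.parse import urlsplit

# Constructed sample vault (not real credentials). Each entry is keyed by the
# registrable domain of the site it was saved on, never by what the page looks like.
VAULT = {
    "examplebank.com": {"username": "alice", "password": "correct horse battery staple"},
}


def host_matches(saved_domain: str, page_host: str) -> bool:
    """True only if page_host is saved_domain itself or a subdomain of it.

    The match is on a label boundary, so 'examplebank.com.login-secure.net'
    (saved domain at the front, attacker's domain at the back) does not match.
    """
    saved_domain = saved_domain.lower().rstrip(".")
    page_host = page_host.lower().rstrip(".")
    return page_host == saved_domain or page_host.endswith("." + saved_domain)


def credential_for(url: str, vault: dict = VAULT):
    """Return the login that may be autofilled on this URL, or None if nothing matches."""
    parts = urlsplit(url)
    if parts.scheme != "https":          # never fill a password over plain http
        return None
    host = parts.hostname                # drops port and any 'user@' prefix, so
    if not host:                         # https://examplebank.com@evil.net resolves to evil.net
        return None
    for saved_domain, cred in vault.items():
        if host_matches(saved_domain, host):
            return cred
    return None


def autofill_decision(url: str) -> str:
    """Human-readable version of what the manager would show the user."""
    cred = credential_for(url)
    if cred is None:
        return "NO MATCH for %s: possible fake site, check the address before typing" % url
    return "fill '%s' on %s" % (cred["username"], url)


if __name__ == "__main__":
    # Constructed test addresses: two genuine, the rest are lookalikes or unsafe.
    for candidate in [
        "https://www.examplebank.com/login",
        "https://login.examplebank.com/",
        "https://www.examplebank.com.login-secure.net/",   # saved domain as a prefix
        "https://examplebank-secure.com/",                  # extra words added
        "https://www.examp1ebank.com/",                     # digit 1 instead of letter l
        "https://www.examplebank.com@evil.net/login",       # userinfo trick
        "http://www.examplebank.com/",                      # no encryption
    ]:
        print(autofill_decision(candidate))
```

The point to notice is that the page’s appearance never enters into it: the decision is made on the host name the browser is actually connected to, which is exactly why a convincing copy of your bank’s login page gets no autofill.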
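And here is what an authenticator app from point 10 is actually doing when it shows you a six-digit code. This is an added example written for this post, not code from any particular app; it follows the published standards (RFC 4226 for HOTP, RFC 6238 for TOTP), and the secret used below is the test secret from those standards, not a real one. When you scan the QR code at enrollment, the site and your phone share a secret; from then on both sides compute the same code from that secret and the current 30-second time slot, so the code never has to be sent to you at all.

```python
"""How an authenticator app computes a time-based one-time code (TOTP, RFC 6238)."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    msg = struct.pack(">Q", counter)                     # counter as 8-byte big-endian
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)        # keep leading zeros


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time slot."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_code(secret: bytes, submitted: str, at_time=None, step: int = 30, window: int = 1) -> bool:
    """What the website does: accept the current slot plus one slot either side for clock drift.

    Comparison is constant-time so an attacker cannot learn digits one at a time.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, len(submitted)), submitted):
            return True
    return False


# The shared secret from the RFC test vectors (ASCII "12345678901234567890").
# A real enrollment uses a random secret delivered once via the QR code.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code right now:", totp(RFC_TEST_SECRET))
    print("code at RFC test time 59:", totp(RFC_TEST_SECRET, at_time=59))
```

Because the secret stays on your phone and on the site, a thief who only steals your password still cannot produce the code. That is also the limit of the scheme: whoever holds the phone, or steals the secret from a compromised site, can compute the same codes.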
The scammers are getting more and more clever and devious, as I have written about before. We have to help each other stay safe and protected! While a warning that you have a compromised password may or may not be true, we all could improve our password security. Be safe out there!