One of the most important ways to ensure that your online interactions are safe and secure is to create, use, and protect strong passwords. Good news, the process is under your control. The checklist below will help you create and use good passwords while keeping them out of the wrong hands.

Creating strong passwords

Password security starts with creating a strong password. A strong password:

  • Has at least 12 characters in it but 14 or more is better.
  • Is a combination of uppercase letters, lowercase letters, numbers, and symbols.
  • Is not a word that can be found in a dictionary.
  • Is not the name of a person or a popular entity such as a character, product, or organization.
  • Is significantly different from your previous passwords.
  • Is easy for you to remember, but difficult for others to guess.
  • Can be a memorable phrase, such as "6KittensPlaying^" or "WeHadaBaby&itsAB0y!!", which you might consider using.
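As an added illustration that is not part of the original article, the checklist above written as a small Python policy check: length, character classes, dictionary words, and similarity to previous passwords. The word list is a constructed stand-in for a real dictionary, and the 0.8 similarity threshold is an assumption.

```python
import string
from difflib import SequenceMatcher

# Constructed, deliberately tiny stand-in for a real dictionary / name list.
COMMON_WORDS = {"password", "welcome", "sunshine", "dragon", "paris", "kitten", "amazon"}

def check_password(password, previous=()):
    """Return a list of findings; an empty list means the password meets the checklist."""
    findings = []
    # Length: at least 12 characters, 14 or more preferred.
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    elif len(password) < 14:
        findings.append("12-13 characters: acceptable, but 14 or more is better")
    # Mix of uppercase, lowercase, digits and symbols.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            findings.append(f"no {name} character")
    # A single dictionary word padded with digits/symbols (e.g. "Sunshine123!") is still weak.
    core = password.strip(string.punctuation + string.digits).lower()
    if core in COMMON_WORDS:
        findings.append(f"core of the password is the dictionary word/name '{core}'")
    # "Significantly different from previous passwords": flag near-copies (assumed threshold 0.8).
    for old in previous:
        if SequenceMatcher(None, password.lower(), old.lower()).ratio() >= 0.8:
            findings.append("too similar to a previous password")
            break
    return findings
```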

For more information on strong password generation, here's a good article on the subject: How to create a strong password. If you would like to check the strength of a password, here is a free online password strength tester.

Secure your passwords

Once you’ve created a strong password, you should follow these guidelines to keep it secure:

  • Don’t share a password with anyone including friends or family members.
  • Never send a password by email, instant message, or any other means of communication that is not reliably secure.
  • Use a unique password for each website. If someone were to get hold of a password that you use on multiple websites, all the information that password protects on ALL OF THESE SITES is at risk.
  • If you do not want to memorize multiple passwords, consider using a password manager. The best password managers will automatically update stored passwords, keep them encrypted, and require multi-factor authentication for access.
  • Do not store a password on the device it is designed to protect.
  • It is acceptable to write your passwords down provided you keep them secure. Don't write them on sticky notes or cards that you keep near the device the password protects. Even if you think they are well hidden, they could be discovered: if your cat can find them, so can your foes.

Here's a thought: rather than writing down your password, consider writing down a hint that reminds you of what the password is. For example, if your password is "Paris4SpringVacation!" you could write down "Your favorite trip."

  • Whenever possible, change the password immediately on any account you suspect may have been compromised. Do this even if you merely suspect a compromise and are not certain of it.
  • Avoid entering your password on any device if you are unsure of that device's security. Shared or public devices could easily have keylogging software installed that captures your password as you type it. You should also avoid allowing your password to be saved on shared or public computers.
  • Enable multi-factor authentication (MFA) whenever available. MFA is a method of access control that requires more than one credential for verification, such as both a password and a PIN. This adds another layer of security in case someone guesses or steals your password.

Tip: If you are asked to create answers to security questions, provide an unrelated answer. For example, if the question is "Where were you born?" you might answer "Green." Answers like these cannot be found by trolling Twitter or Facebook. (Just be sure they make sense to you, so you will remember them.)

Don’t be tricked into revealing your passwords

Criminals WILL try to break your passwords, but it is often easier for them to exploit human nature and trick you into revealing it.

You might receive an email message pretending to be from an online store (like eBay or Amazon) or a phone call from your “bank” that tries to convince you of the “legitimate” need for your password or other sensitive information. It could be a phishing scam. (You may have heard these con games referred to as social engineering.)

Here are some guidelines to follow to protect your passwords and other sensitive information:

  • In general, be wary of anyone who is requesting sensitive information from you, even if it appears to be someone you know or a company you trust. For example, a crook may have hijacked a friend’s account and sent email to everyone in his/her address book. Treat all unsolicited requests for sensitive information with caution.
  • Never share your password in response to an email or phone request (for example, "to verify your identity"), even if it appears to be from a trusted company or person. PayPal, Amazon, and eBay are commonly impersonated in these requests, as are many banks such as Citibank.
  • Always access websites using trusted links. Scammers commonly copy the look of a company's communications to fool you into clicking a malicious link or attachment, so use great caution with links that appear in unsolicited emails, instant messages, or SMS messages. If in doubt, go directly to the official website of the bank or other service you're trying to access, using your own bookmark or by typing the legitimate address of the service yourself.

Multi-Factor Authentication

I made several references to this; it merits an article all to itself. Keep an eye on this space…

Please see Microsoft Support article "Create and use strong passwords" for more information.