Many arbitrary holidays exist (Tin Can Day, anyone?) but World Password Day is one that the PCWorld Staff fully supports. We’re all for ditching weak passwords—especially when shoring up your security takes only a little effort.
Follow these four easy suggestions and you’ll thank yourself for years to come. Not only will data breaches and hackers stop being immediate threats, but you won’t have to scramble to remember a collection of user names and passwords. Plus, a new form of account protection is starting to roll out, and it’s even simpler than passwords.
And trust us, you want to safeguard yourself. Data breaches are common these days, and if Bitwarden’s latest survey results are any indication, an unhealthy majority of people reuse passwords (85 percent among their respondents) and a notable number still use a variant of “password” (19 percent). Oof.
Get a password manager
Password managers make better account security so easy. You have to memorize only one strong password to safeguard all your other login info. (Here’s how to come up with a good master password.)
You shouldn’t have an issue finding a password manager that suits you, either—it’s perfectly normal to have reservations about them, but there are so many options out there. Want something that integrates seamlessly with your phone or browser? Google, Apple, and Firefox’s password managers are basic but solid. Hate the idea of all your passwords sitting in the cloud? Try KeePass or one of its variants. Need support for advanced two-factor authentication methods, like a YubiKey? Many paid services include it. Password managers are also expanding their services to include support for passkeys, a simpler yet more secure method of account protection.
Paying for a good solution isn’t always necessary, however, as you’ll see when going over our lists of the best paid password managers and the best free password managers. The kinds of features that unlock when paying for services are helpful indeed, especially if you’re using multiple devices or want to secure the passwords of multiple people, but they don’t tend to be absolutely vital otherwise. That said, our go-to solution—Dashlane—makes managing passwords dead simple and only costs $33 per year, or $2.75 per month. It’s money well spent for the added security (and the extra polish).
And don’t worry if you try one service and don’t like it. Exporting and importing password databases is simple.
Use strong, unique passwords for everything
Even websites that barely register in your memory deserve a strong, unique password. If you’ve left behind traces of personal information—or financial information, like stored credit card info—unauthorized access to your account could lead to future headaches.
Normally, remembering a strong, random, and unique password for every place you visit on the internet would be a pain in the rear. These days, it seems like everything requires a login. But with a password manager (which of course you’ve just set up!), you no longer have that responsibility. So long as you have the browser extension or app installed on your phone, you can let it choose a password for you. Just tell it how many characters in length and what mix of them. (Security experts currently recommend 24 characters in length, randomly generated with numbers, letters, and special characters.) The fun part is that because you don’t have to memorize each password yourself, long and complex strings aren’t a hassle.
If you want to really level up your login security, you can use strong, unique user names, too. With a password manager tracking everything, being randominternetuser13960 on one site, ithurtstomove4582 on another, and pizzadaze2259 on a third is a cinch. Have to use an email address for your login? Gmail and some other email providers let you create aliases by adding a plus sign (+) and phrase after your account name. So for example, you could use emailaddress+likesbooks@gmail.com to distinguish that particular site.
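As an added illustration (not code from this article or from any password manager), here is roughly what the generator does when you ask for 24 random characters, along with a random user name and a plus alias. The special-character set and the `user` + hex name format are assumptions made for the example.

```javascript
// Added example: a sketch of what a password manager's generator does.
const nodeCrypto = require('node:crypto');

// Character classes; the exact set of special characters is an assumption.
const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  special: '!@#$%^&*()-_=+[]{}',
};
const ALPHABET = Object.values(CLASSES).join('');

// crypto.randomInt uses the OS CSPRNG and has no modulo bias,
// unlike Math.random() or randomByte % n.
const pick = (chars) => chars[nodeCrypto.randomInt(chars.length)];

function generatePassword(length = 24) {
  if (length < 4) throw new RangeError('need at least one character per class');
  // Redraw the whole password until every class appears, so the result
  // stays uniformly random among passwords that satisfy the site's rules.
  for (;;) {
    const chars = Array.from({ length }, () => pick(ALPHABET));
    const ok = Object.values(CLASSES).every((cls) => chars.some((c) => cls.includes(c)));
    if (ok) return chars.join('');
  }
}

// Upper bound on guessing entropy for a password of this length.
const entropyBits = (length = 24) => length * Math.log2(ALPHABET.length);

// Random per-site user name (hypothetical format: "user" + 12 hex digits).
const randomUsername = () => `user${nodeCrypto.randomBytes(6).toString('hex')}`;

// Per-site plus alias: emailaddress@gmail.com -> emailaddress+tag@gmail.com
function plusAlias(address, tag) {
  const at = address.lastIndexOf('@');
  if (at < 1 || !/^[a-z0-9]+$/i.test(tag)) throw new Error('bad address or tag');
  return `${address.slice(0, at)}+${tag}${address.slice(at)}`;
}
```

With this 80-character alphabet, a 24-character password carries roughly 151 bits of entropy, far beyond what offline guessing can cover.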
Enable two-factor authentication, too
We hate to say it, but these days, strong passwords alone aren’t enough to ward off threats. Data breaches happen, and so do moments of being caught off-guard by phishing attempts.
Two-factor authentication adds another layer to your login process. Instead of having immediate access to your account upon entering your user name and password, you’ll have to input more information and pass another security check before access is granted. (You can read more about how 2FA works in our explainer, which also gives more details on the common forms available.)
Like using a password manager, two-factor authentication doesn’t have to be a cumbersome addition to your login process. Apps like Authy, Aegis, and Raivo make accessing your 2FA codes on multiple devices simple, and support easy security measures like biometric authentication to protect those codes from prying eyes.
We of course recommend enabling two-factor authentication on as many accounts as possible, but at minimum, do it for major accounts like email and financial services—places with info that could wreak havoc on your life if someone else got unauthorized access. Also consider protecting your Amazon, social media, Steam, and work accounts (and their info ripe for use in social engineering) in this way.
For sites that don’t have two-factor authentication—which sadly includes a large number of e-commerce sites—you can help limit damage from unauthorized account access by not leaving your credit card information or address on file.
Use a passkey
This may be a bit novel for most people to use just yet, but a new form of account authentication is here and finally spreading out into the vast wild. They’re called passkeys, and they cut out a lot of the hassle of using passwords…while also providing strong security out the gate.
You just need a device like a phone or a tablet to serve as an authenticator. It’ll be registered to your account when you generate the passkey. Afterward, you’ll get prompts on the device to authorize logins, which you’ll approve using face identification, a fingerprint, or a PIN. It’s incredibly simple, and more importantly, passkeys are more resistant to the current effects of data breaches. Because they rely on asymmetric cryptography, a hacker can’t guess at your passkey based on the compromised website’s encrypted login data. Only you have the other part of the puzzle, and it’s a different kind of piece than the part saved to your website account.
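To make the "different kind of piece" concrete, here is an added example (not from this article, and not the real WebAuthn message format) that simulates the flow: the site stores only a public key, and each login is a signature over a fresh challenge. The `Site` class, `createPasskey`, `approveLogin` and the account name are hypothetical names used for illustration.

```javascript
// Added example: simplified passkey flow, not real WebAuthn message formats.
const nodeCrypto = require('node:crypto');

// Authenticator (your phone or tablet): the private key never leaves it.
function createPasskey() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// What happens when you approve a login prompt: sign the site's challenge.
const approveLogin = (passkey, challenge) =>
  nodeCrypto.sign('sha256', Buffer.from(challenge), passkey.privateKey);

// Website: keeps only the public key, plus one pending challenge per user.
class Site {
  constructor() { this.accounts = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.accounts.set(user, { publicKeyPem }); }
  startLogin(user) {
    const challenge = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, signature) {
    const challenge = this.pending.get(user);
    const account = this.accounts.get(user);
    this.pending.delete(user); // each challenge is single-use
    if (!challenge || !account) return false;
    return nodeCrypto.verify('sha256', Buffer.from(challenge), account.publicKeyPem, signature);
  }
}

function breachDemo() {
  const site = new Site();
  const passkey = createPasskey();
  site.register('alice', passkey.publicKeyPem);

  const signature = approveLogin(passkey, site.startLogin('alice'));
  const legit = site.finishLogin('alice', signature);

  site.startLogin('alice'); // fresh challenge, old signature replayed
  const replay = site.finishLogin('alice', signature);

  // Constructed breach: the whole account table leaks.
  const dump = JSON.stringify([...site.accounts]);
  const forged = approveLogin(createPasskey(), site.startLogin('alice'));
  const intruder = site.finishLogin('alice', forged);
  return { legit, replay, intruder, dumpHasPrivateKey: dump.includes('PRIVATE KEY') };
}
```

The leaked table contains nothing that can produce a valid signature, which is why a breach of the site does not hand over a usable credential the way a leaked password hash can.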
You can read more about passkeys in our coverage of Google’s recent launch of passkey support for its accounts (as well as in Google’s own excellent overview of the topic), but basically, this is the future of online security. It eliminates the hassles of passwords, along with the pressing need for two-factor authentication, and should make protecting your accounts much easier. Especially since password managers will soon start allowing you to save your passkeys to a vault, making them as flexible and accessible as passwords.
There’s more you can do, of course—and it’s also easy
All set up with your password manager and two-factor authentication, and feeling primed to go even further? Learning more of the ins and outs of your password manager will help integrate it into your life even more seamlessly. Installing your service’s companion smartphone app and browser extension is just a starting point—check out our guide on how to make the most of your password manager for more tips. You can also have a look at our story about 5 easy tasks that supercharge your security. If you’ve followed this article’s advice, you’re already more than halfway there!