Common Guidance on Passwords

Protecting Your Accounts and Devices

We believe that using stronger authentication is one of the most effective and inexpensive steps that can be taken to secure organizations and people online. On World More Than A Password Day, November 10, 2023, we issued the first Common Guidance on Passwords. On World More Than A Password Day, November 12, 2024, together we issue this updated version specifying simple steps that anyone can take to be more secure:

Steps to Take Now 

  1. Use password-free authentication

Use password-free (passwordless) authentication, such as passkeys (other terms are sometimes used), whenever you can. Passkeys are easier to use and more secure than passwords. They use public-key cryptography to verify your identity online: the private key is generated and stored on your device and is never shared, the site holds only the matching public key, and your device only signs login challenges for the site the passkey was created for, so a look-alike phishing site cannot use it. The most popular operating systems, browsers, and email services support passkeys; just search for “passkey” and the name of your operating system, browser, or site/service.

  2. Secure your email account

If you use password authentication for your email accounts, use a very strong password (long, randomly generated, and unique; see Use Strong Passwords | CISA) and multifactor authentication/two-step verification (see the next step below). Email is the most common channel for resetting the passwords of your other accounts, so you want to make sure no one else can “reset” your passwords and get access to your accounts.

  3. Add an extra layer of security above using passwords alone

Using a hardware security key or token, an authenticator app, or a one-time code sent by SMS as a “second factor” in addition to your password can help prevent phishing and other attacks. This process can be called multifactor authentication (MFA), two-factor authentication (2FA), or two-step verification. The better forms of additional security are a hardware token or an authenticator app on your phone; do not rely on SMS messages for the second factor, because SMS codes can be intercepted or redirected (for example, through SIM swapping). Note that a code from an authenticator app can still be phished if you type it into a fake site that relays it to the real one within the code’s validity window; only hardware security keys and passkeys, which are bound to the genuine site, resist that.

  4. Use a password manager

If you have accounts that only use passwords, consider using a password manager so you won’t need to memorize dozens of passwords. Using a password manager means you can use strong, randomly generated passwords that are much harder to guess. Software password managers, browsers that manage your passwords, and operating systems can all do a good job. Of course, the password for your password manager must be both strong and memorable (see the next step to pick a good password), and you must respond quickly to change all your passwords if your password manager service is compromised. More detailed guidance on password managers is available, for example, from the UK NCSC (Password managers: using browsers and apps to safely store your passwords) and the Canadian Centre for Cyber Security (Password managers: Security tips (ITSAP.30.025)).

  5. Use a recommended technique to pick passwords

If you are picking your own passwords rather than having your computer or password manager generate them, use a passphrase (Best practices for passphrases and passwords (ITSAP.30.032)) or a technique like the UK NCSC’s “Three Random Words” to pick passwords that are easier to remember but hard to guess (Three random words – NCSC.GOV.UK). The strength of either comes from choosing the words at random from a large list, not from words that are meaningful to you.
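Step 1 above says a passkey keeps the private key on your device and only works for the site it was created for. The following added example (not code from Nonprofit Cyber or from any passkey implementation, and a simplified model rather than the WebAuthn protocol) shows why that makes passkeys phishing-resistant: the device signs the site's challenge together with the origin the browser reports, so a signature produced on a look-alike domain does not verify at the real site. The names `Authenticator`, `Site`, `Register`, `Assert` and `Verify`, and the domains `example.com` and `examp1e.com`, are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the secret side of a passkey. The private key is
// generated on the device and never leaves it; only the public key goes to
// the site at registration. (Illustrative model, not a WebAuthn library.)
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // the site this passkey was created for
}

// Site models the relying party. It stores only the public key.
type Site struct {
	rpID string
	pub  *ecdsa.PublicKey
}

// Register creates a P-256 key pair bound to rpID and hands the site the
// public half. The private half stays inside the Authenticator.
func Register(rpID string) (*Authenticator, *Site, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID},
		&Site{rpID: rpID, pub: &priv.PublicKey}, nil
}

// NewChallenge returns 32 fresh random bytes. A new challenge per login is
// what stops a captured signature from being replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage is the data actually signed: the origin the browser reports
// plus the site's challenge. Folding the origin into the signed data is what
// makes the credential useless to a look-alike site.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs the challenge for the origin the browser says is asking.
// A real browser/authenticator refuses when origin does not match rpID; this
// model signs anyway so the verifier-side failure can be demonstrated.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(origin, challenge))
}

// Verify checks an assertion against the challenge this site issued and the
// site's own identity. A signature made for any other origin fails here.
func (s *Site) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(s.pub, signedMessage(s.rpID, challenge), sig)
}

// Scenario runs a genuine login and a phishing attempt against the same
// passkey and reports whether each one verifies at the real site.
func Scenario() (genuine bool, phished bool, err error) {
	auth, site, err := Register("example.com")
	if err != nil {
		return false, false, err
	}
	// Genuine login: the browser really is on example.com.
	ch, err := NewChallenge()
	if err != nil {
		return false, false, err
	}
	sig, err := auth.Assert("example.com", ch)
	if err != nil {
		return false, false, err
	}
	genuine = site.Verify(ch, sig)

	// Phishing: the victim is on examp1e.com (assumed look-alike), which
	// relays the real site's challenge. The signature covers the wrong
	// origin, so the real site rejects it.
	ch2, err := NewChallenge()
	if err != nil {
		return false, false, err
	}
	sig2, err := auth.Assert("examp1e.com", ch2)
	if err != nil {
		return false, false, err
	}
	phished = site.Verify(ch2, sig2)
	return genuine, phished, nil
}

func main() {
	genuine, phished, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine login verifies:", genuine)
	fmt.Println("phished assertion verifies:", phished)
}
```

Contrast this with a password: whatever you type into the look-alike site is exactly what the attacker needs at the real one. Here the attacker obtains a signature, but it is only valid for a domain the real site will never accept.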
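Steps 4 and 5 above both rest on the same idea: a password is strong because it was chosen uniformly at random from a large space, whether that space is characters (a password manager's generated password) or words (a "three random words" passphrase). The following added example (not code from Nonprofit Cyber, the NCSC or any password manager) generates both kinds with a cryptographic random source and reports their entropy in bits, so the reader can see that three words from a sixteen-word list is weak while three or four from a list of thousands is not. The `Alphabet` constant, the sixteen-word `SampleWords` list and the function names are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Alphabet is the character set a typical password manager draws from.
const Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_"

// SampleWords is a constructed list for demonstration only. Real word
// lists (EFF's long diceware list has 7776 entries) are far larger, and the
// strength of a passphrase depends directly on the list size.
var SampleWords = []string{
	"anchor", "basket", "canyon", "dolphin", "ember", "falcon", "garnet", "harbor",
	"island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
}

// pickIndex draws a uniform index in [0, n) from crypto/rand. Never use
// math/rand for secrets: its output is predictable from a small sample.
func pickIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// RandomPassword builds a password of `length` characters from Alphabet,
// the kind of password a manager generates for a site.
func RandomPassword(length int) (string, error) {
	var sb strings.Builder
	for i := 0; i < length; i++ {
		idx, err := pickIndex(len(Alphabet))
		if err != nil {
			return "", err
		}
		sb.WriteByte(Alphabet[idx])
	}
	return sb.String(), nil
}

// RandomWords builds an n-word passphrase from words, in the style of the
// NCSC "three random words" advice, joined by sep.
func RandomWords(words []string, n int, sep string) (string, error) {
	chosen := make([]string, 0, n)
	for i := 0; i < n; i++ {
		idx, err := pickIndex(len(words))
		if err != nil {
			return "", err
		}
		chosen = append(chosen, words[idx])
	}
	return strings.Join(chosen, sep), nil
}

// EntropyBits is log2(choices^count): the size of the search space, as a
// power of two, for an attacker who knows exactly how the secret was made.
func EntropyBits(choices, count int) float64 {
	return float64(count) * math.Log2(float64(choices))
}

func main() {
	pw, err := RandomPassword(16)
	if err != nil {
		panic(err)
	}
	pp, err := RandomWords(SampleWords, 3, "-")
	if err != nil {
		panic(err)
	}
	fmt.Printf("password   %q  %.1f bits\n", pw, EntropyBits(len(Alphabet), 16))
	fmt.Printf("passphrase %q  %.1f bits (16-word demo list)\n", pp, EntropyBits(len(SampleWords), 3))
	fmt.Printf("3 words from a 7776-word list: %.1f bits\n", EntropyBits(7776, 3))
	fmt.Printf("4 words from a 7776-word list: %.1f bits\n", EntropyBits(7776, 4))
}
```

The entropy figure assumes the attacker knows the method and the list; that is the right assumption, because the method is published guidance. It is also why words you pick yourself (pet names, places, song titles) are worth far less than the same number of words drawn at random.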

If You are “Hacked”

  1. Changing passwords

Your passwords should be changed immediately if one of your devices is compromised (for example, a hacker installs malware on your computer). If an online site or service you use (an email service, a website, etc.) is hacked, change your password for that site or service and anywhere else you have reused that password (and you really should not reuse passwords). Subscribing to breach notifications at https://haveibeenpwned.com/ is a good way to learn when an account tied to your email address appears in a known breach and its password needs updating. Finally, change passwords from a device that hasn’t been compromised; otherwise the attacker may capture the new passwords too.

Note for providers: Require or support strong authentication rather than requiring that passwords be periodically changed. You may find this guidance helpful: Multi-factor authentication for your corporate online services.

Signatories

For issues, please reach out to info@nonprofitcyber.org.

License

The textual content of “Protecting Your Accounts and Devices: Common Guidance on Passwords” is released under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license. This license allows anyone to reuse textual content in any way they choose. Reuse includes charging money for access to the content, distributing it wherever and however they like, and modifying it however they see fit. If you alter CC BY-SA 4.0 content, you must also release your derivative work under the CC BY-SA 4.0 license.

Any use of this CC BY-SA 4.0 content must provide credit to “Nonprofit Cyber – Protecting Your Accounts and Devices: Common Guidance on Passwords.”