I'm a giant fan of this topic not just today but every day. In the security world, we love to complicate things and shout at other security people about complex technical issues, leaving those in the general public confused about what steps to take. But password security is the #1 area the average person (and even most organizations to a degree) can focus on to make themselves more secure.
Historically, a valid username and password was all that was needed to log in to a system, website, or service. This presents a security challenge because it is just one factor (something you know), and anyone who can guess your password or find it in a breach dump will be able to log in, too. Multi-factor authentication (MFA) adds an additional requirement - generally something you have - on top of knowledge of a valid username and password. Most often this means a notification or code pushed to your phone via an app or text message. Many services and vendors are at least starting to offer the ability to enable MFA, but it is not often enabled by default.
This is probably the most important bang-for-your-buck step someone can take and the one I suggest to the general public most often. It stops the most common password attacks - such as the Ring camera "hack" this past December - dead in their tracks. While Ring garnered its fair share of negative press as a result, the attackers actually obtained access to Ring accounts by using credentials for other services which had been leaked and were readily available on the internet. Because email addresses and passwords were reused for Ring accounts that were not secured with MFA, attackers could simply replay these breached credentials to obtain access (more on this in a bit). Ring has since enabled MFA and now requires it in order to log into accounts.
A password manager is an app which stores your passwords for your various accounts and centralizes them. This might seem crazy on the surface, but it offers a few key benefits:
There are many choices when it comes to password managers, such as LastPass, 1Password, and Dashlane, and Apple even has one built into all iOS devices. Which one you choose matters less than just making sure you use one. If you don't, you more than likely have some room for improvement in one of the next two areas.
The conventional password guidance over the last thirty years has been to use at least eight characters, include at least one uppercase, lowercase, number, and symbol character, and to change passwords every 90 days. In other words, the focus has been on complexity (including different kinds of characters) and on changing passwords faster than attackers can crack them (at least faster than the Soviets could in the 80s). These requirements have caused people to choose short words they remember - like their dog's name, or the season - and then add numbers, symbols, or the current year until the complexity requirements are met, resulting in something like Scooby#2, which is an easy password to guess even if an attacker has to brute force all possibilities.
Instead, emphasizing length is a better approach. For example, although the password "my dog scooby is an awesome dog who i love very much" meets none of the aforementioned complexity requirements, it is a more secure password than Scooby#2 and is easier to remember.
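To make the length-versus-complexity point concrete, here is an added example (not code from the original post) that scores the two passwords above. It checks the legacy "8 characters, one of each class" rule, estimates the exhaustive-search keyspace from the length and character classes used, and checks a constructed weak-password list; the guess rate of 1e11 per second and the weak list are assumptions for illustration.

```python
import math
import re
from dataclasses import dataclass

# Constructed list standing in for a breach/common-password feed; not real breach data.
KNOWN_WEAK = {"scooby#2", "spring2020", "summer2020", "password1"}

# Printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols (space included).
CLASSES = {
    "lower": (r"[a-z]", 26),
    "upper": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "symbol": (r"[^A-Za-z0-9]", 33),
}

@dataclass
class Assessment:
    meets_legacy_policy: bool   # 8+ chars and one of each class
    keyspace_bits: float        # log2 of strings an exhaustive search must cover
    hours_to_exhaust: float     # at the assumed guess rate
    known_weak: bool            # appears in the constructed weak list

def present_classes(pw: str) -> set:
    return {name for name, (pattern, _) in CLASSES.items() if re.search(pattern, pw)}

def meets_legacy_policy(pw: str) -> bool:
    """The thirty-year-old rule: at least 8 characters and one of every class."""
    return len(pw) >= 8 and present_classes(pw) == set(CLASSES)

def keyspace_bits(pw: str) -> float:
    """Work for an attacker who knows only the length and character classes used.
    This is an upper bound: dictionary and rule-based guessing finish far sooner,
    which is why the known-weak check matters as much as the number."""
    alphabet = sum(CLASSES[name][1] for name in present_classes(pw))
    return len(pw) * math.log2(alphabet)

def assess(pw: str, guesses_per_second: float = 1e11) -> Assessment:
    """guesses_per_second is an assumed rate for a well-resourced offline attack."""
    bits = keyspace_bits(pw)
    hours = 2 ** bits / guesses_per_second / 3600
    return Assessment(meets_legacy_policy(pw), bits, hours, pw.lower() in KNOWN_WEAK)

if __name__ == "__main__":
    for pw in ("Scooby#2", "my dog scooby is an awesome dog who i love very much"):
        a = assess(pw)
        print(f"{pw!r}: policy={a.meets_legacy_policy} bits={a.keyspace_bits:.1f} "
              f"hours={a.hours_to_exhaust:.3g} known_weak={a.known_weak}")
```

Scooby#2 passes the legacy policy yet sits at roughly 52 bits (under a day of exhaustive search at the assumed rate) and is on the weak list, while the passphrase fails the policy and is far beyond any brute-force budget.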
NIST, which is responsible for a lot of this guidance, recently shed the outdated requirements and updated their standards, but most of the world has not caught up.
Again, it is better to use a password manager and set a long, random password you do not know at all, but when you cannot, use longer passwords.
Perhaps the biggest issue with passwords in both corporate environments and across the general public is that people tend to reuse the same password everywhere. This is a problem for multiple reasons:
It might seem hard to use a unique password for each login, but it is a critical step to securing your accounts and is made easier by following the guidance above to use a password manager.
In corporate environments, the answer can depend on the type of data, user, and environment associated with the login, but it is more clear cut for the average person: you don't have to change your passwords very often unless there is a reason to. Although people may have become used to 30, 60, or 90 day password reset requirements, that guidance led people to create terrible passwords such as Spring2020 - one of the most common passwords we find in environments - just so they could change their passwords while still being able to remember them.
Instead, the average person should set a great password - long, random, and unique - from the start and not change it very often unless it has been breached or forgotten, or there is a credible threat, such as accidentally responding to a phishing email.
Happy National Password Day!