World Password Day 2022

Today is World Password Day!

It's a reminder that all your passwords (with a few exceptions, such as device passwords/PINs) should be strong: random, long (a minimum of ~15 characters, but why not choose 30), and unique (i.e., no password ever used for more than one account). This may sound hard to do, but it's easy with a password manager (e.g., BitWarden, 1Password, LastPass).

To go along with strong passwords, you should enable two-factor authentication (2FA) on all your accounts that support it. For most users the TOTP type of 2FA (e.g., Authy, Google Authenticator) is a good balance of security and usability; use the SMS type of 2FA only if no other type is available.

If you do nothing else, make sure your primary email account follows the above guidelines: if an attacker can take over that account, they can take over most of your other accounts by doing a password reset on them.

For larger organizations, Single Sign-On (SSO) is a nice way to get rid of most passwords for users.