Enforce strong password guidelines
NIST, the National Institute of Standards and Technology, recommends the following guidelines; adopt them where they work for your environment. Long passphrases (15+ characters) are more secure than short, complex, frequently changed ones. Use dark web monitoring to check against breached password lists, remove mandatory 90-day resets, drop character complexity requirements, and discontinue the use of security questions.
- Length & Complexity: Passwords should be a minimum of 15 characters, with up to 64 allowed, emphasizing long passphrases (e.g., “SingingLittleRedCorvette”).
- No Forced Expiration: Do not require regular password changes (e.g., every 90 days) unless there is evidence of compromise.
- Remove Complexity Rules: Do not force users to include special characters, numbers, or uppercase letters, as this leads to predictable patterns.
- Check Against Blocklists: Systems must check passwords against dictionaries of known compromised or easily guessed passwords (e.g., “Password123!”).
- No Security Questions: Eliminate knowledge-based authentication (KBA) like “What was your first pet?”.
- Encourage Password Managers & MFA: Use multifactor authentication (MFA) and password managers to generate and store long, unique passwords.
- Support Unicode: Systems should allow all printable ASCII and Unicode characters (including spaces) to increase entropy.
Some websites may not enforce the guidelines above; always follow the security requirements of each program you use and choose the longest password it allows, since the longer the password, the harder it is to crack.
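As an added illustration (not part of the original guidance), the following Python check implements the rules listed above for a system accepting new passwords: a 15 to 64 character range, every printable Unicode character including spaces accepted, no composition rules, and a case-insensitive comparison against a blocklist. The blocklist entries are constructed samples standing in for a real breached-password corpus.

```python
import unicodedata

MIN_LEN = 15  # minimum length from the guidelines above
MAX_LEN = 64  # maximum length a system must accept

# Constructed sample blocklist; a real deployment would load a breached-password list.
BLOCKLIST = {"password123!", "qwertyuiopasdfgh", "correct horse battery staple"}


def normalize(password: str) -> str:
    """NFKC normalization so visually identical Unicode input compares consistently."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, blocklist=BLOCKLIST) -> list:
    """Return the reasons a password fails; an empty list means it is acceptable.

    Deliberately absent: any requirement for digits, symbols or mixed case,
    because the guidelines drop character-composition rules.
    """
    pw = normalize(password)
    problems = []

    # Length is counted in code points, so spaces and non-ASCII letters all count.
    n = len(pw)
    if n < MIN_LEN:
        problems.append(f"too short: {n} < {MIN_LEN} characters")
    if n > MAX_LEN:
        problems.append(f"too long: {n} > {MAX_LEN} characters")

    # Reject only non-printing characters (Unicode categories Cc, Cf, Co, Cn);
    # every printable character, including spaces, is allowed.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        problems.append("contains control characters")

    # Case-insensitive blocklist lookup so trivial case variants do not slip through.
    if pw.casefold() in blocklist:
        problems.append("found in compromised/common password blocklist")

    return problems
```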
Enforce System Patching
A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bug fixes, and improving the usability or performance.
Keeping your systems up to date denies attackers the use of vulnerabilities that have already been identified in the software you run. As soon as a patch is available it should be installed, both to close security holes and to pick up performance improvements.
Almost all software today has patches or software releases to fix vulnerabilities that are found. To learn more about patching, see the Federal Trade Commission’s website Onguardonline.gov.
Use Encryption
Encryption is your digital “curtain” that keeps private information hidden from anyone who doesn’t have the “key” to see it. Whether you’re a casual browser or a business owner, encryption is the only way to ensure that your private messages, emails, and files stay private.
- In Transit: When you send an email or browse an HTTPS website, encryption scrambles the data so that hackers on public Wi-Fi or your Internet Service Provider (ISP) can’t “eavesdrop” on your passwords or credit card numbers.
- At Rest: If your laptop or phone is lost or stolen, full-disk encryption (like Windows BitLocker or Apple FileVault) makes your files unreadable to the thief.
Use Antivirus or Antimalware Software
Every system should have antivirus or antimalware software installed. This is like having a digital security system that guards your device against threats that evolve daily. Even if you are a careful browser, modern attacks often use “zero-day” exploits—vulnerabilities that developers haven’t yet patched.