I’m a security expert — here’s my top 3 tips for protecting your accounts on World Password Day

A person entering their password on a smartphone in a crowded location
(Image credit: Shutterstock)

Even though deep down you know better, sometimes there are just things we need to be reminded of every year to get us back on track. Unfortunately, good password hygiene is one of them despite the fact that we use passwords for dozens of online accounts each day.

For this reason, the first Thursday in May was designated as World Password Day by cybersecurity professionals back in 2013. However, credit for the idea behind the day actually goes to a security consultant named Mark Burnett who wrote the definitive guide to passwords almost two decades ago. 

In 2005’s Perfect Passwords, Burnett warned readers about all of the common password mistakes they were likely making such as using the names of family members or pets to make their passwords easier to remember. He also included a ranked list of the 500 worst passwords at the time from “123456” to “qwerty” to just using “password” by itself.

While the world has changed a lot since Burnett first wrote his guide on passwords, unfortunately, human nature hasn’t. People love to take shortcuts despite knowing what’s at risk. When it comes to passwords though, your entire digital life could be on the line.

I’ve been writing about cybersecurity from hackers to malware and of course, password hygiene for a decade now and here are three tips I learned along the way to help you correct course when it comes to your own passwords this World Password Day.

Coming up with strong passwords can be easy

A woman looking at a smartphone while using a laptop

(Image credit: Shutterstock)

When signing up for a new online account, coming up with a password is usually the last step despite being the most important. As many people just want to get the process over with, they might cut corners by coming up with a simple password that could easily be cracked or even worse, they might just reuse a password from another account.

Password reuse is extremely dangerous since once hackers gain access to one of your accounts, they will then try those credentials on other sites through a process known as credential stuffing. If you use the same username and password across multiple sites, when your credentials are stolen or exposed online, it’s then very easy for hackers to try and use them with your other online accounts.

This is why you need to come up with strong and unique passwords for each of your online accounts. Ideally, they should be between 8 and 12 characters but remember, the longer the better. You also want to combine letters, numbers and symbols to make your passwords much harder to guess.

In a blog post, Trend Micro also points out that you want to avoid using any letters and numbers in a sequence. Many of the worst passwords do this as typing “12345” or “qwerty” on your keyboard is easy to do and also easy to remember. The security firm also recommends that you want to avoid changing just one character whenever you update your password. Instead, you want to come up with a brand new password every time.

Best antivirus software

(Image credit: Shutterstock)

I also have my own trick for coming up with strong passwords that are also easy to remember. Since most passwords are tied to an online service, I like to use the name of the service in my passwords while breaking up the words and using a variety of lowercase and uppercase letters along with symbols to separate them and numbers to set them apart.

For example, for a Netflix account, I might use the word “Netflix” but break it up as “net” and “flix”. From there, I’d capitalize some of the letters in both words like “nEt” and “fliX” and then use an underscore between them. To truly set my homemade passwords apart, I often look at the clock right when I’m making them to get some random numbers to tack on at the end which would give me “nEt_fliX_0018”. This password is 13 characters long and won’t be easy to crack or for hackers to guess especially since it would only be for this one account.

If this is a bit too much for you and you’d rather have someone else come up with your passwords, you’re in luck as there are plenty of free password generators available online. These services can come up with strong and unique passwords for you but you still need to store them somewhere safely.

When in doubt use a password manager instead

Passwords written down in a notebook

(Image credit: Shutterstock)

Besides coming up with strong and unique passwords for each of your online accounts, you also have to store them somewhere securely.

Although we constantly see passwords scrawled onto sticky notes in movies, this is the last thing you want to do. Likewise, you shouldn’t write down your passwords and keep them in a notebook because if someone gets a hold of it, the consequences can be just as bad as password reuse. 

While you might think keeping all of your passwords in a document or spreadsheet on your computer might be safer, it actually isn’t. There are plenty of dangerous malware strains that are designed specifically to seek out certain file types and look for credentials stored on your computer. So if you can’t write down your passwords in a notebook or store them in a document on your computer, where should you put them?

A phone and tablet sharing passwords using Google Password Manager

(Image credit: Google)

As remembering all of your passwords on your own can be difficult, many people use one of the best password managers instead. These services securely store your passwords online in an encrypted format and when you need to access them, you can use a master password or even biometrics like your fingerprint to do so. Besides storing your passwords, almost every password manager is able to autofill them when you try to login to a website, app or other online service. 

Many password managers also can point out if your passwords are weak or if they’ve been discovered on the dark web after being exposed online as the result of a data breach. From here, they can help you come up with new, stronger passwords as they all come with their own built-in password generators.

There are a lot of great paid password managers out there and we highly recommend 1Password, Keeper, NordPass, Bitdefender Password Manager and Dashlane. However, there are also some great free options out there with Bitwarden leading the charge. At the same time, Apple’s iCloud Keychain, Microsoft’s Credential Manager and Google Password Manager all work quite well and come included in each company’s respective operating system and software. 

You’re going to have to find the right password manager for your own security and workflow but there is another option you might want to consider if you just want to be done with passwords altogether.

Ditch passwords for passkeys

An iPhone showing passkeys

(Image credit: Shutterstock)

If passwords are the bane of your existence, then I have some good news for you. While some people are working to educate others on the importance of using strong and unique passwords, others want to do away with them entirely as we move towards a passwordless future. One of the main ways in which businesses and organizations are doing this is through passkeys.

The goal of passkeys is to make all of your accounts more secure by using passwordless login in place of traditional passwords. The way this works is that each passkey is a unique digital key that can’t be reused which is stored in an encrypted format on your devices instead of on a company’s servers. There’s another upside to this as unlike with passwords, your passkeys can’t be exposed online in the event of a data breach.

If you’re familiar with two-factor authentication (2FA), passkeys work in sort of a similar way. As part of the setup process, you need to confirm your authenticator which can be your smartphone, another mobile device or even a password manager that supports passkeys. However, the authenticator also requires that you use another form of verification to access your password. This could be a master password like with password manager but it could also be biometrics such as your face or fingerprint.

iOS 16 passkeys

(Image credit: Tom's Guide)

From here, it’s all about private and public encryption keys. While the public key is stored on a company’s servers for when you want to login, the private key remains secret and is only stored on your device. During login, a site’s server sends a challenge to your authenticator which your private key will solve and then a response is sent back. The server is able to verify that the public and private keys match and you can then login to an account. It’s also worth noting that a company’s server doesn’t need to know the contents of your private key to verify it.

Passkeys are a bit harder to understand than a password manager but we’ve seen more and more companies support them since they were first introduced. One big reason behind this is that Microsoft, Apple, Google and other tech giants are leading the charge for their adoption.

Passwords are like underwear

Whether you come up with passwords on your own, use a password generator or a password manager to do so or if you've ditched passwords altogether for passkeys, there’s one takeaway that I want you to remember this World Password Day.

Passwords are like underwear and yes, you read that correctly. You want to change them regularly, you don't want to leave them out where other people can see them and you absolutely don’t want to share them with anyone else.

I know coming up with strong and unique passwords for each of your online accounts can be a daunting task but if you start small and remember what’s at stake, you’ll be able to greatly improve your own password hygiene.

More from Tom's Guide

Contract Length
Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.