World Password Day is here, and that means we're going to be talking security. A lot of security, with best practices, things to watch out for, and tips for the best password managers and other ways to secure your online accounts. We've all got dozens of online accounts by this point, and keeping track of them is a chore, even with a password manager, but how do you know that your passwords are safe? If you spot any of the behaviors on this list, change your password as soon as you can. And always remember to use unique logins for every account, so the risk of losing multiple accounts is reduced.

8 Suspicious activity on your accounts

Not sure if you changed those settings? Someone might have done it for you

Sometimes, hackers will get into your accounts and wait for their moment to strike. You might not notice they're there, or you might think settings have changed on their own, or you might see other changes to the account and not be sure whether they came from the service provider or from a glitch. They're likely neither, and someone might be in your account, changing security settings so that they can lock you out eventually. Change your password if you notice weird settings changes, especially to things like recovery emails.

7 Alerts about unauthorized access attempts

Or if you start getting 2FA or MFA notifications when you're not doing anything

Two-factor authentication is the best way to add another layer of security to your online accounts, and we always recommend enabling it wherever possible. But if you start getting SMSes with 2FA codes or your code generator app starts popping up notifications without you doing anything, go log into that account and change your password out of an abundance of caution. The only way you'd get that 2FA notification is if someone has your login details, so make it harder for them and change it before they succeed.

6 You get a data breach notification

Or if you checked your email on haveibeenpwned

According to the University of Maryland, a hacking attempt happens every 39 seconds. And that's only half the story, because the study was only done on "brute force" hackers, the kind that take credentials found in data breaches, lump them together, and have an automated system try forcing into accounts.

If that sounds scary, it is, and you have every right to be worried. That's why, if you get a notification of a data breach or check resources like haveibeenpwned and notice your email pop up, you shouldn't delay changing your password for that account. If you wanted to be extra safe, change the password of any other accounts that use that email or username, because the chances are good that a credential stuffing attack will happen at some point.

5 Shared your password with someone

We've all been there, but did you remember to change that password once they're out of the account?

Sharing passwords is a surefire way to cause weird things to happen to your accounts, and it might even get you banned from the service. Sharing Wi-Fi passwords can be done safely with the right tools and router setup, but sharing streaming sites and other things should only be done as those services allow. This could be as simple as adding them to a family account, in which case everyone has their own password, and nobody else can see it. Or you can use many password managers to share passwords without letting the other person see the actual password, which is probably the safest way if you have to share.

4 You used the same password on several accounts

Please stop doing this

If you're using the same password on several accounts, it's time to put that practice to rest. Get a password manager, and go through all your online accounts and replace the passwords you were using with unique, long (at least 16 characters) passwords or passphrases. You might not think that the forum you talk to fellow hobbyists on matters in terms of password security, but your banking details do, and only one of those two websites has good security practices. Don't reuse passwords; we should all know better by now.

3 Odd email behavior

Messages sent without your knowledge or disappearing emails are a sure sign

Noticed an email in your sent folder that you don't recognize? How about an email from you with some spammy junk in the main sections? It's not entirely an indicator that your password needs changing, as spammers have found ways to spoof email addresses, but you should probably think about changing your password anyway. I mean, your email account is a treasure trove of personal information, financial details, and more, and you don't want that password in anyone else's hands.

2 Odd logins from unfamiliar locations

It's not you trying to log in from Kazakhstan, unless you do live there

One of the smartest things Microsoft has done for years is to allow passwordless logins via the Microsoft Authenticator. This not only removes the secrets part of the equation, so only the Authenticator app can be used for logging in, but it also stops any attackers from even trying to log in, as the security features filter out any attempts from IP addresses or locations that it knows you're not associated with.

The image above is my Microsoft account page for login attempts, and that's just a tiny section of the daily login attempts my Microsoft account gets subjected to. Many online accounts will have a page that shows locations of login attempts, and I highly recommend you check this every so often.

1 Suddenly locked out of account

If you get a warning about too many failed logins, or you know the password was changed, it's time to reset it ASAP

While hackers and spammers have gotten more sophisticated at not hitting rate limits for password-stuffing attacks, some services lock your account if too many failed attempts happen in a short enough time. Sometimes, these aren't attempts to take over your account, as IMAP issues when trying to sync email to a third-party client can also show up as failed login attempts, but most of the time, they are.

If you know it wasn't you trying to log in when you notice an account is locked, the first thing you should do when you recover access is to change the password. If possible, also change the login name or email used, which will stop hackers from being able to try password-stuffing attacks in the first place.

It's wild out there. Stay safe and in control of your passwords

From forgetting to log out of a public computer you used to check your email to having your credentials stolen in a breach, keeping our online accounts safe is hard. But by recognizing the signs of unauthorized logins, using good password hygiene, and using two-factor authentication wherever possible, we can keep our accounts and the data in them secure.