World Password Day

World Password Day is a good reminder that online security is important, but it doesn't have to be complicated. Just a few simple steps can keep you and your family safer.

May 7, 2026

Common Sense Media is one of more than 90 organizations that have endorsed updated password guidance from Nonprofit Cyber, a coalition of leading organizations fighting online scams.

These are the steps they recommend that everyday consumers—parents, grandparents, and other family members—take to protect themselves and their loved ones online.

Are you ready to get safer?

  1. Skip passwords altogether when you can.

    The safest option is to avoid passwords entirely. Many apps, websites, and devices now let you log in using something called a "passkey"—think of it like a digital key stored on your phone or computer that proves it's really you, without ever typing a password. Passkeys are not only more secure, they're actually easier to use. Most major devices (iPhone, Android, Windows, Mac) and popular services already support them. Just search "passkey" plus the name of your device or app to get started. If you use a password manager (more on that below), it may be able to store passkeys too.

  2. Lock down your email account first.

    Your email account is the master key to everything else online because most websites let you reset your password by sending a link to your email. If someone gets into your email, they can get into almost everything. Make sure your email has a strong password and an extra layer of security turned on (see tips three and five). This one is especially important!

  3. Add an extra layer of security beyond using passwords alone.

    Even with a good password, turning on two-step verification (also called multi-factor authentication, or MFA) adds security. When this is enabled, even if someone figures out your password, they still can't get in without a second check—usually a code sent to your phone or generated by an app. An authenticator app (like Google Authenticator or Authy) is the most secure option, but even a text message code is better than nothing. Some banking apps use your fingerprint or face as that second step, which also counts.

  4. Use a password manager.

    Most of us reuse the same few passwords everywhere, which is risky; if one account gets hacked, others can fall like dominoes. Use a password manager so you won't need to memorize dozens of passwords, even if you are using two-factor authentication. Using a password manager means you can use strong, randomly generated passwords that are much harder to guess, and you can avoid reusing passwords. Software password managers, browsers that manage your passwords, and operating systems can all do a good job at this. Of course, the password for your password manager must be both strong and memorable (see the next step to pick a good password), and if your password manager service ever gets hacked, you must respond quickly to change all your passwords.

    More detailed guidance on password managers is available, for example, from the UK and Canada.

  5. Pick a password that's easy to remember but hard to guess.

    If you're picking your own passwords rather than having your computer or password manager generate them, you can use a passphrase or a technique like the UK NCSC's "Three Random Words" to pick passwords that are easier to remember but hard to guess.

  6. Think you've been hacked? Change your passwords right away.

    If you get a notice that a website or app you use has been breached, or if you think you may have fallen for a scam that put your device or login information at risk, change your password for that site immediately and then change it anywhere else you used the same password (another reason not to repeat them).

    But an official breach notice isn't the only red flag. Watch out for other warning signs that something may be off:

  • Receiving a password reset email or a two-step verification code you didn't ask for
  • Getting logged out of an account suddenly
  • Noticing messages or posts sent from your account that you didn't write
  • Seeing that your account settings were changed without your knowledge
  • Getting a login notification from an unfamiliar location or device

    If anything feels off, don't wait—change your passwords from a device you trust to be safe. A free tool called haveibeenpwned.com lets you enter your email address to find out if your information has shown up in a known data breach, and it's worth checking even if everything seems fine.

We're all in this together. On this World Password Day, take a few simple steps to get safer online and in life.

Brenna Leasor

Brenna Leasor is the tech policy counsel for Common Sense, where she advocates for state and federal policies to close the digital divide, promote safe and responsible AI, and educate consumers on online safety practices to keep kids safe in our digital world. Prior to joining Common Sense, she supported the policy and government relations function for a global professional services firm.