Online attackers are looking to capitalize on sloppy security. Here are easy ways to shore up your digital defenses.

It’s October — the AC is off in many parts of the country, “spooky season” is in full swing and many of us have already had our fill of pumpkin spice lattes for the year.

It’s also Cybersecurity Awareness Month. And while 31 days of online safety might sound ridiculous, it’s still a great time to take a hard look at your cybersecurity situation.

That means setting strong and unique passwords for all your online accounts, enabling two-factor authentication whenever possible, installing those pesky software security updates and doing your best to keep as much of your private information, well, private.

That all may sound daunting, but there’s plenty of help out there for those looking for a place to start. The Cybersecurity and Infrastructure Security Agency just kicked off its month-long educational push entitled “Secure Our World.” It’s designed to drive home the importance of basic cyber hygiene practices.

The campaign’s website includes helpful tools for consumers, small and medium businesses and all levels of government, CISA director Jen Easterly said in a statement.

“Protecting ourselves online is about taking a few simple, everyday steps to keep our digital lives safe,” per Easterly.

In celebration of Cybersecurity Awareness Month, here are a handful of easy tips from CISA and others to keep your online accounts safe.

Use strong passwords and a password manager

Passwords need to be long, random and unique. New this year, the U.S. National Institute of Standards and Technology has published a draft update to its password guidelines. The latest recommendations say organizations should not require passwords to include a mix of character types, and should not force users to change passwords on a fixed schedule, such as every 30 or 90 days, unless there is evidence the password has been compromised.

Many security experts had argued that these kinds of requirements were counterproductive because they pointed people towards easily guessed passwords — think P@$$w0rd or Bree2024!.

On the flipside, while NIST still requires that companies mandate passwords of at least eight characters, it now recommends requiring at least 15 characters, and says systems must accept passwords of at least 64 characters so that long passphrases aren’t rejected.

Yes, that’s a lot of characters, but to make things easier, you can use a passphrase of a handful of unrelated words strung together, such as “GrandmafootballCheeseburgerhat” or “lamppostParisHotsaucetrophyhat.”

Avoid personal details that can easily be guessed or answered by Googling or mining social media. Your dog’s name, the model of your first car or the university you graduated from may be important to you, but they’re bad password material. Don’t reuse a password across multiple accounts, no matter how good you think it is. That way, you limit the fallout if one of your passwords is compromised: a password leaked in one site’s breach gets tried against every other popular service within hours.

That also goes for the personal questions and answers you use to reset those passwords.

Need help? Sign up for a password manager. It’ll keep all your logins organized and secure. Using the password generator and manager built into your browser is OK too. While some of those options have been clunky in the past, they’ve gotten better. For example, you can now use Google’s Chrome browser to autofill passwords into apps on an iPhone, as well as auto-generate new ones.
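To make the NIST guidance above concrete, here is an added example (not from the article, CISA or NIST) of what a verifier that follows it looks like: it checks length and a breached-password blocklist, rejects passwords built from known personal details, and imposes no character-class rules and no expiry clock. The blocklist and the 16-word list are constructed stand-ins for illustration; a real deployment would use a large breach corpus and a published word list such as the EFF’s 7776-word diceware list.

```python
import math
import secrets

# Constructed stand-in for a breached-password blocklist. A real verifier
# would check a large list (e.g. hashes from a public breach corpus).
BREACHED = {"password", "p@$$w0rd", "123456", "qwerty", "letmein", "bree2024!"}

# Constructed 16-word list for illustration; a real deployment would use a
# large published list (the EFF long list has 7776 words).
WORDS = ["grandma", "football", "cheeseburger", "hat", "lamppost", "paris",
         "hotsauce", "trophy", "kettle", "orbit", "mango", "violin",
         "glacier", "pocket", "saddle", "walnut"]

ABS_MIN_LEN = 8    # floor a verifier must enforce
MIN_LEN = 15       # length it should require instead of character classes
MAX_LEN = 64       # a verifier must accept at least this many characters


def check_password(pw, context=(), blocklist=BREACHED):
    """Return (accepted, reasons).

    Only length, a breached-password blocklist and context words are checked:
    no character-class composition rules and no expiry clock, matching the
    NIST guidance discussed above.
    """
    reasons = []
    if len(pw) < ABS_MIN_LEN:
        reasons.append("shorter than the %d-character floor" % ABS_MIN_LEN)
    elif len(pw) < MIN_LEN:
        reasons.append("shorter than the recommended %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        reasons.append("longer than the %d-character limit" % MAX_LEN)
    low = pw.lower()
    if low in blocklist:
        reasons.append("appears in the breached-password list")
    # Personal details (pet, car, school, username) are guessable, so a
    # password built around them is rejected even when it is long enough.
    for word in context:
        if word and word.lower() in low:
            reasons.append("contains guessable personal detail %r" % word)
    return (not reasons, reasons)


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n_words drawn uniformly (with replacement) from list_size words."""
    return n_words * math.log2(list_size)


def make_passphrase(n_words=4, words=WORDS, sep=""):
    """Draw words with the CSPRNG in `secrets`, never the `random` module."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "Bree2024!", "GrandmafootballCheeseburgerhat"]:
        print(candidate, check_password(candidate))
    print(make_passphrase(), "%.1f bits with a 16-word list" % passphrase_entropy_bits(4, 16))
    print("%.1f bits with a 7776-word list" % passphrase_entropy_bits(4, 7776))
```

The entropy function shows why the word list matters more than the word count: four words from the toy 16-word list give only 16 bits, while four words from a 7776-word list give about 51.7 bits, comparable to a random 8-character string drawn from the full printable ASCII set.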

Always use multifactor authentication

If your password does get compromised, a second layer of protection will go a long way toward protecting your account. Multifactor authentication, also called MFA, two-factor authentication and two-step verification, requires that someone trying to access your account enter a second form of identification before getting in.

MFA works in a host of different ways. It could be a code generated by an app, a biometric like a fingerprint or Face ID, or a physical security key that you insert into or tap against your device. Security keys are the strongest of these, because the key only answers the genuine site and a lookalike phishing page can’t relay the login. Yes, MFA slows down the login process. But if MFA is available, turning it on is a must.

One word of warning: If you can, avoid MFA systems that text a code to your smartphone. Why? SIM swapping, in which cybercriminals steal your phone number by calling your wireless provider, impersonating you and having it switch your number to a new phone and SIM card. It does happen, and if criminals take over your phone number, they’ll get that text message too. An authenticator app or a security key isn’t tied to your number, so a SIM swap doesn’t touch it.
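As an added example of what an authenticator app actually does (this is illustrative code, not the article’s or any vendor’s), here is the time-based one-time password algorithm from RFC 6238 in the Python standard library. The shared secret lives on your phone and on the server, and each six-digit code is an HMAC over the current 30-second window, so there is no phone number for a SIM swapper to hijack. The server side accepts one step of clock drift either way and compares in constant time. The Base32 secret and the timestamps are constructed for the demo; the ASCII key `12345678901234567890` is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits, algo)


def verify_totp(key, submitted, at, window=1, **kw):
    """Server-side check: accept the current step and `window` steps either
    side to tolerate clock skew, comparing in constant time so response
    timing leaks nothing about how many digits matched."""
    step = kw.get("step", 30)
    for drift in range(-window, window + 1):
        candidate = totp(key, at + drift * step, **kw)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def key_from_base32(secret):
    """Authenticator apps receive the secret as Base32 (otpauth:// URI / QR code)."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding that apps usually drop
    return base64.b32decode(s)


if __name__ == "__main__":
    # Constructed demo secret, as it would appear in an enrollment QR code.
    key = key_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code)
    print("server accepts:", verify_totp(key, code, now))
    print("server rejects a 2-minute-old code:", verify_totp(key, code, now + 120))
```

Because the code depends only on the secret and the clock, it works offline; the weak link moves from the carrier to the enrollment step, so treat the QR code or Base32 string like a password.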

Beware of phishermen

These days, many cyberattacks and data breaches — both big and small — start with a phishing attack. These are scam emails or other kinds of messages that try to trick people into handing over money or personal information under false pretenses.

While most of them still show up as emails, phishing also now comes in the form of social media posts, text messages (smishing) and even QR codes (quishing).

These days, phishing is easier than ever thanks to the advent of readily available artificial intelligence tools like ChatGPT. They make it much easier for scammers, especially those who aren’t native English speakers, to churn out large numbers of legitimate-looking and highly customized emails without the spelling and grammar slips that used to give phishing away.

Attackers could be pretending to be a charity looking for donations to help the victims of hurricanes or the war in Ukraine. They also could masquerade as a member of your office’s IT team or a friend who wants you to check out a great deal at your favorite retailer.

Regardless of their form, the objective is usually the same: The attackers are looking to steal credentials, money or personal information.

It may seem old school at this point, but cybercriminals are still phishing for credit card information.

Work-related logins are some of the most sought out by cybercriminals because they could potentially be used to access corporate systems and their data, but even the logins for your personal emails and social media accounts have value. If compromised, they could put you in danger of financial fraud or identity theft, or be used down the road in another scam.

To avoid being scammed, experts say, ignore emails and other messages from people and groups you don’t know, and don’t open unexpected attachments. They could contain malware. If you’re concerned about an email’s authenticity, pick up the phone and call the person who supposedly sent it, using a number you already have rather than one printed in the message.

Better yet, help stop phishing by reporting it. If you’re concerned about a work email, let your company’s IT staff know. There’s probably a dedicated “report” button for phishing and junk within your email app. The same goes for your personal email and social media accounts.
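The tells described above (a sender pretending to be the IT team, a link that doesn’t go where its text says, a lookalike domain) can be checked mechanically. Here is an added example, not from the article, that runs a few such checks over a constructed sample message: it compares the From and Reply-To domains, looks for digit-for-letter lookalikes of the organization’s own domain, and flags links whose visible text names a different host than the real destination, links to bare IP addresses, and punycode (`xn--`) hostnames. The trusted-domain set `example.com`, the sample messages and the urgency word list are assumptions for the demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example.com"}   # the organization's own domains (assumed)
URGENCY = ("urgent", "immediately", "expire", "locked", "suspended", "verify")
CONFUSABLES = str.maketrans("01345", "oleas")   # 0->o 1->l 3->e 4->a 5->s

# Constructed sample phish (not a real message); every indicator is planted.
SAMPLE = """From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
Reply-To: recovery@mail-verify.example
To: alice@example.com
Subject: URGENT: your password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be locked. Verify now:</p>
<a href="http://203.0.113.7/login">https://sso.example.com/login</a>
<a href="https://xn--exmple-cua.com/reset">example.com reset page</a>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN = """From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch Thursday?

Still on for noon?
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def phishing_indicators(raw, trusted=TRUSTED):
    """Return a list of (code, detail) findings for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of(str(msg["From"] or ""))
    reply_to = domain_of(str(msg["Reply-To"] or ""))
    if reply_to and reply_to != sender:
        findings.append(("reply-to-mismatch", f"{sender} vs {reply_to}"))
    # Lookalike: after undoing digit-for-letter swaps, the sender domain
    # contains a trusted label (e.g. 'example') but is not the trusted domain.
    normalized = sender.translate(CONFUSABLES)
    for t in trusted:
        if sender not in trusted and t.split(".")[0] in normalized:
            findings.append(("lookalike-sender", sender))
    subject = str(msg["Subject"] or "").lower()
    if any(w in subject for w in URGENCY):
        findings.append(("urgency", subject))
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(("ip-literal-link", href))
        if host.startswith("xn--") or ".xn--" in host:
            findings.append(("punycode-link", href))
        m = re.match(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", text.lower())
        if m and m.group(1) != host:
            findings.append(("link-text-mismatch", f"{m.group(1)} -> {host}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("sample phish", SAMPLE), ("benign", BENIGN)):
        print(name, phishing_indicators(raw))
```

None of these checks is proof on its own (plenty of real newsletters use tracking links whose host differs from the brand), which is why mail clients surface them as warnings and why the reporting button, rather than a silent filter, is the right response.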

Consumers should be particularly careful when it comes to requests for cryptocurrency. Though banks might be able to make you whole in cases of credit card fraud, the same doesn’t go for crypto: transactions are irreversible once confirmed, there is no issuer to reverse a charge, and wallets are pseudonymous, so recovering stolen funds is rare.

Use antivirus software and keep all software updated

Good antivirus software can go a long way toward protecting you, but it needs to be kept updated so it protects you against the latest threats.

CNET