Your passwords deserve to be secure. You can prevent being hacked by brute force or dictionary attacks, or being exploited by social engineering, by following a few rules:
Use unique passwords, i.e. a different password for every account, so that if one website is compromised the attacker does not automatically gain access to other, potentially more sensitive, accounts. Use an enterprise password manager like Psono to store and manage all these passwords.
Use random passwords with at least 16 characters and try to include special characters, numbers, and upper- and lowercase letters.
Do not include the names of family members, pets, or friends in your passwords.
Use a second factor whenever possible, such as Google Authenticator, Authy or a YubiKey, and avoid SMS if you can.
Do not use zip codes, house or phone numbers, birthdays, or digit sequences from your ID or social security number.
Regularly update your software. Most vulnerabilities have been patched for weeks before attackers actively exploit them.
Passwords like QWERTY, 123456, password!, 4nt0n!, ... are inherently insecure and should be avoided. Secure passwords are random and look like qs^?#jD3Ym}8rB&D or }+Eph6/.q(7t*TjZ.
Do not construct passwords from a pattern like myPassw0rdForGmail and myPassw0rdForWindows, as one stolen password then lets an attacker guess the passwords for your other accounts.
Avoid password replacements that cannot be changed yet can be cloned, such as your iris or fingerprint.
Be cautious and avoid logging in on other people's computers.
Do not log in to sensitive accounts over untrusted WiFi hotspots, free VPN services or the Tor network, as you never know who controls them.
Check the protocol before you send any sensitive information and avoid unencrypted connections like HTTP or FTP; use HTTPS, SFTP or FTPS instead.
Configure your phone and computer to lock automatically when inactive. The inactivity timeout should not be longer than 30 seconds.
Make a habit of locking the computer when you leave the desk, even if it's just for a short period.
Protect yourself, especially while travelling, and encrypt your internet connection. VPN software like OpenVPN, IPsec or WireGuard on your own VPS is the most common solution; alternatives are an SSH tunnel or a SOCKS proxy configured in Chrome or Firefox.
Check whether your passwords have appeared in a breach and set up monitoring for future breaches with the help of haveibeenpwned.com.
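As an added example, not taken from the page or from Psono's own code: checking a password against haveibeenpwned.com's Pwned Passwords service through its k-anonymity range API, so that only the first five characters of the password's SHA-1 hash ever leave your machine. The endpoint URL, the User-Agent value and the sample response are assumptions or constructed data.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint (assumed from the public API; only the
# 5-character SHA-1 prefix is sent, so the password itself stays local).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like ("SUFFIX:COUNT" per
# line); suffixes and counts here are illustrative, not real breach data.
SAMPLE_RANGE = """0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def split_sha1(password: str):
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Look up our suffix in a range response; 0 means not seen in any breach."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Download the range for a 5-char prefix (needs network; not used offline)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "password-check-example"},  # placeholder UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: str = None) -> int:
    """How often the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    print(pwned_count("password", SAMPLE_RANGE))  # 3861493 in the sample
```

Call pwned_count(password) without the second argument to query the live service; a non-zero result means the password should be changed everywhere it is used.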
Store files only in encrypted form. Full disk encryption with BitLocker on Windows, FileVault on Mac or LUKS on Linux is your first line of defense against unauthorized access. GPG and 7-Zip are well suited if you want to share, store or send something sensitive.
Do not rely on a single service: keep backups of all your passwords in different locations, e.g. a password manager like Psono plus a local backup encrypted with 7-Zip and stored on Google Drive or Dropbox.
Always type the address of important services, like gmail.com or paypal.com, yourself and never trust links that you have been sent. There are characters that look the same yet are different, making such links impossible to tell apart by eye.
Do not share passwords in e-mails, chat and so on. You never know when a device of the receiving party is compromised. Use encrypted channels instead, like Psono's link share, GPG-encrypted mail or a secure messenger like Signal.
Never tell anyone your passwords: bank employees, your company's administrator and so on all have their own portal to access your account and will never ask you for your password.
Use a trusted solution to host your e-mail. E-mail accounts usually allow password resets and as such need to be protected against misuse in the same way as your passwords.
If possible, use your own domain, so that if your e-mail provider ever closes your account you don't lose access to all your other accounts.