A coalition of nonprofit organizations publishes the second version of the Common Password Guidelines with 132 signatories worldwide.

Cyber 4.0 is again joining the More Than a Password Day campaign this year.

We join the global community on this day to raise awareness, in each of us, of the importance of strong authentication. Our data are growing in volume and value, and protecting them with a password alone, however sophisticated, no longer guarantees protection against unauthorized access and malicious use. Much more effective tools exist.

So here is the Common Password Guide, translated into Italian.

Protect your account and your devices

We believe that using stronger authentication is one of the most effective and inexpensive steps that can be taken to protect organizations and people online. In celebration of World More Than a Password Day, November 12, 2024, we are jointly releasing this Common Password Guide that specifies simple steps anyone can take to be more secure:

Actions to be taken immediately

1. Use password-free authentication

Use password-free authentication such as passkeys (sometimes other terms are used) whenever you can. Passkeys are easier to use and more secure than passwords. They use cryptography to verify your online identity: a secret key is stored on your device and is never shared. Most popular operating systems, browsers and e-mail services support passkeys; just search for “passkey” together with the name of the operating system, browser or site/service.

2. Protect your e-mail

If you use password authentication for your mailboxes, use a very strong (long, randomly generated, unique) password (see Use Strong Passwords | CISA) together with multi-factor authentication/two-step verification (see the next point). Email is the most common channel for password resets, so you want to make sure that no one else can “reset” your passwords and gain access to your accounts.

3. Add an additional layer of security beyond just using passwords

Using a hardware security key or token, an authentication app, or a one-time code sent by SMS as a “second factor” in addition to the password can help prevent phishing and other attacks. This process may be called multi-factor authentication (MFA), two-factor authentication (2FA) or two-step verification. The best form of additional security is a hardware token or an authentication app on your phone; do not rely on SMS messages for the second factor.

4. Use a password manager

If you have accounts that use only passwords, consider using a password manager so that you do not have to memorize dozens of passwords. With a password manager you can use complex, randomly generated passwords that are much harder to guess. Software password managers, browsers that manage your passwords, and operating systems can all do a good job. Of course, the password for your password manager itself must be complex and easy to remember (see the next step on choosing a good password), and you must act quickly to change all your passwords if your password management service is compromised. More detailed guidance on password managers is available, for example, from the UK (Password Managers: using browsers and apps to safely store your passwords) and from Canada (Password Manager: Security Tips, ITSAP.30.025).

5. Use recommended techniques for choosing passwords

If you choose your own passwords instead of having them generated by your computer or password manager, you can use a passphrase (see Best practices for passphrases and passwords, ITSAP.30.032) or a technique such as the UK NCSC’s “Three Random Words” to choose passwords that are easier to remember but difficult to guess (Three Random Words – NCSC.GOV.UK).

If you have been “hacked”

6. Changing passwords

Your passwords should be changed immediately if one of your devices is compromised (e.g., an attacker installs malware on your computer). If an online site or service you use (an e-mail service, a website, etc.) is hacked, change the password for that site or service and for every other place where you reused that password (and you really shouldn’t reuse passwords). Signing up at https://haveibeenpwned.com/ is a good way to find out whether any of your passwords need updating. Finally, it is best to change passwords from a device that has not been compromised.

Note to providers: require or support advanced authentication instead of requiring periodic password changes. You may find this guide useful: Multi-factor authentication for your corporate online services.

The Guide was produced thanks to the collaboration of:

#ShareTheMicInCyber
AKTA
Albanian Cyber Association NGO
American University
Anti-Phishing Working Group (APWG)
Aspen Digital
Association of Information Security Professionals (AiSP)
Australian Cyber Collaboration Centre
Aviation ISAC
BBB Institute for Marketplace Trust
Bfore.Ai
Black Girls in Cyber
Broadcom
C3Initiative
Canadian Cyber Threat Exchange
Center for Democracy & Technology
Center for Internet Security
Center for Threat-Informed Defense
Charter of Trust
Cloud Security Alliance
Common Sense
Consumer Reports
Craig Newmark Philanthropies
CREST International
Crowdstrike
Cum Sensu B.V
Cyber 4.0 Cybersecurity Competence Center
Cyber Defense Alliance
Cyber Peace Foundation
Cyber Readiness Institute
Cyber Risk Institute
Cyber Security & Forensics Association Uganda
Cyber Threat Alliance
Cyber8M
CyberGreen Institute
CyberPeace Institute
Cybersecurity and Infrastructure Security Agency (CISA)
Cybersecurity Network Foundation
Cybersecurity Tech Accord
Cybertrust America
CyberWA, Inc.
CyberWyoming Alliance
CyBlack
DECO PROTESTS
Dell
DigeTekS LLC
DISARM Foundation
DNS Research Federation
PuntoGal Domain
eco – Association of the Internet Industry
EST Applied Intelligence
EURid
Euroconsumers
European Cyber Security Organization (ECSO)
European Cybercrime Centre – EC3 – Europol
Everyone.AI
FIDO Alliance
Forge Institute
Forum of Incident Response and Security Teams (FIRST)
Foundation Cyberbrein
Get Safe Online
Girls Who Code
Global Anti-Scam Alliance
Global Cyber Alliance
Global Forum on Cyber Expertise (GFCE)
Global Resilience Federation
Hacking the Workforce
Health-ISAC
HIKS
ICT Academy
Impetus
Insig2
Institute for Security and Technology
Internet Society (ISOC)
Internet Society Belgium
Internet Society UK England Chapter
INTERPOL
ISOC Democratic Republic of the Congo Chapter
ISOC Zambia Chapter
Kenya CyberSecurity & Forensics Association
LAC4
Maritime Safety & Security Alliance
Metamorphosis
Microsoft
National Authority for Electronic Certification and Cyber Security (AKCESK)
National Council of ISACs
National Cyber Forensics and Training Alliance
National Cybersecurity Alliance
National Cybersecurity Society
Netsafe
Nomad Futurist
NPower
NSI Cyber and Tech Center, Antonin Scalia Law School at George Mason University
Okta
Open Cybersecurity Alliance
OpenSecurityTraining2
Outpost24
OWASP
Packet Clearing House
DOTU.EUS
Quad9
R Street Institute
Rapid7
Recorded Future
Red Piranha
Retail & Hospitality ISAC
Safe Online Women Kenya
SAFECode
SAM for Compliance
ScamAdviser
Sctium
SecureTheVillage
Security Scorecard
Serianu
Shadowserver Foundation
Sightline Security
Singapore Computer Emergency Response Team (SingCERT)
Society of Citizens Against Relationship Scams Inc.
South West Cyber Security Cluster
STOP. THINK. CONNECT. Messaging Convention
TechSoup
The Kosciuszko Institute Association
U.S. Chamber of Commerce
UC Berkeley Center for Long-Term Cybersecurity
University of Chicago Harris School of Public Policy – Cyber Policy Initiative
Women4Cyber Foundation
Women4Cyber Montenegro
XRSI – X Reality Safety Intelligence
youthprotect e.V.
Zyber Global Centre

Access the Nonprofit Cyber campaign in English