Two Simple Steps That Can Prevent Your Online Accounts From Being Stolen

I’m one of the admins of a WhatsApp group that we have with my classmates from high school.

Every now and then, someone posts something like this in the group chat: “Joe’s phone has been stolen, and they’ve got his WhatsApp account. Please, remove him temporarily from the group.”

Every time this happens, the same discussion follows: how can we prevent our WhatsApp account from being compromised? The same advice is shared:

  • If you are using a physical SIM in your phone (instead of an eSIM), either get an eSIM or make sure your SIM requires a PIN.
  • Activate second-factor authentication in WhatsApp settings.
  • Require Face ID, fingerprint, or password to unlock WhatsApp.
  • If your phone gets stolen, write to support@whatsapp.com to lock your WhatsApp account.

And every time, most of my classmates disregard those measures.

These incidents got me thinking about password and account security more broadly. Fortunately, there’s new guidance that can help.

October is Cybersecurity Awareness Month, a good time to stop and reflect on your security practices. Conveniently, some weeks ago, the National Institute of Standards and Technology (NIST) published an updated version of their Digital Identity Guidelines (SP 800-63), which include the NIST password recommendations.

These guidelines are important not only because they describe sound security practices, but also because of their influence on other regulatory frameworks.

Key recommendations

I was going to summarize the documents, but Proton has a great summary of the updated password recommendations:

  • Use longer passwords: minimum 8 characters and a maximum of 64 characters, and support copy and paste.
  • Drop complexity requirements (e.g., symbols) and accept all types of characters, including spaces. Encourage users to come up with unique and memorable phrases.
  • Only force password resets when there is evidence of compromise. Forcing employees to reset their passwords every few months actually makes security weaker.
  • Maintain a password blocklist to prevent the use of easily exploitable passwords. This list should include not only basic terms—that was the previous NIST recommendation—but also breached passwords, patterns, and common variations.
  • Eliminate security questions and hints (e.g., “What’s your mother’s maiden name?”). Instead, use links and verification codes for account recovery.
  • Require the use of multi-factor authenticators that require activation through password or biometric verification.
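To make the password rules above concrete, here is an added example (my own code, not from NIST or Proton) of a server-side check that follows them: an 8 to 64 character length window, no complexity rules, spaces and any Unicode accepted, and a blocklist that also catches common variations (leetspeak, case changes, trailing digits or symbols). The blocklist here is a constructed sample; a real deployment would load a breached-password corpus.

```python
import re
import unicodedata

# Constructed sample blocklist; in production load a breached-password corpus.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "123456"}

# Common character substitutions attackers try, so "P@ssw0rd" matches "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

MIN_LEN, MAX_LEN = 8, 64


def canonical_forms(password: str) -> set:
    """Return the variants of a password that should be matched against the blocklist."""
    # NFKC normalization (as SP 800-63B recommends) folds e.g. fullwidth letters to ASCII.
    base = unicodedata.normalize("NFKC", password).casefold()
    stripped = re.sub(r"[\d\W_]+$", "", base)  # drop trailing digits/symbols
    forms = {base, base.translate(LEET), stripped, stripped.translate(LEET)}
    return {f for f in forms if f}


def check_password(password: str) -> tuple:
    """Return (accepted, reason). Length counts Unicode code points, not bytes."""
    n = len(password)
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN} characters)"
    if n > MAX_LEN:
        return False, f"too long ({n} > {MAX_LEN} characters)"
    # No composition rules: spaces, emoji and any printable Unicode are allowed as-is.
    for form in canonical_forms(password):
        if form in BLOCKLIST:
            return False, f"matches blocklisted password '{form}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Welcome2024", "purple giraffe eats a tuba"]:
        print(candidate, "->", check_password(candidate))
```

Note that a passphrase with spaces passes while a leetspeak variant of a blocklisted word is rejected, which is the opposite of what a classic complexity rule would decide.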

Practical tips

On a personal level, you should at least be using a second-factor authentication method for your accounts (including messenger apps like WhatsApp). A password manager will help you use strong and different passwords for each service.

These two actions alone will save you a lot of pain.

There are several good password managers on the market, like 1Password or Bitwarden. You could use your phone’s password manager, but personally I prefer one of the standalone password managers.

For second-factor authenticators, both of the password managers mentioned above offer OTPs (one-time passwords), or you can use apps like Google Authenticator, Twilio’s Authy, Microsoft Authenticator, etc.

Authenticator apps are safer than text-message authentication because they eliminate the risk of SIM-swapping attacks (where attackers hijack your phone number).

The best moment to adopt these practices is today. Don’t wait until you’re the next person in the group chat asking to be removed from a compromised account.
