Are you still solely relying on passwords? It’s time for an upgrade

Passwords have historically served as the primary defense for online accounts, but they’re no longer effective on their own. With the rise of evolving threats and increasingly sophisticated cyberattacks, experts recommend fortifying your logins with additional authentication methods.

Why your security strategy must go beyond passwords

Cybersecurity experts at the National Institute of Standards and Technology (NIST) now warn that passwords are fundamentally vulnerable and should be avoided whenever possible. Even the strongest password can be compromised in two common ways:

  • Phishing: Cybercriminals deploy deceptive tactics, luring users into revealing their credentials through fake login links designed to mimic legitimate sites. Once a user enters their information, the attacker captures it, rendering the password’s strength irrelevant.
  • Offline attacks: These attacks involve cybercriminals stealing encrypted password databases during a data breach. They then leverage powerful computers to run automated password-cracking programs offline. A modern PC can attempt up to 100 billion guesses per second, meaning an eight-character password with a capital letter, a number, and a symbol can be deciphered almost instantly.

Given these threats, your focus must shift from creating better passwords to implementing additional security measures.

Your new security hierarchy for 2025 and beyond

To truly secure your accounts, follow this modern hierarchy of defense recommended by cybersecurity experts.

Priority #1: Activate passkeys (the password replacement)

The biggest change in digital security is the move to passkeys, a safer alternative to passwords. Passkeys store a private digital key on your phone or laptop. You can log in to your accounts by verifying your device with a PIN or fingerprint.

Passkeys are phishing-resistant; you can’t be tricked into typing a passkey on a fake website. They’re also unique to every site, so a data breach at one company won’t expose your other accounts.

Action step: Check your account settings for “Security” or “Login Options” and select Create a Passkey wherever available.

Priority #2: Enable multifactor authentication (MFA)

For any account that doesn’t support passkeys, enabling MFA is a critical step you can take to secure it.

MFA adds another layer of protection beyond just your password. It asks for another verification factor, which can be something you have (e.g., your phone) or something you are (e.g., your fingerprint). That way, even if a cybercriminal gets your password, they still can’t access your account without completing the extra authentication step.

While many services use SMS codes for MFA, security experts at NIST warn that these can be intercepted. For better security, prioritize more robust methods, such as:

  • Authenticator apps (e.g., Google Authenticator, Microsoft Authenticator)
  • Physical security keys (e.g., USB dongles)
  • Push notifications sent from a trusted app on your device

Action step: Review the security settings of your key accounts (e.g., email, banking, and social media), and turn on MFA wherever possible.

Priority #3: Use a password manager

Many accounts still require traditional passwords. Since it’s impossible to remember a long, unique password for each one, use a password manager. This application generates and securely stores all your unique credentials, simplifying digital security by requiring you to remember only one master password to access them.

Action step: Install a reputable password manager, and let it create strong, unique passwords for your non-passkey accounts.

What to do if you must create a password

If you need to create a password, NIST’s 2025 guidance is clear: length matters most. Aim for at least 15 characters.

NIST no longer recommends mandating special characters, numbers, or uppercase letters for password requirements. Although complexity contributes to password strength, length is far more effective. A 10-character complex password (e.g., Tr@ub4d0r!) is far weaker than a simple 20-character password.

The easiest way to create a long, memorable password is to string together several unrelated words. A passphrase such as “cassettelavababyriver” is 21 characters long: easy for you to remember, but slow for a computer to crack.
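As an added worked example (not code from the original article), the following Python applies the page's own figure of 100 billion guesses per second to each password example above and reports the worst-case time for an offline exhaustive search. The alphabet sizes and the final word-list row are assumptions marked in the code.

```python
from __future__ import annotations
from math import log2

# The page's offline-attack figure: 100 billion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000

# Alphabet sizes for the character classes a brute-force search must cover.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 = printable ASCII symbols
FULL = LOWER + UPPER + DIGITS + SYMBOLS          # 95 printable ASCII characters


def keyspace(length: int, alphabet: int) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet ** length


def seconds_to_exhaust(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return candidates / rate


def human(seconds: float) -> str:
    """Express a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(policies: dict[str, tuple[int, int]]) -> dict[str, tuple[float, float]]:
    """Map policy name -> (entropy in bits, worst-case seconds to exhaust)."""
    return {
        name: (length * log2(alphabet), seconds_to_exhaust(keyspace(length, alphabet)))
        for name, (length, alphabet) in policies.items()
    }


# The page's own examples, plus one assumed attacker model (constructed): the
# attacker knows the passphrase is exactly 4 words drawn from a 10,000-word list,
# so each "symbol" is a whole word and the alphabet is the vocabulary size.
PAGE_EXAMPLES = {
    "8 chars, all four classes": (8, FULL),
    "10 chars, all four classes (Tr@ub4d0r!)": (10, FULL),
    "20 chars, lowercase only": (20, LOWER),
    "21 chars, lowercase only (cassettelavababyriver)": (21, LOWER),
    "same passphrase as 4 words from 10,000 (assumed)": (4, 10_000),
}

if __name__ == "__main__":
    for name, (bits, secs) in compare(PAGE_EXAMPLES).items():
        print(f"{name:50s} {bits:6.1f} bits  {human(secs)}")
```

The last row shows that the estimate depends on the guessing model the attacker can use, not only on character count.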

To keep up with the latest cybersecurity practices and IT trends, connect with our IT professionals today.
