
SCARS Institute’s Encyclopedia of Scams™ Published Continuously for 25 Years

Common Guidance on Passwords
Protecting Your Accounts and Devices
We believe that using stronger authentication is one of the most effective and inexpensive steps that can be taken to secure organizations and people online. On World More Than A Password Day, November 10, 2023, together we are issuing this Common Guidance on Passwords specifying simple steps that anyone can take to be more secure:
Steps to Take Now
- Use password-free authentication
Use password-free (passwordless) authentication, such as passkeys (sometimes other terms are used), when you can. Passkeys are simpler to use and far more secure than passwords. Passkeys use cryptography to prove that you are you for online sites and services, employing a secret key that is stored on your device and is never shared. The most popular operating systems, browsers, and email services support passkeys – just search for “passkey” and the name of your operating system, browser, or site/service.
- Secure your email account
If using password authentication for your email accounts, use a very strong password (long, randomly generated, and unique; see https://www.cisa.gov/sites/default/files/2023-08/Secure-Our-World-Passwords-Tip-Sheet.pdf) and multi-factor authentication/two-step verification (see the next step below). Email is the most common means of resetting your password, and you want to make sure no one else can “reset” your passwords and get access to your accounts.
- Add an extra layer of security above using passwords alone
Using a hardware security key or token, an authenticator app or a PIN provided by SMS messaging as a “second factor” in addition to your password can help prevent phishing and other attacks. This process can be called multi-factor authentication (MFA), two-factor authentication (2FA), or two-step verification. The better form of additional security is to use a hardware token or an authenticator app on your phone, and not to rely on SMS messages for the second factor.
- Use a password manager
Especially if you have accounts that use only a password and not passkeys or a second means of authentication, use a password manager so you don’t have to remember all your passwords. Using a password manager means you can use strong, randomly generated passwords that are much harder to guess. Software password managers, browsers that manage your passwords, and operating systems can all do a good job. Of course, your password manager password has to be both strong and memorable (see the next step to pick a good password), and you must respond quickly and change all your passwords if your password manager service is compromised. More detailed guidance on password managers is available, for example, from the UK (“Password managers: using browsers and apps to safely store your passwords”) and Canada (“Password managers-security”).
- Use a recommended technique to pick passwords
If you are picking your own passwords rather than having your computer or password manager generate them, you can use a passphrase (Best practices for passphrases and passwords (ITSAP.30.032) – Canadian Centre for Cyber Security) or a technique like the UK NCSC’s “Three Random Words” (https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words) to pick passwords that are easier to remember but hard to guess.
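The passkey step above says the secret key stays on your device and is never shared, and the second-factor step mentions phishing. The sketch below is an added example, not code from Nonprofit Cyber or from any passkey standard: a simplified Node.js model of that sign-in, in which the function names, the `https://mail.example` site and the signed message layout are assumptions (the real WebAuthn protocol carries more fields).

```javascript
// Simplified model of a passkey sign-in (illustrative; not the real WebAuthn API).
const crypto = require('node:crypto');

// Registration: the device creates a key pair; only the public key leaves the device.
function registerPasskey(origin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    device: { origin, privateKey }, // stays on the user's device
    server: { origin, publicKey },  // stored by the site
  };
}

// Site side: issue a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Bytes that get signed: the origin, a separator byte, then the challenge.
function signedData(origin, challenge) {
  return Buffer.concat([Buffer.from(origin), Buffer.from([0]), challenge]);
}

// Device side: sign only for the origin the passkey was registered with.
function signIn(device, seenOrigin, challenge) {
  if (seenOrigin !== device.origin) return null; // no passkey for this site
  return crypto.sign(null, signedData(seenOrigin, challenge), device.privateKey);
}

// Site side: verify against its own origin and the challenge it issued.
function verifySignIn(server, challenge, signature) {
  if (!signature) return false;
  return crypto.verify(null, signedData(server.origin, challenge),
                       server.publicKey, signature);
}

function demo() {
  const { device, server } = registerPasskey('https://mail.example');
  const challenge = newChallenge();
  const sig = signIn(device, 'https://mail.example', challenge);
  return {
    genuine: verifySignIn(server, challenge, sig),
    // A captured signature is useless later: the next challenge is different.
    replayed: verifySignIn(server, newChallenge(), sig),
    // On a look-alike origin (constructed name) the device has nothing to send.
    lookalike: signIn(device, 'https://mail.example.login.test', challenge),
  };
}
console.log(demo());
```

Unlike a password, nothing the site stores or the network carries can be typed into another sign-in form: the site holds only the public key, and each signature is bound to one challenge.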
If You are “Hacked”
- Changing passwords
Your passwords should be changed immediately if one of your devices is compromised (for example, a hacker installs malware on your computer). If an online site or service you use (an email service, a website, etc.) is hacked, change your password for that site or service and anywhere else you have reused that password (and you really should not reuse passwords). Subscribing to https://haveibeenpwned.com/ is a good way to discover if you have passwords you need to change. Last, it’s best to change passwords using a device that hasn’t been compromised.
Note for providers: Require or support strong authentication rather than requiring that passwords be periodically changed.
Reprinted with permission from Nonprofit Cyber.
Signed By
These are the supporters of this campaign:
- American University
- Anti-Phishing Working Group (APWG)
- Aspen Digital
- Australian Cyber Collaboration Centre
- Aviation ISAC
- BBB Institute for Marketplace Trust
- Bfore.Ai
- Black Girls in Cyber
- C3Initiative
- Canadian Cyber Threat Exchange
- Center for Democracy & Technology
- Center for Internet Security
- Center for Threat-Informed Defense
- Charter of Trust
- Cloud Security Alliance
- Consumer Reports
- Craig Newmark Philanthropies
- CREST International
- Cyber 4.0 Cybersecurity Competence Center
- Cyber Defence Alliance
- Cyber Threat Alliance
- Cyber Readiness Institute
- Cyber Risk Institute
- Cyber Security & Forensics Association Uganda
- CyberGreen Institute
- CyberPeace Institute
- Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security
- Cybersecurity Network Foundation
- Cybersecurity Tech Accord
- Cybertrust America
- CyberWA, Inc
- CyberWyoming Alliance
- DECO PROTeste
- Dell Technologies
- DISARM Foundation
- DNS Research Federation
- Dominio PuntoGal
- eco – Association of the Internet Industry
- EURid
- Euroconsumers
- European Cyber Security Organisation (ECSO)
- European Cybercrime Centre – EC3 – Europol
- FIDO Alliance
- Forge Institute
- Forum of Incident Response and Security Teams (FIRST)
- Get Safe Online
- Girls Who Code
- Global Anti-Scam Alliance
- Global Cyber Alliance
- Global Resilience Federation
- Hacking the Workforce
- Health-ISAC
- HIKS
- Institute for Security and Technology
- INTERPOL
- Kenya CyberSecurity & Forensics Association
- Maritime Safety & Security Alliance
- Microsoft
- National Council of ISACs
- National Cyber Forensics and Training Alliance
- National Cybersecurity Alliance
- National Cybersecurity Society
- Netsafe
- Nomad Futurist
- NSI Cyber and Tech Center, Antonin Scalia Law School at George Mason University
- Open Cybersecurity Alliance
- OWASP
- Packet Clearing House
- PUNTU.EUS
- R Street Institute
- Rapid7
- Recorded Future
- Retail & Hospitality ISAC
- SAM for Compliance
- ScamAdviser
- SecureTheVillage
- Security Scorecard
- Serianu
- Shadowserver Foundation
- #ShareTheMicInCyber
- Sightline Security
- Society of Citizens Against Relationship Scams Inc. [SCARS]
- South West Cyber Security Cluster
- STOP. THINK. CONNECT. Messaging Convention
- TechSoup
- The Kosciuszko Institute Association
- UC Berkeley Center for Long-Term Cybersecurity
- Women4Cyber Foundation
- XRSI – X Reality Safety Intelligence
- youthprotect e.V.