Making a strong password

When making a password, make sure that it is unique (used for only one account or device), long, and complex.

Using the same password for multiple resources is a risk - if one of your accounts is compromised, others using the same password might be as well.

Having a long password - 10+ or even 20+ characters, the longer the better - makes it harder to crack or guess. Mixing different types of characters, such as numbers, lowercase and uppercase letters, and special characters (!, ~, *), is strongly encouraged.

Avoid using online password generators and “how strong is my password” tools - you can’t know who is behind them and where your passwords might end up.
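As an added example (not code from the original page), the following Python script applies the advice above locally instead of relying on an online tool: it draws from the operating system's random source, produces a long password containing every character class, and flags passwords that are too short, lack a class, or are already used elsewhere. The special-character set and the list of previously used passwords are constructed assumptions.

```python
import math
import secrets
import string

# Character classes to mix, as recommended above. The special-character
# set is a constructed choice; adjust it to what the service accepts.
CLASSES = {
    "digit": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "special": "!~*@#$%^&+=?-_",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Generate a password locally using the OS CSPRNG (the secrets module).

    Guarantees at least one character from every class, fills the rest from
    the whole alphabet, then shuffles so class positions are not predictable."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    chars = [secrets.choice(pool) for pool in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed, unlike random.shuffle
    return "".join(chars)


def classes_present(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, pool in CLASSES.items() if any(c in pool for c in password)}


def check_password(password: str, used_elsewhere=frozenset()) -> list:
    """Return the problems found (an empty list means the password meets the advice).

    used_elsewhere: passwords already used for other accounts (a constructed input)."""
    problems = []
    if password in used_elsewhere:
        problems.append("reused: already used for another account")
    if len(password) < 10:
        problems.append("too short: use 10+ characters, ideally 20+")
    missing = set(CLASSES) - classes_present(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    return problems


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password over this alphabet.
    Each extra character adds log2(alphabet_size) bits, which is why length matters most."""
    return length * math.log2(alphabet_size)
```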

It is also highly recommended to set up multi-factor authentication on your accounts if the online service or platform offers that option. This creates an additional layer of protection, as an extra step is required to log in, usually a one-time code received via SMS or generated by an app such as Aegis Authenticator. iPhones have a built-in option to generate MFA codes.

However, multi-factor authentication (MFA) is not a perfect solution - people are still susceptible to social engineering attacks, such as phishing scams, and can be persuaded or fatigued into disclosing the second authentication factor, for example a one-time code. This is why it is important to consider a phishing-resistant form of MFA, such as physical hardware keys.

Multi-factor authentication enabled by default is unfortunately still not an industry standard - some services don’t offer it at all, and for those that do, users still have to navigate complex security settings in their accounts to set it up.

Although any kind of MFA is better than having none, some forms are safer than others. For example, receiving codes via SMS is less secure due to security flaws in mobile networks and so-called “SIM swapping”, i.e. when an attacker gains access to a person’s phone number by tricking their mobile provider’s staff.

It should also be noted that MFA is not a substitute for regular security training and awareness of threats such as ransomware. It is very important to build a positive, proactive security culture within your organisation through motivating and engaging training. Digital security improves on both the personal and the organisational level when you address all three domains of cybersecurity: people, processes, and technology.