Gonna put these quick’n’dirty then a little wordier:
- Hide your screen
- Use a password manager
- Don’t use a personal address or phone number for work stuff
- MFA MFA MFA†
- No MFA by text
- All passwords are different and long and random and unmemorable
- All passwords go in the password manager
- Never share logins
- If something looks suspicious, it is
Now longer:
- Always assume your screen is being viewed by someone else unless you are taking active measures to prevent that. Shoulder-surfers are a real and present danger. Never reveal a password onscreen or type your passcode unless you are certain no one can see.
- Always sign up for work-related services using your @yourworkdomain.com email address
- Always use multi-factor authentication† via an authenticator app. If you use a password manager (you use a password manager, right?) then using it for MFA is likely your best choice, but if someone on your team ends up using another one, that’s totally fine.
- Never choose to receive MFA via SMS text or a mobile number
- Always use a password generated by your password manager
- Never share login information with anyone, including the boss. If the boss asks, it should be to test the user’s security acumen.
- Always assume that if something looks suspicious, it is. Put another way, be careful what you click. AI-generated spam and deep-fake voices are real and cheaply accessible things now, and people are getting scammed constantly. Real communication looks and feels real, and most importantly, is verifiable by a real person.
†It is known by many names, so I list them here. These all refer to the same fundamental idea: two-factor authentication, multi-factor authentication, 2FA, MFA, one-time password, time-based one-time password, OTP, TOTP.