Published: May 1, 2026
Our bulletin Cyber Threat Watch has been created to help small businesses stay up to date on the latest threats, news, and events affecting their business. The content has been curated to make cybersecurity easy and accessible for both technical and nontechnical readers.
Featured Cyber News — Protecting Your Accounts and Devices: Common Guidance on Passwords
Each year, World Password Day serves as a reminder to review how accounts and sensitive information are protected. Guidance from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) continues to emphasize strong, unique passwords and multi-factor authentication (MFA) as baseline security practices.
Today, most account compromises involve passwords that are stolen through phishing or reused across multiple accounts, so that a single compromised password can unlock other accounts. Therefore, improving security requires more than updating password rules alone.
How Account Protection Is Evolving
Passwords remain a key part of protecting accounts but have limitations. Even strong passwords can be exposed through data breaches. Once a password is compromised, attackers can often use it across multiple accounts.
Recommended practices from NIST and CISA reflect the following layered approach and form the baseline for protecting accounts:
- Use strong, unique passwords for each account
- Enable MFA to add a second layer of verification
- Use a password manager to securely generate and store passwords
In addition to the above, password-free sign-in options, often called passkeys, are becoming more widely available. These allow users to sign in using device-based verification such as a fingerprint, facial recognition, or PIN. Because this method works only with the legitimate website or application, it helps prevent users from entering login information into fake websites while eliminating password reuse.
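The "works only with the legitimate website" property comes from the way a passkey sign-in is bound to the site the browser actually loaded. The following is an added illustration, not code from the bulletin or from any vendor: it builds the two pieces the relying party receives during a passkey (WebAuthn) login, the browser's clientDataJSON and the authenticator data, and shows the checks a site performs on them. The site name, origin and challenge are constructed values; signature verification, which follows these checks in a real login, is omitted.

```python
import base64
import hashlib
import json

# Constructed sample values (hypothetical relying party, not a real site).
RP_ID = "shop.example"
ALLOWED_ORIGINS = {"https://shop.example"}
CHALLENGE = b"constructed-random-challenge"  # in practice: fresh random bytes per login


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str, user_present=True, user_verified=True, counter=1) -> bytes:
    """37-byte authenticator data prefix: SHA-256(rpId) || flags || signCount."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """The browser records the origin it actually rendered the page from; the page cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> str:
    """Return 'ok' or the reason the relying party rejects the login (signature check not shown)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch (replayed or stale login)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return f"origin {cd.get('origin')!r} not allowed"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"


def demo() -> dict:
    """Constructed scenarios: a genuine login, and one relayed from a lookalike domain."""
    genuine = check_assertion(make_client_data("https://shop.example", CHALLENGE),
                              make_authenticator_data(RP_ID), CHALLENGE)
    # A lookalike page is bound to its own domain, so both origin and rpIdHash fail at the real site.
    lookalike = check_assertion(make_client_data("https://shop-example.com", CHALLENGE),
                                make_authenticator_data("shop-example.com"), CHALLENGE)
    return {"genuine": genuine, "lookalike": lookalike}
```

This is why a passkey entered on a fake page yields nothing usable against the real site, whereas a typed password would.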
How Current Practices Are Enhanced
Beyond the baseline practices, current recommendations place greater emphasis on strengthening how access is verified to reduce the risk of account compromise.
These recommendations focus on the following:
- Prioritize password-free authentication, such as passkeys, where available
- Secure email accounts, which are commonly used for password resets
- Use stronger second factors, such as authenticator apps or hardware tokens, instead of SMS where possible
- Use a password manager to reduce password reuse and simplify credential management
- Use longer passphrases when passwords are required
These steps build on existing practices while reflecting a broader approach to protecting accounts for everyday use.
Practical Steps to Strengthen Account Security
Small businesses can take the following practical steps to strengthen account security.
- Review Password Practices: Ensure each account uses a strong, unique password. Avoid reuse, especially for critical accounts such as email and financial platforms. Where passwords are required, use longer passphrases.
- Enable MFA Across Key Accounts: Apply MFA wherever possible. Prioritize email, administrative, and financial accounts. Use stronger second factors, such as authenticator apps or hardware tokens.
- Use a Password Manager: Adopt a password manager to generate and store passwords securely and reduce reliance on memory.
- Consider Password-Free Options Where Available: Enable passkeys or similar options to simplify login and reduce exposure to password-based attacks.
- Stay Alert to Phishing: Train staff to recognize suspicious messages and avoid entering login information into unfamiliar or fake websites.
- Respond Quickly to Account Compromise: If an account may be compromised, change the password immediately, review reused passwords, and confirm MFA is enabled.
Conclusion
World Password Day highlights the importance of maintaining strong password practices as a foundation for account security. At the same time, current guidance reflects a broader shift toward strengthening how access is verified and reducing reliance on passwords alone. By applying these practical steps, small businesses can better protect their accounts.
The NCSS encourages businesses to adopt comprehensive security practices and stay informed about evolving technology trends. We recommend you consider becoming an NCSS member to access a wide range of our services. For more information, visit our Small Business page.
References
https://nonprofitcyber.org/common-guidance-on-passwords/
https://www.staysafeonline.org/articles/password-managers
https://www.staysafeonline.org/articles/what-to-do-if-your-password-manager-is-breached
https://www.nytimes.com/wirecutter/reviews/password-manager-tips/
https://www.ncsc.gov.uk/news/ncsc-leave-passwords-in-the-past-passkeys-are-the-future
https://www.ibm.com/think/topics/phishing-resistant-mfa
https://uktechnews.co.uk/2026/04/21/tech-ceo-issues-urgent-advice-ahead-of-world-password-day/
About the NCSS
The National Cybersecurity Society (NCSS) is committed to improving the online safety and security of the small business community through education, awareness, and advocacy. As a 501(c)(3) organization, the NCSS uses funds from charitable donations and grants to develop educational materials, webinars, weekly cyber tips, videos, and how-to guides. The organization’s goal is to enable and empower small and medium businesses to obtain cybersecurity services, assist them in understanding their cyber risk, and advise on the type of protection needed. We want to continue to grow our community and encourage you to tell other small businesses we are here to help.
The NCSS is committed to respecting the use of images in our communication efforts. Accordingly, unless otherwise specifically noted, the graphics in our bulletin are sourced under license from Adobe Stock. The header and footer images were designed and purchased through a contract with Eyedea Advertising & Design Studio.