Secure your passwords

Once you’ve created a strong password, follow these guidelines to keep it secure:

Don’t share a password with anyone. Not even a friend or family member.

Never send a password by email, instant message, or any other means of communication that is not reliably secure.

Use a unique password for each website. If crooks steal your account information from one site, they'll try to use those credentials on hundreds of other well-known websites, such as banking, social media, or online shopping, hoping you've reused the password elsewhere. That's called a "Credential stuffing attack" and it's extremely common.

If you don’t want to memorize multiple passwords, consider using a password manager. The best password managers will automatically update stored passwords, keep them encrypted, and require multi-factor authentication for access. 

It's ok to write your passwords down, as long as you keep them secure. Don't write them on sticky notes or cards that you keep near the thing the password protects, even if you think they're well-hidden.

Or just a hint...

Rather than writing down your password, consider writing down a hint that reminds you of what the password is. So if your password is "Paris4$pringVacation" you could write down "Your favorite trip."  

Change passwords immediately on accounts you suspect may have been compromised.

Enable multifactor authentication (MFA) whenever available. MFA requires more than one kind of credential to sign into an account — such as requiring both a password and a one-time code generated by an app. This adds another layer of security in case someone guesses or steals your password. 

Tip: If you’re asked to create answers to security questions, provide an unrelated answer. For example, if the question is "Where were you born?" you might answer "Green." Answers like these can’t be found by trolling Twitter or Facebook. (Just be sure they make sense to you, so you'll remember them.)

Don’t be tricked into revealing your passwords

Criminals can try to break your password, but sometimes it’s easier to exploit human nature and trick you into revealing it. 

If you receive an email message that appears to be from an online store (like eBay or Amazon) or a phone call from your “bank” that tries to convince you of the “legitimate” need for your password or other sensitive information, it could be a phishing scam.

Here are some guidelines to follow to protect your passwords and other sensitive information:

Be wary of anyone who is requesting sensitive info from you, even if it appears to be someone you know or a company you trust. For example, a crook may have hijacked a friend’s account and sent email to everyone in the friend’s address book. Treat all unexpected requests for sensitive info with caution.

Never share your password in response to an email or phone call — for example, to verify your identity — even if it appears to be from a trusted company or person.

Always access websites using trusted links. Scammers can copy the look of a company’s communications to fool you into clicking a phony link or attachment, so use caution with links that appear in unsolicited emails, social media, or SMS messages.

If in doubt, go directly to the official website of the bank or other service you’re trying to access using your own bookmark or by typing the legitimate address of the service yourself.

Above info courtesy Microsoft.

Good point Dave.