AP Networking

Securing my device

Knowing that threats exist is only half the picture. This topic covers the practical actions users take to harden their devices against those threats — from creating strong passwords to choosing the right wireless encryption protocol.

Security as a set of habits

Device security is not a one-time event — it is a collection of ongoing habits. A strong password created once but reused everywhere, or a VPN turned on occasionally, provides far less protection than consistent application of security practices across all accounts and situations.

This topic provides the concrete actions, thresholds, and reasoning behind each security practice so you can apply them reliably and explain why each one matters.

What this topic covers

  • 1.4.A — Password security: complexity, length, lockout, and passphrases
  • 1.4.B — Anti-phishing habits and secure connection practices
  • 1.4.C — Device security controls: screen lock, MFA, updates, and permissions
  • 1.4.D — Wireless security: encryption standards, SSID, and router configuration

Password security

Passwords remain the most common form of authentication, and weak passwords are among the most exploited vulnerabilities. Understanding what makes a password strong — and what makes it weak — is foundational to account security.

Complexity: the four character sets

A strong password draws from all four character types, expanding the pool of possible characters at each position and dramatically increasing the number of combinations an attacker must try.

  • Uppercase letters: A B C … Z
  • Lowercase letters: a b c … z
  • Digits: 0 1 2 … 9
  • Special characters: ! @ # $ % ^

Length: more characters, more combinations

Each additional character multiplies the number of possible passwords by the size of the character pool, so the total grows exponentially with length. A minimum length requirement is only a baseline; longer is always better. This is why passphrases are effective: a sequence of several random words creates a very long password that is also easier to remember.

Example passphrase: "River-Cloud-Maple-Seven". Long, unrelated words: easy to remember, extremely hard to guess.

Avoid in passwords

  • Common words: "password," "admin," "welcome," "letmein"
  • Personal information: your name, pet's name, birthdate, username, or phone number
  • Predictable patterns: "Password1!", "abc123!", substituting "@" for "a"
  • Reused passwords across multiple accounts
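
The complexity, length and "avoid" rules above can be checked mechanically. The following is an added example, not part of the original study guide; the 12-character minimum, the substitution table and the function names are assumptions chosen for illustration.

```python
import math
import string

# Words taken from the "Avoid in passwords" list above.
COMMON_WORDS = ("password", "admin", "welcome", "letmein", "abc123")
# Undo predictable substitutions such as "@" for "a" (assumed table).
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i"})

CHARSETS = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digits": string.digits,
    "special": string.punctuation,
}


def search_space_bits(password):
    """log2(pool ** length): an upper bound that assumes random characters."""
    pool = sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def audit_password(password, personal_terms=(), min_length=12):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    if len(password) < min_length:  # min_length is an assumed threshold
        findings.append("too short")
    for name, chars in CHARSETS.items():
        if not any(c in chars for c in password):
            findings.append(f"missing {name}")
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    for word in COMMON_WORDS:
        if word in lowered or word in normalized:
            findings.append(f"contains common word '{word}'")
    for term in personal_terms:
        if term and term.lower() in lowered:
            findings.append(f"contains personal info '{term}'")
    return findings
```

A password such as "P@ssw0rd!2024" uses all four character sets and passes the length check, yet is still reported because the substitutions are reversed before the common-word comparison.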

Account lockout policies

An account lockout policy locks the account after a defined number of consecutive failed login attempts — typically 3 to 5. This prevents brute-force attacks by stopping repeated automated guessing before the attacker reaches the correct password.
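
The lockout behavior described above, as an added example that is not part of the original study guide. The class and function names are hypothetical, the event list is constructed, and unlocking (by an administrator or a timer) is left out.

```python
from collections import defaultdict


class LockoutPolicy:
    """Lock an account after `threshold` consecutive failed logins."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)  # account -> consecutive failures
        self.locked = set()

    def attempt(self, account, password_ok):
        """Process one login attempt; return 'ok', 'failed' or 'locked'."""
        if account in self.locked:
            # Once locked, even the correct password is refused.
            return "locked"
        if password_ok:
            self.failures[account] = 0  # a success resets the streak
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
            return "locked"
        return "failed"


def replay(events, threshold=5):
    """Replay (account, password_ok) events; return the outcome of each."""
    policy = LockoutPolicy(threshold)
    return [policy.attempt(account, ok) for account, ok in events]


# Constructed sample: alice mistypes twice and then logs in; an automated
# guesser targets bob and only reaches the right password on its 7th try.
SAMPLE_EVENTS = (
    [("alice", False), ("alice", False), ("alice", True)]
    + [("bob", False)] * 6
    + [("bob", True)]
)
```

With a threshold of 5, the seventh attempt against bob is refused even though the password is correct, while alice's two typos never lock her out because her successful login resets the count.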

Use unique passwords for every account

If the same password is used across multiple accounts and one site is breached, all accounts sharing that password are immediately at risk through credential stuffing. A password manager solves the management problem by securely storing unique credentials for every account, requiring only one master password to access them.

Anti-phishing habits and secure connections

Good security requires good habits — patterns of behavior that reduce risk across every interaction, not just during obvious attacks.

Anti-phishing habits

  • Verify the sender's email address before acting on any request, especially for credential input or wire transfers.
  • Hover over links to preview the actual destination URL before clicking.
  • Contact organizations directly using a trusted phone number or the official website — never through a link or number in the suspicious message.
  • Recognize urgency as a red flag — phishing messages often pressure users to act immediately to bypass their judgment.

Secure connection practices

  • Use a VPN on public Wi-Fi networks to encrypt all traffic between your device and the VPN server, preventing eavesdropping.
  • Avoid public Wi-Fi for sensitive tasks when possible — prefer mobile data or a VPN-protected connection.
  • Use HTTPS sites — look for the padlock and "https://" prefix to ensure the connection between your browser and the server is encrypted.

Device security controls

Beyond passwords, several device-level settings and habits directly reduce attack surface and limit damage if credentials are compromised.

Software and firmware updates

Updates patch known security vulnerabilities in the operating system, applications, and device firmware. Enable automatic updates to minimize the time between a vulnerability disclosure and your protection from it. This applies to routers and IoT devices as well.

Multi-factor authentication (MFA)

MFA requires a second form of verification beyond the password — such as a code from an authenticator app, a biometric, or a hardware key. Even if a password is stolen through phishing or a breach, an attacker cannot access the account without the second factor.

Screen lock

Setting a screen lock (PIN, password, or biometric) and enabling automatic lock after a short period of inactivity prevents unauthorized access to an unattended device. If a device is lost or stolen, the screen lock is the primary barrier preventing attacker access to all stored data and accounts.

Disable auto-connect

Devices that automatically connect to previously joined networks can be tricked into connecting to a malicious hotspot using the same name as a trusted network. Disabling auto-connect, especially to public networks, ensures users make a conscious decision each time.

Disable unused app permissions

Applications often request permissions exceeding what their stated function requires — access to the microphone, camera, contacts, or location. Granting unneeded permissions expands the potential damage if the app is malicious or compromised. Disable permissions that the app does not functionally need.

Change default credentials

Routers, smart home devices, IP cameras, and other networked devices ship with known default usernames and passwords. Attackers routinely attempt these defaults. Change the admin password immediately after setup, and set a unique strong password for each device.

Wireless network security

Your wireless network is the gateway to all devices in your home or office. Securing it with strong encryption, unique credentials, and proper configuration closes some of the most commonly exploited entry points.

Wireless encryption standards

Encryption protects data transmitted over the air between devices and the access point. Not all standards offer equal protection — some are fundamentally broken and should be disabled entirely.

  • WPA3: Recommended. Strongest available protection against offline dictionary attacks and eavesdropping.
  • WPA2: Minimum acceptable. Adequate when WPA3 is unavailable, but weaker than WPA3 against offline attacks.
  • WPA (original): Insecure. Do not use. Has known vulnerabilities that allow traffic to be decrypted.
  • WEP: Insecure. Do not use. Can be cracked in minutes with freely available tools.

SSID configuration

  • Use a unique SSID. Default SSIDs reveal the router manufacturer and possibly the model, allowing attackers to look up known vulnerabilities for that device.
  • Pair it with strong authentication. An SSID alone tells an attacker the network name — it is the password and encryption that prevent them from joining.

Router and network configuration

  • Change default admin credentials immediately after setup — these are publicly documented for all router models.
  • Disable WPS (Wi-Fi Protected Setup) — its PIN mode has a well-known vulnerability that allows brute-force network access.
  • Use a long, complex, unique Wi-Fi password — all four character sets, well above the minimum length, not reused from other accounts.

Why disable WPS?

WPS has a design flaw in its PIN mode: the 8-digit PIN is verified in two halves, reducing the effective combinations to about 11,000. An attacker can brute-force this in minutes to gain full network access — regardless of how strong the Wi-Fi password is. Disabling WPS entirely removes this vulnerability.

Security checklist at a glance

Passwords and authentication

  • All four character types; exceeds minimum length
  • No personal info, common words, or predictable patterns
  • Unique password for every account
  • MFA enabled on all accounts that support it
  • Account lockout after 3–5 failed attempts

Device and network security

  • OS, apps, and firmware updated (auto-update enabled)
  • Screen lock active with short auto-lock timeout
  • Auto-connect to public networks disabled
  • App permissions limited to what each app actually needs
  • VPN used on public Wi-Fi; HTTPS verified for sensitive sessions

Wireless network

  • WPA3 encryption enabled (WPA2 minimum)
  • Unique SSID; default router credentials changed
  • WPS disabled
  • Strong, unique Wi-Fi password

Anti-phishing

  • Verify sender before acting on any request
  • Hover links to check actual destination
  • Contact organizations through trusted channels, not email links