New Year Security Resolutions: 10 Habits for 2026
TL;DR
Start 2026 with security habits that actually stick. From password hygiene to threat modeling, here are 10 practical resolutions that will make you a more security-conscious developer.
A new year means fresh starts, ambitious goals, and the perfect opportunity to level up your security game. Whether you're a developer just starting to think about security or a seasoned professional looking to reinforce good habits, these ten resolutions will help you build a more secure 2026.
Unlike vague resolutions like "be more secure," each of these is specific, actionable, and designed to become a lasting habit. Let's dive in.
1. Use a Password Manager for Everything
If you're still reusing passwords or keeping them in a spreadsheet, 2026 is your year to change. Password managers like 1Password, Bitwarden, or even the built-in options in your browser eliminate the cognitive load of remembering unique passwords for every service.
The habit: Every time you create a new account, generate a random password with your manager. Every time you find an old account with a weak password, update it. By the end of Q1, aim to have zero reused passwords.
Pro tip: Get your family onto a password manager too (most offer family plans with shared vaults). Most breaches start with a compromised family member's account that shares credentials with something you care about.
2. Enable Multi-Factor Authentication Everywhere
MFA is no longer optional. With credential stuffing attacks happening constantly, your password alone isn't enough. Start with your most critical accounts: email, banking, cloud providers, and source code repositories.
The hierarchy of MFA (from strongest to weakest):
Hardware keys (YubiKey, Titan) > Authenticator apps (Authy, Google Authenticator) > Push notifications > SMS codes. Hardware keys rank highest because FIDO2/WebAuthn responses are bound to the site's origin, so a phishing page cannot replay them; push approvals can be worn down by repeated prompts. Avoid SMS when possible—SIM swapping attacks are real and increasingly common.
The habit: Spend one hour this week auditing all your accounts. Enable MFA on every service that supports it. Keep a hardware key on your keychain as your primary authentication method.
3. Review Code with Security in Mind
Code review is your first line of defense against security vulnerabilities. Yet most developers focus solely on functionality and code style. This year, add a security lens to every review.
Questions to ask in every review:
Does this code handle user input? If so, is it validated and sanitized? Are there any hardcoded secrets? Does this change affect authentication or authorization? Could this code be exploited if an attacker controls the input?
The habit: Create a security checklist template for your team's PRs. Require at least one security-focused comment on every pull request, even if it's just "No security concerns identified."
4. Keep Your Dependencies Updated
Supply chain attacks dominated headlines in 2025, and they're not slowing down. Outdated dependencies are one of the easiest attack vectors—and one of the most preventable.
Set up automated tooling: Dependabot, Renovate, or Snyk can automatically create PRs for dependency updates. Configure them to run weekly and prioritize security patches.
The habit: Dedicate the first Monday of each month to dependency maintenance. Review and merge security updates, audit new dependencies before adding them, and remove packages you no longer need.
5. Learn One New Vulnerability Class Per Month
Security is a broad field, and no one knows everything. Commit to learning one new vulnerability class deeply each month. By December, you'll have a solid understanding of 12 different attack vectors.
A suggested 2026 curriculum: January: XSS, February: SQL Injection, March: CSRF, April: IDOR, May: SSRF, June: JWT attacks, July: Deserialization, August: Race conditions, September: Prototype pollution, October: OAuth vulnerabilities, November: GraphQL attacks, December: AI/LLM security.
The habit: Set a calendar reminder for the first of each month. Spend that weekend reading about the vulnerability, then practice exploiting it in a CTF environment like AliceSec or HackTheBox.
6. Practice Threat Modeling
Threat modeling is thinking like an attacker before building your system. It's asking "what could go wrong?" systematically rather than hoping you've covered all the bases.
Simple threat modeling framework (STRIDE): Spoofing (can someone pretend to be someone else?), Tampering (can data be modified?), Repudiation (can actions be denied?), Information Disclosure (can secrets leak?), Denial of Service (can the system be crashed or made unavailable?), Elevation of Privilege (can users gain unauthorized access?).
The habit: Before starting any new feature, spend 15 minutes drawing a data flow diagram and walking through STRIDE for each component. Document your findings in the design doc.
7. Encrypt Sensitive Data at Rest and in Transit
HTTPS everywhere is table stakes in 2026. But encryption goes beyond just TLS—you need to protect data at rest in your databases, backups, and logs.
Quick wins: Enable disk encryption on all development machines. Use encrypted database columns for PII. Ensure your cloud provider's encryption-at-rest is enabled. Audit your logging to ensure sensitive data isn't being logged in plaintext.
The habit: When designing any data storage, ask: "What happens if this database is exfiltrated?" If the answer isn't "attackers get encrypted garbage," you have work to do.
8. Secure Your Development Environment
Your laptop is a high-value target. It contains source code, credentials, access tokens, and often direct access to production systems. Treat it accordingly.
Development environment security checklist: Full disk encryption enabled. Firewall enabled. Automatic screen lock after 5 minutes. No credentials in shell history. SSH keys protected with passphrases. Regular OS and software updates.
The habit: Run a security audit of your development machine this week. Use tools like Lynis (Linux/Mac) or Windows Security to identify and fix vulnerabilities.
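As an added example (not from the original post), here is a small POSIX shell self-audit covering two of the checklist items above, credential-looking lines in shell history and private keys stored without a passphrase; the same scan doubles as the plaintext-secrets check for log files from resolution 7. The regex and function names are my own; the format markers it relies on (the PEM Proc-Type header, the openssh-key-v1 magic followed by the cipher name) are how those key formats record encryption.

```shell
#!/bin/sh
# Added example (not from the original post): a workstation self-audit for two
# checklist items: "no credentials in shell history" (the same scan works on
# log files, per resolution 7) and "SSH keys protected with passphrases".

# Heuristic for secrets in the clear: key=value assignments, bearer tokens,
# and two well-known token prefixes (AWS access key id, GitHub PAT).
SECRET_RE='(password|passwd|secret|api[_-]?key|token)[a-z0-9_-]*[[:space:]]*[=:][[:space:]]*[^[:space:]]+'
SECRET_RE="$SECRET_RE|authorization:[[:space:]]*bearer[[:space:]]+[^[:space:]]+|AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{20,}"
# Print matching lines of FILE with line numbers; print the count of them.
find_plaintext_secrets() { grep -inE "$SECRET_RE" "$1" || true; }
count_plaintext_secrets() { grep -ciE "$SECRET_RE" "$1" || true; }

# Return 0 if the private key in FILE is passphrase-protected, 1 if not.
# Legacy PEM flags encryption with "Proc-Type: 4,ENCRYPTED", PKCS#8 with its
# "BEGIN ENCRYPTED PRIVATE KEY" armor; the OpenSSH format stores the cipher
# name right after the "openssh-key-v1" magic, literally "none" when unencrypted.
key_is_passphrase_protected() {
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # Strip armor, decode, drop control bytes (the length fields), then
        # check whether the cipher name following the magic is "none".
        if sed '1d;$d' "$1" | base64 -d 2>/dev/null | head -c 64 \
                | tr -d '\000-\037' | grep -aq '^openssh-key-v1none'; then
            return 1
        fi
        return 0
    fi
    return 1   # any other PEM private key without a Proc-Type header
}
# Print every private key file under DIR that lacks a passphrase.
report_unprotected_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] && grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        key_is_passphrase_protected "$f" || echo "$f"
    done
}
# Audit the current user's history files and ~/.ssh; run as: sh <this file> --audit
main() {
    for h in "$HOME/.bash_history" "$HOME/.zsh_history"; do
        [ -f "$h" ] || continue
        echo "== $h: $(count_plaintext_secrets "$h") credential-looking line(s)"
        find_plaintext_secrets "$h"
    done
    echo "== private keys without a passphrase in $HOME/.ssh:"
    report_unprotected_keys "$HOME/.ssh"
}
if [ "${1:-}" = "--audit" ]; then main; fi
```

Any history hit should be followed by rotating the exposed credential, not just deleting the line; a key reported without a passphrase can be fixed in place with `ssh-keygen -p -f <keyfile>`.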
9. Practice Incident Response
You don't want your first experience with a security incident to be a real one. Practice makes the chaos manageable.
Tabletop exercise ideas: What if your database is breached? What if a developer's laptop is stolen? What if you discover malware in a dependency? What if your cloud provider is compromised? Walk through each scenario with your team.
The habit: Schedule a quarterly incident response drill. Pick a scenario, set a timer for 30 minutes, and work through your response as a team. Document what worked and what didn't.
10. Share Your Knowledge
Security improves when knowledge spreads. Don't keep what you learn to yourself—share it with your team, your company, and the broader community.
Ways to share: Write internal documentation about secure coding practices. Give a brown bag lunch talk on a vulnerability you've learned. Contribute to open-source security tools. Write a blog post about a security concept.
The habit: Commit to one security knowledge-sharing activity per quarter. By the end of the year, you'll have made a meaningful impact on your organization's security culture.
Making It Stick
The difference between resolutions that stick and those that fade by February is specificity and accountability. Here's how to make these habits last:
Start small: Don't try to implement all ten at once. Pick three that resonate most and focus on those for Q1.
Track progress: Create a simple spreadsheet or use a habit tracking app. Visible progress is motivating.
Find accountability partners: Share your resolutions with colleagues. Better yet, make them team goals.
Celebrate wins: When you catch your first vulnerability in code review or successfully respond to a drill, acknowledge it. Security work often goes unnoticed—make sure to recognize progress.
Conclusion
Security isn't a destination—it's a practice. These ten resolutions aren't about achieving perfect security (which doesn't exist) but about building habits that continuously improve your security posture.
Start with one habit. Master it. Add another. By the end of 2026, you'll be surprised how much your security mindset has evolved.
Here's to a more secure 2026. Happy New Year!