Best Practices for Maintaining Strong Passwords
Written By: Dan Hernandez
Passwords are the keys to our digital lives, but weak passwords can expose accounts and data to compromise. Let’s learn essential tips for proper password hygiene to secure your organization. Weak, reused passwords are behind 81% of data breaches. Applying password best practices is critical for security.
1. Use a Password Manager
A password manager stores unique, complex passwords for all your accounts in an encrypted vault.
The Importance of Password Managers
A dedicated password manager application is vital for managing passwords securely across all online accounts. Password managers provide a number of key benefits:
Convenient access to strong unique passwords - The password manager securely stores complex random passwords for each account in an encrypted vault. Users only have to remember one master password to unlock the vault.
Password auto-fill and capture - Managers can automatically fill in login credentials on websites and apps secured behind them. New passwords are also auto-captured and stored when creating accounts.
Password strength generation - Built-in password generators instantly create long, random, and complex passwords that are virtually impossible to crack.
Cross-device syncing - Cloud-based syncing enables access to the password vault on all registered mobile and desktop devices. Passwords can be accessed on-the-go.
Reduced password reuse - With unique passwords for each account, the threat of credential stuffing attacks is greatly minimized. A breach on one service doesn't compromise others.
Security alerts - Password managers warn against reused or weak credentials, alert on breaches, and provide security advice specific to each site and app.
Leading password managers like Keeper, Dashlane, and 1Password incorporate these features with advanced security protections like zero-knowledge encryption to prevent unauthorized access.
2. Go Long and Strong
Length and complexity together make passwords difficult for cybercriminals to crack through brute force. Some tips for creating strong passwords:
Set a minimum 12 character length, longer is better. Short passwords get cracked quickly regardless of complexity.
Include a truly random mix of upper and lower case letters, numbers, and symbols. Avoid predictable patterns.
Avoid basing passwords on personal information, common words, or consecutive keyboard patterns that are easy to guess.
Consider using passphrases by combining multiple words together with added complexity. This creates long yet easy to remember passwords.
Use random password generators like those built into managers to effortlessly create passwords that are long and complex.
Never reuse the same password across multiple accounts. Unique passwords protect against credential stuffing.
Change passwords periodically and avoid past passwords. Stale credentials are goldmines for hackers.
With strong unique passwords for each account, enabled by the convenience of password managers, users can confidently protect their online identities and data.
3. Avoid Common Pitfalls
Weak, reused, and compromised passwords are behind the majority of cybersecurity incidents. Organizations should educate employees to avoid these unsafe practices:
Password reuse
Password reuse across multiple accounts and sites. When one password is leaked or cracked, attackers gain access to all accounts protected by that same password.
Short, simple passwords
Using simple, short, or guessable passwords based on names, dictionary words, common phrases, keyboards patterns, dates, etc. These are easily brute forced or cracked with password guessing tools.
Using Personal information
Incorporating personal facts like addresses, phone numbers, or birthdates into passwords. This information is discoverable through social engineering or public sources.
Physical versions
Writing passwords down and storing them in insecure physical locations like under keyboards or desk drawers where they can be easily stolen.
Never changing passwords
Failing to change default passwords that come preset on new devices and accounts. Default passwords are widely known in hacker communities.
Small changes
Making only minor changes to the same root password across accounts through techniques like leet speak, capitalization changes, appending digits, etc. Password spraying can guess these.
All accounts matter
Using shorter passwords for less important accounts. Compromise of any password jeopardizes all accounts if password reuse is practiced.
Organizations should establish and enforce strong password policies. Multifactor authentication provides an added layer of protection. Password managers encourage unique, complex passwords for all accounts.
4. Enable Multi-Factor Authentication
As the digital landscape becomes more complex and cyber threats more sophisticated, relying solely on passwords for account security is increasingly inadequate. Multi-Factor Authentication (MFA) serves as an essential upgrade to cybersecurity protocols. By requiring multiple forms of verification, MFA makes it much harder for unauthorized users to gain access to critical information or systems. Here's an in-depth look at why enabling MFA is crucial and how it can be implemented effectively.
The Mechanics of MFA
The primary goal of MFA is to add an additional layer—or layers—of security that makes it exponentially more difficult for unauthorized users to gain access to an account or system.
Mechanisms
Something You Know: This is usually the password or PIN number. This layer is something that the user has committed to memory.
Something You Have: This could be a smartphone where a code can be sent, or a hardware key that needs to be inserted into the computer.
Something You Are: This is a biometric form of identification like a fingerprint, facial recognition, or even retinal scans in more advanced systems.
Types of MFA Credentials
Password and One-Time Code
How It Works: Upon entering the password, a one-time code is generated by an authenticator app or received via SMS, which needs to be entered to gain access.
Best For: Online accounts, cloud services, and internal systems where an additional layer of security is needed.
Password and Biometric Verification
How It Works: After entering the password, the user must authenticate their identity through a fingerprint scan or face ID on compatible devices.
Best For: Mobile devices and high-security environments where you want to ensure that the person logging in is definitely the account owner.
Implementation Steps
Require MFA Across Employee Accounts
Policy Creation: Formulate a company-wide policy requiring the use of MFA for all employee accounts.
Technology Selection: Choose the types of MFA that best suit your organization's needs—be it app-based, SMS-based, or biometric.
Employee Training: Educate employees on how to set up and use MFA, emphasizing its importance for cybersecurity.
Enable MFA on All Systems
Inventory: Take stock of all the systems your organization uses that support MFA and enable it.
Third-Party Services: Ensure that MFA is enabled for third-party services where employees may have accounts tied to work.
Regular Audits: Periodically review the systems and accounts to ensure that MFA is active and functioning as intended.
In today's cybersecurity landscape, MFA is not a luxury or an optional feature; it's a necessity. By requiring multiple forms of authentication, you significantly reduce the risk of unauthorized access, thereby safeguarding both individual accounts and organizational systems. MFA acts as a robust security net, catching unauthorized attempts to access sensitive data and keeping your digital environment secure.
5. Educate Employees
With rising phishing threats, employees present a major password vulnerability. Educate staff on:
The security landscape is constantly evolving, with new threats and vulnerabilities emerging almost daily. While technological solutions like firewalls and antivirus programs are essential, the human element remains a critical yet often overlooked aspect of cybersecurity. Employees, if uneducated about best practices, can inadvertently become the weak link that exposes an organization to cyber threats. A well-rounded approach to cybersecurity involves equipping staff with the knowledge and tools to act as a robust last line of defense.
1. Identifying and Reporting Phishing Emails
The aim is to empower employees to recognize and report phishing emails, which often act as the initial entry point for larger cyberattacks.
Action Steps
Training Modules: Use interactive training modules to teach employees the tell-tale signs of phishing emails, such as unusual sender addresses, spelling errors, and unsolicited attachments.
Reporting Protocols: Establish an easy-to-use reporting mechanism for employees to flag suspected phishing emails to the IT department for further investigation.
2. Proper Password Hygiene
To foster a culture where strong, unique passwords are the norm, and enabling Multi-Factor Authentication (MFA) is standard practice.
Action Steps
Guidelines: Provide clear guidelines on what constitutes a strong password, emphasizing the importance of complexity and uniqueness.
MFA: Make it mandatory for employees to set up MFA where possible, adding an extra layer of security to their accounts.
3. Use of Approved Corporate Password Managers
To ensure that employees are storing their credentials in a secure and organized manner, mitigating the risk of password leaks.
Action Steps
Approved List: Share a list of company-approved password managers that meet the organization's security standards.
Training: Conduct periodic training sessions to show employees how to use these password managers effectively.
4. Strong Password Creation Best Practices
To encourage the creation of passwords that are both secure and manageable, making it difficult for attackers to crack them.
Action Steps
Educational Content: Distribute cheat sheets or infographics that outline the elements of a strong password.
Regular Audits: Use automated tools to periodically check the strength of employees' passwords and prompt them to make changes if necessary.
5. Reporting Compromised Accounts or Suspicious Activity
To set up a quick and efficient response system for situations where an employee believes their account has been compromised.
Action Steps
Immediate Reporting: Create a straightforward reporting channel, such as a dedicated email address or hotline, where employees can report security incidents.
Incident Response Team: Assign a specialized team to handle these reports and initiate immediate remedial actions.
Ongoing education is the cornerstone of this cybersecurity approach. Regularly updated training sessions, periodic reminders, and even simulated phishing exercises can keep employees alert to the ever-changing landscape of cyber threats. It's not just about preventing a single incident but about instilling a culture of continuous vigilance. By doing so, employees become an asset in your cybersecurity strategy, rather than a liability. This proactive stance is more than just a best practice—it's an essential component of modern cybersecurity.
6. Conclusion
As cyberattacks become more advanced, maintaining password security is crucial. Applying password best practices like unique passphrases, password managers, MFA, and user education provides important protection for defending data and accounts against compromise.
Strengthening authentication through robust passwords and multi-factor reduces organizational risk while preventing unauthorized access. On World Password Day and beyond, put these password tips into practice across your systems and users to bolster your cyber defenses.
7. FAQs
1. How often should passwords be changed?
For maximum security, passwords should be unique per account and changed immediately in the event of any potential compromise. Mandating regular password changes every 60-90 days was once common but is no longer considered a best practice.
2. Should users be required to use special characters in passwords?
Special characters can enhance complexity, but length is much more important than arbitrary complexity rules. Focus first on increasing length, avoiding common words, and mandating 2FA for stronger account security.
3. What is the bare minimum length for relatively secure passwords?
At minimum, 8 character passwords are recommended. But 12+ characters is ideal and significantly more resistant to guessing and brute force attacks.
4. How can organizations detect compromised credentials?
Monitoring systems for anomalous logins and integrations with identity management systems can detect compromised credentials in use so they can be reset immediately.
5. Should passwords be masked when entering?
Yes, password fields should mask entry by default to prevent password exposure through over the shoulder snooping. But passwords should be unmasked for brief visibility during entry to avoid typos.
PCS is a world-class leader in protecting data & identity for businesses and non-profits. We provide a critical service to businesses and non-profits by managing cybersecurity risks, including ransomware, crypto walkers, phishing emails, and other evolving cyber crimes. See how IT services can benefit your company.