Passwords are the key to your digital life. And chances are, you’ll find yourself juggling multiple passwords throughout the day.
Creating and managing strong passwords amidst rising cyber threats is daunting and sometimes inconvenient. Fortunately, there are best practices you can follow to make your passwords as secure as possible.
By using strong, unique passwords and changing them regularly, employees can significantly reduce their risk of falling victim to cyber threats such as brute force attacks, credential stuffing, and dictionary attacks.
Based on expert advice and National Institute of Standards and Technology (NIST) guidelines, here are the most effective strategies for password management in 2024.
Password Management Best Practices for 2024
A surprising number of people don't put effort into password hygiene, even when these passwords safeguard sensitive information. To help you fortify your cybersecurity posture, here are a few password best practices for 2024:
Implement Multi-Factor Authentication (MFA)
In today's digital age, passwords alone are no longer sufficient to protect against threats. Cybercriminals use techniques like credential stuffing, where they use stolen account credentials to gain unauthorized access to user accounts, and brute-force attacks, where they attempt to guess a user's password until they get it right.
Using multi-factor authentication (MFA) ensures that, even if a malicious actor obtains your password, they will still need a second form of authentication in order to gain entry. MFA requires users to provide two or more verification factors to access a website or application, combining at least two of the following categories:
- Something you know (password or PIN)
- Something you have (smartcard or mobile device)
- Something you are (biometrics, like a fingerprint or voice recognition)
Many platforms that require a login, such as email accounts and CRMs, offer MFA as an option in their settings. Enabling it helps ensure that only the people who are meant to have access can get it.
Don't Repeat or Cycle Through Passwords
A surprising number of people reuse passwords regardless of the risks. Microsoft revealed that 73% of users have the same password for work and personal accounts. This is a significant issue because all it takes is one unsecured personal account getting hacked for the hacker to become a potential threat to the company.
Similarly, cycling between a handful of passwords can leave a user vulnerable to hackers. Each time you create or update a password, it should be completely new.
Change Passwords When Employees Leave
Businesses must establish protocols for managing passwords when an employee departs, including resetting shared passwords and ensuring all individual access rights are revoked.
Changing passwords ensures disgruntled ex-employees can't access systems or data with remembered or written-down passwords. Even if employees leave on good terms, their retained access could pose a threat. For instance, if their personal systems are compromised, so too could the company systems they still have access to.
Don't Write Down Passwords
Writing down your password is equivalent to turning your home security alarm off and leaving your door unlocked. It’s a welcome invitation for bad actors to use your login credentials without your consent. No matter how strong your password is, it's no longer secure if it can be copied.
If remembering passwords is an issue, there are more effective and secure alternatives than writing them down. For instance, a password manager acts as a digital safe for passwords and usernames, which employees can access when they forget a password. When password management tools are easy to use, the end-user adoption rate will likely be higher.
Never Share Passwords
It's simple: sharing your password (especially when the same password is used for personal and work accounts) compromises every account that uses that password. Though this may be inconvenient for employees who work together on teams, it's less inconvenient than having passwords stolen and being locked out of portals.
Create a Password Blacklist
A password blacklist is a collection of weak passwords that shouldn't be used. Make a list of these blacklisted passwords and share copies with every employee. Passwords that should be included on the password blacklist include:
- Common passwords such as Password, 1234, qwerty, and other similar phrases
- Passwords that are too closely linked to a company’s name, address, or similar easily found information
- Passwords or phrases that include employees’ personal information such as phone numbers, birthdays, kids’ names, etc.
Educate Employees Regularly
Regularly educating employees on password best practices is vital to maintaining a strong cybersecurity posture. It helps prevent unauthorized access and data breaches by ensuring employees know how to create unique passwords and understand the importance of regularly updating them. Regular education also equips employees with the knowledge to recognize and avoid potential phishing attempts or other cyber threats that target user credentials.
4 Common Password Mistakes to Avoid
Along with implementing the above password best practices, it’s important to avoid some of the common password mistakes that many employees make.
1. Don't Use Common Words or Numbers
Creating a password from common words or strings of numbers is one of the easiest ways to have your password cracked and stolen. Here are a few examples:
- password or password1
- 123456 (123456789 is equally insecure)
2. Don't Use Information Found Online
Most people use readily available information for their passwords, such as birthdays, anniversaries, and kids' and pets' names. With a little research, an attacker needs only a few simple guesses to crack most people's passwords.
The problem is that hackers expect many people to use very common passwords like meaningful names and numbers to help with recall. These words and number strings are too obvious to be secure and are very easy for hackers to figure out. It only takes a glance at your social media profile to gather basic information, so come up with something not readily available.
3. Not Using a Combination of Upper and Lowercase Letters, Numbers, and Symbols
Mixing uppercase and lowercase letters, numbers, and symbols is a good way to create complex passwords when combined with other best practices.
Remember that hackers know that letters and numbers are commonly switched, so don't assume implementing this one tip without the others is enough to secure your password.
4. Don’t Use a Password, Use a Passphrase
A passphrase is a sequence of words that creates a phrase. Passphrases, like passwords, can include symbols and numbers and usually have spaces. For example:
- 2 be or not 2 be, that is the ?
- I love 2 eat ice-cream!
Princeton's Department of Computer Science recommends that passwords are a minimum of 20 characters in length and that they comprise a minimum of two character sets (letters, numbers, and special characters).
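As an added example (not code from the original post), here is a Python policy checker that enforces the blacklist rules from the "Create a Password Blacklist" section together with the minimum length and two-character-set rule cited above; the blacklist, the placeholder company details and the employee profile are constructed assumptions, and the checker also undoes common letter-for-number swaps so that "P@ssw0rd" is still rejected as "password".

```python
import re
# Constructed blacklist (illustrative; a real deployment loads a large breached-password list).
COMMON_PASSWORDS = {"password", "password1", "1234", "123456", "123456789", "qwerty"}
# Constructed details for a placeholder company (assumption, not a real organization).
ORG_TERMS = ("examplecorp", "42 main street")
# Letter/number swaps attackers routinely try, so 'P@ssw0rd' still reads as 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH, MIN_CHARACTER_SETS = 20, 2  # minimums cited on the page (letters, digits, specials)


def compact(text):
    """Lowercase and keep only letters and digits, for substring comparisons."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def character_sets(password):
    """Count which of letters, digits and specials appear (spaces count as neither)."""
    letters = any(c.isalpha() for c in password)
    digits = any(c.isdigit() for c in password)
    specials = any(not c.isalnum() and not c.isspace() for c in password)
    return letters + digits + specials


def personal_terms(user):
    """Strings an attacker could harvest from a profile: names, phone, birthday."""
    terms = {n.lower() for n in user.get("names", [])}
    phone = re.sub(r"\D", "", user.get("phone", ""))
    if phone:
        terms.update({phone, phone[-4:]})
    if user.get("birthday"):  # expected as YYYY-MM-DD
        y, m, d = user["birthday"].split("-")
        terms.update({y, m + d, d + m, y + m + d, d + m + y, m + d + y[2:]})
    return {t for t in terms if len(t) >= 3}


def check_password(password, user=None):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    variants = {compact(password), compact(password.translate(LEET))}
    if any(v in {compact(c) for c in COMMON_PASSWORDS} for v in variants):
        problems.append("matches a blacklisted common password")
    for term in ORG_TERMS:
        if any(compact(term) in v for v in variants):
            problems.append(f"contains organization term '{term}'")
    for term in sorted(personal_terms(user or {})):
        if any(term in v for v in variants):
            problems.append(f"contains personal information '{term}'")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_sets(password) < MIN_CHARACTER_SETS:
        problems.append(f"uses fewer than {MIN_CHARACTER_SETS} character sets")
    return problems
```

The two passphrases listed above pass every check, while a leet-spelled dictionary word or a password built from a profile detail is rejected with the reason spelled out.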
Keeping Passwords Protected In and Out of The Workplace
With cyber threats evolving at a rapid pace, traditional methods of password creation and storage no longer suffice. A good rule of thumb is that if it's easy for you to remember, it’s not a secure password.
By establishing stricter password guidelines and educating employees on best practices to minimize potential password risks, employers can help protect their network and sensitive information, plus keep their employees safe whether in the office or working remotely.
Get in touch to find out how SymQuest can help you create a comprehensive corporate password policy and a robust employee cybersecurity training program for your organization.
Editor's Note: This post was originally published on October 27, 2020, and has been updated for accuracy and current best practices.