Are You Following These Password Security Best Practices?
Let’s face it—at some point, we’ve all been guilty of using “123456” as a password. Or at least 24% of us have been, according to online password statistics that claim it’s the most common password in the world. Although today’s IT security landscape is layered and multi-faceted, passwords still remain our first line of defense against unauthorized access to our information. Let’s dive into better understanding their importance.
Why Strong Passwords are So Critical
As data breaches and cybersecurity incidents proliferate, it’s critical for individuals and organizations to understand and adhere to a set of key password management principles that will protect your information from falling into the wrong hands. Verizon’s 2022 Data Breach Investigations Report revealed that weak or stolen passwords are to blame for 81% of all data breaches—a staggering number that further adds emphasis to maintaining strong password management policies.
But why are our passwords so weak in the first place? It’s no wonder we bend the rules when the average person is juggling between 70-80 passwords. Between all the apps, online accounts, banking profiles, membership subscriptions and more, it’d be nearly impossible to have unique, complex and ironclad credentials managed solely by memory. That’s why taking the risk of human error out of the fold by leveraging technology is at the core of our password management principles.
The Six Password Management Principles
1) Use Strong and Unique Passwords
There are two components to this principle. First, a strong password is one that is at least 12 characters long and contains a mix of uppercase and lowercase letters, numbers, and symbols. At all costs, avoid using easily guessable information such as your name, birthdate, pet's name or easy-to-repeat keyboard combinations. You might think you’re being crafty in doing so, but take a look at the keyboard patterns of the world’s 10 most common passwords:
123456
123456789
Qwerty
Password
12345
Qwerty123
1q2w3e
1234 5678
111111
1234567890
The second component here is having unique passwords. According to Dataprot, 51% of people have the same password for their work and personal accounts. If a hacker gains access to credentials for one of your accounts and you use the same password across profiles, imagine how easy it becomes for them to exploit your information. From a corporate security perspective, this is a major risk—once a threat actor is inside a network, it becomes much easier for them to move laterally with malicious intent.
2) Enable Two-Factor Authentication
Two-factor authentication adds an extra layer of security to your accounts by requiring a second form of identification, such as a fingerprint or a code sent to your phone. This makes it much harder for hackers to gain access to your accounts, even if they have your password. According to Microsoft, MFA blocks 99.9% of all password safety issues. Long story short? Run, don’t walk if your organization has yet to implement it!
3) Use a Password Manager
A password manager is a tool that stores your passwords in an encrypted database that can be accessed with one master password. This allows you to use strong, unique passwords for each account without the hassle of remembering them all. While studies show that 65% of Americans don’t trust password managers for fear of hackers gaining access, credible password managers like 1password and Bitwarden are known for their strong encryption and security management practices.
4) Update Your Passwords Regularly
It’s known that less than one third of internet users update their passwords annually. Even if you have strong passwords, it's recommended that you update them regularly—especially for accounts that contain sensitive information like your corporate passwords or banking credentials. Aim to update your passwords every 3-6 months as a best practice.
5) Be Careful When Sharing Passwords
To put it plainly, it’s never a good idea to share your passwords with anyone—even friends or family members, and especially colleagues. If you need to share an account with someone, create a separate login for them instead of giving them your password.
Furthermore, always be wary of phishing scams that may ask for a password. Legitimate companies, customer service departments, and even your corporate IT team will never ask you to share your password via email or phone. When in doubt, deny.
6) Use Security Questions Wisely
Many websites use security questions to help you recover your account if you forget your password. However, these questions often ask for personal information that is easily accessible online, such as your mother's maiden name or the name of your high school. Instead, create your own security questions and use fake or intimate answers that only you can know.
Looking for more IT security tips for your team?
Head to our blog for regular IT security updates that you can share with your team to educate and inform. Here, we cover topics from phishing to tips on avoiding data breaches that you can tune into as part of your regular security hygiene.