Nearly the whole lot about passwords is inconvenient, from creating them to remembering them to utilizing them. And we’ve not even talked about securing them but.
Sadly, malicious hackers are password fanatics. Weak passwords make all of it too straightforward for an attacker to get a foot within the door.
Good password hygiene — creating robust passwords and managing them successfully — is a crucial a part of cyber hygiene and enhancing a corporation’s total cybersecurity posture.
Contemplate the next finest practices to assist elevate the bar on password safety and scale back cyber-risk.
1. Overlook complexity, use lengthy passphrases as a substitute
The widespread thought for years was that lengthy, advanced and difficult-to-remember passwords — corresponding to N#JlwB%”+30~Qjok;4=8)F — have been the perfect ones. Seems, a couple of phrases strung collectively as a passphrase could be even stronger. Passphrases are additionally simpler to recollect, so customers are much less more likely to write them down. Contemplate creating passphrases with a mixture of uppercase letters, lowercase letters and particular characters.
Get recommendation on the way to create a powerful passphrase.
Organizations ought to set parameters for acceptable passwords and use an enterprise password blocklist to forestall workers from utilizing passwords, passphrases and password combos, corresponding to Password1 and 123456, which can be weak and simply guessed.
2. Do not reuse passwords
Whether or not workers are utilizing a password or passphrase, a essential a part of password hygiene is utilizing a novel one for each login account. You learn that appropriately: each single one.
Whereas it is tempting to reuse a favourite password, doing so creates big publicity. In accordance with the “2025 SpyCloud Identification Publicity Report,” 70% of the accounts breached in 2024 used compromised credentials throughout a number of accounts.
If attackers compromise a person’s password on a procuring website, they then have their login credentials for each website the place that password was used. That is particularly problematic when workers reuse passwords throughout private and company accounts.
3. Use a password supervisor
Having a novel password or passphrase for each login means numerous passwords. In accordance with the latest NordVPN analysis, the common worker has 87 business-related passwords, on prime of 168 passwords for private accounts.
Except workers have excellent reminiscences, chances are high they want one thing to assist them keep in mind these advanced passwords and passphrases.
Advise workers to by no means write passwords down on a sticky word or save them in a file on their desktop. As a substitute, present an enterprise-grade password supervisor. These safe functions retailer all distinctive passwords and generate new ones as wanted. Most password managers can sync throughout a number of units, so customers are by no means with out an necessary password after they want it. One other nice function is web site verification. If a person clicks a phishing hyperlink and connects to B0x.com as a substitute of the company occasion of Field, the password supervisor will not autofill their password.
4. Do not share passwords
It ought to go with out saying however bears fixed repeating: By no means share passwords with coworkers, household or pals.
A 2025 Password Supervisor survey discovered that 27% of customers have shared their present work passwords with folks exterior of their firm, and a 2024 CyberArk survey discovered that 30% of workers have shared their passwords with present colleagues.
Sharing passwords exposes customers and organizations to identification theft, knowledge breaches, compliance points, account compromise and knowledge loss.
5. Evaluate cycle frequency
For years, it was really useful that customers change their passwords each 90 days. For some use instances, that is nonetheless a great rule of thumb. For instance, if an organization makes use of single sign-on coupled with MFA, 90 days often is the candy spot. Firms with passwordless authentication would possibly decide annual password and passphrase adjustments are sufficient. In high-sensitivity use instances, 30 and even 15 days could possibly be the precise time-frame.
An important half is to use governance practices and work with the enterprise to find out the perfect password change cycle for the group, as a part of a broader enterprise password coverage.
All this mentioned, if a corporation believes customers’ passwords have been compromised, it ought to require all workers to alter their passwords instantly, no matter cycle frequency.
6. Undertake MFA
Enabling and implementing MFA is crucial. If a corporation requires MFA and an attacker will get an worker’s credentials, the attacker will not have speedy entry to the account.
MFA is so simple as workers receiving a one-time password on their cellular system or auto-filling an OTP from their password supervisor. Most organizations, corresponding to banks, well being methods and repair suppliers, together with Microsoft and Google, supply MFA freed from cost for each private {and professional} accounts.
7. Domesticate safety consciousness
Enterprise safety consciousness coaching can go a good distance towards selling password hygiene. Embody the next password-related finest practices in enterprise trainings:
- By no means hook up with unsecured networks. Unsecured networks, corresponding to public Wi-Fi, may appear helpful, however they’re additionally doubtlessly house to attackers seeking to steal customers’ credentials utilizing man-in-the-middle assaults, packet sniffing and session hijacking.
- Solely go to safe web sites. All the time test the legitimacy of a URL earlier than visiting it. Attackers create faux web sites that mimic actual ones. Test for misspellings, suspicious further phrases and strange characters. Bear in mind, attackers may even spoof HTTPS, which many individuals use to point a safe website. Use a web-based URL checker to validate URL authenticity and allow MFA wherever doable for an additional layer of safety.
- Discover ways to spot phishing assaults. Attackers use phishing and social engineering scams that comprise false password requests to trick customers into inadvertently sharing their passwords. Be taught the way to spot these makes an attempt. Additionally, inform workers that whereas the group has e mail safety controls in place, they don’t stop each phishing e mail from making it to their inboxes. Likewise, pay attention to vishing, smishing and deepfake assaults seeking to compromise credentials.
- Comply with enterprise password restoration procedures. If customers neglect their passwords, inform them to comply with enterprise password restoration insurance policies. This might embrace utilizing OTPs or safety questions. Organizations ought to by no means use safety questions primarily based on easy-to-guess or publicly accessible info, such because the person’s maiden title or kid’s title. All the time make password restoration insurance policies accessible to all workers and guarantee they perceive them.
- Perceive enterprise account lockout insurance policies. Organizations use account lockout insurance policies to forestall authentication-based assaults. Such insurance policies stop customers from making login makes an attempt for sure intervals of time after a set variety of failed tries. All the time make account lockout insurance policies accessible to all workers and guarantee they perceive them.
- Know when to name IT. Final however actually not least, inform workers to inform their supervisor and the IT division if they think their credentials have been compromised.
Sharon Shea is government editor of Informa TechTarget’s SearchSecurity website.
Diana Kelley is a accomplice at SecurityCurve, a consulting, analysis and training firm.
