Password security is a major concern for companies, and one of the biggest challenges is getting employees to practice better password hygiene. To strengthen security, you need to find practices that your employees will actually follow. To make that easier, consider sharing these five recommendations to help them choose the right level of protection for any given situation: 1) use a disposable password, 2) use a passphrase, 3) use a passphrase that follows a pattern, 4) use a passphrase with two-factor authentication, 5) use password manager software with two-factor authentication.
“Use a strong password” is the “wear sunscreen” of the digital world: Everyone knows it’s good advice, but very few people follow it. Instead, they rely on passwords that are easy to remember, tacking a “!” onto the end of their secret word or putting an “@” in place of the letter “a.” (It’s not for nothing that “[email protected]!” is the most popular password.) None of this, of course, reduces the stakes of a breach for most companies. The uncomfortable truth is that password security remains a common and underestimated problem. And for companies, one of the biggest challenges in strengthening their security is getting employees to practice better password hygiene.
The problem here is that human nature is complex. It’s not just that users don’t want to spend precious mental energy remembering unique and complex passwords for each account. Often, they are trying to avoid the frustration that comes with failing to recall information quickly. Simple and familiar passwords always win out over complex, more secure ones. Unfortunately, the human factor in password security is driven by what’s easy rather than what’s secure. May the password gods forgive us.
We see how this plays out. Despite knowing the risks of weak passwords, which are vulnerable to brute-force attacks, and of reused passwords, people reuse them anyway. According to a 2019 Google poll, over 52% of users admitted to reusing passwords and approximately 13% admitted to using one password for all accounts. At the same time, 68% of password users admit that they reuse credentials because they are afraid of forgetting them, and 36% do not consider their accounts valuable enough to require stricter security measures.
So what can companies do? The good news is that it’s not a choice between gold-standard security and nothing at all. Instead, companies must find the approach that works best for their people, one that employees will actually follow. Here are five recommendations that managers and IT departments can share with employees and teams to help them find, and use, the right level of protection in any situation.
Level One: The disposable password
A throwaway password is one used with a throwaway email address. If you have ever created a burner email address to sign up for a free trial, the idea is the same. These single-use accounts are especially useful when you know that you will immediately be subscribed to an endless barrage of unwanted sales emails for the rest of the account’s life (the “unsubscribe” button be damned). A trivial password for a trivial account is protection proportionate to what the account is worth. If (when) these passwords are stolen or these accounts are hacked, no critical information is lost and no critical accounts or passwords are put at risk.
For these accounts, you can use a password as simple as a word, a few digits, and a special character. Example: Frodo123! But do not use this password again with any other account. Reusing a simple password across multiple platforms can be the kiss of death.
Level Two: The passphrase
Four- or five-character passwords, regardless of the combination of numbers, letters, or symbols, are all equally weak. That’s why experts now recommend passwords of at least 12 characters. The problem is that no one likes remembering a set of long, complicated passwords. This is where passphrases come in.
A passphrase is longer than a simple one-word password but is still easy to remember. Most of us need to use passphrases instead of single words to reach the recommended length, but the phrase should not be something as obvious as song lyrics (professional hackers have been onto that trick for years). Using “everybreathyoutake,” “oopsididitagain,” or “igottafeeling” is practically asking to be hacked. Here’s a better example, which might resonate with you Gen Xers: [email protected]$! Although these passphrases are not the gold standard of password management, they are useful for those who do not regularly practice the password hygiene outlined in the higher levels of protection below.
Level Three: A passphrase that follows a pattern
This is a passphrase that can be used across different platforms, varied just enough on each one that the same password is never used twice. For example, if you have several social media accounts, you can pair a color word with a fixed number/character pattern and change only the color per account. For example: Instagram — [email protected]&8pm, Facebook — [email protected]&8pm, LinkedIn — [email protected]&8pm.
A word of warning: I work with organizations that require passwords to be changed every 90 days. In those organizations, I have seen individuals cycle through the four seasons to keep up with the required rotation. Example: “Spring2023!,” “Summer2023!,” “Fall2023!,” “Winter2023!.” Again, a professional hacker can crack this scheme within a minute. Use a combination that is specific to you, and only you (and stop overusing “!”; try “+” or another less common symbol).
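As an added example (not the author’s code), here is a small pre-submission check an IT team could run against candidate passwords to enforce the guidance in Levels Two and Three: the 12-character minimum, the season-plus-year rotation pattern, well-known lyric phrases even after the “@”-for-“a” style substitutions, and reuse across accounts. The lyric denylist and the substitution map are constructed assumptions for illustration.

```python
import re

# Minimum length recommended in Level Two.
MIN_LENGTH = 12

# Constructed denylist of lyric-style passphrases the article calls out;
# a real deployment would load a much larger breached-password list.
KNOWN_PHRASES = {"everybreathyoutake", "oopsididitagain", "igottafeeling"}

# Season + year + optional trailing symbols, e.g. "Spring2023!" or "Winter2023+".
SEASON_RE = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[^\w]*$", re.IGNORECASE)

# Assumed symbol-for-letter swaps; cracking wordlists already undo these,
# so "0opsIdidItAg@in" must be judged as the phrase it spells.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalize(pw: str) -> str:
    """Undo common substitutions and keep only letters for denylist comparison."""
    return re.sub(r"[^a-z]", "", pw.translate(LEET).lower())


def check_password(candidate: str, already_used: frozenset = frozenset()) -> list:
    """Return the reasons a candidate violates the guidance; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if SEASON_RE.match(candidate):
        problems.append("season-plus-year rotation pattern")
    if normalize(candidate) in KNOWN_PHRASES:
        problems.append("well-known lyric or phrase")
    if candidate in already_used:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    # Constructed samples: the first three should be rejected, the last accepted.
    used_elsewhere = frozenset({"Frodo123!"})
    for sample in ["Spring2023!", "0opsIdidItAg@in!", "Frodo123!", "TealMug+Rains7Oct"]:
        print(sample, "->", check_password(sample, used_elsewhere) or "ok")
```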
Level Four: A passphrase with two-factor authentication
Two-factor authentication is recommended for more sensitive logins, such as banking, work email, and file sharing. It can rely on a confirmation text, an email, a biometric, or a token, whether that is a physical fob or an authenticator app like Google Authenticator. By combining two-factor authentication with a complex passphrase, you greatly reduce your chances of being hacked. While not perfect, two-factor authentication gives the user something any security professional will tell you is worth having: It makes you a harder target, which usually means your adversary is more likely to move on to more vulnerable victims.
Level Five: Password manager software with two-factor authentication
Knowing that a complex passphrase combined with two-factor authentication is the best way to secure your login information, the problem of memorizing, recording, and/or sharing that information remains. For this reason, organizations whose employees share login information should have them use password manager software, such as 1Password or Dashlane.
While not infallible, a password manager helps employees who may be practicing poor cyber hygiene avoid leaking data by accident. It also allows for the immediate lockout of an employee who has just been terminated, without wasting time on an organization-wide password reset.
Shared accounts carry an inherent risk. Once you share a password with another person, the vulnerabilities increase, and so does the possibility of being hacked. If you share a password, it should be changed at least every 90 days and whenever anyone with access to it leaves your organization. Most large public and private organizations mandate this update frequency. Just make sure to avoid the easily anticipated formats mentioned above (Spring2023!, Summer2023!, Fall2023!, Winter2023!).
• • •
Poor password management has been the main cause of data breaches for more than 10 years. One million passwords are stolen every week. Using stolen login information is the second-most common breach method. Eighty-five percent of data breaches prominently involve a personnel component such as phishing, stolen credentials, or human error. These compromises are often carried out by external actors for financial gain. The 2022 Verizon Data Breach Investigations Report explains that, when targeting businesses and organizations, malicious actors often gain access to networks through weak or stolen passwords; in fact, 82% of the breaches in the basic web application attacks pattern are achieved by stealing credentials such as passwords.
Companies must find the most secure method that employees, to be honest, will actually follow. Keep this in mind when setting password security policies. The best system in the world will do you no good if employees work around it. So while companies need to show employees that being secure and practicing good password hygiene doesn’t have to feel overwhelming, they also need to strike a balance that really works for their people.