
Maintaining Good Password Hygiene: Best Practices and Tips

LastPass, August 06, 2024

Why Is Password Hygiene Important? 

The risks of weak passwords 

If a password is a first line of defense in security, a weak password hygiene strategy is a costly surrender. 

In the same way a gate with an easy-to-break lock allows easy entry to people with malicious intent, a system with an easy-to-crack password allows attackers to have a field day at your organization's expense, and no one is immune. 

How important is using unique passwords? Consider these statistics:  

According to a 2024 GoodFirms report on top password strengths and vulnerabilities: 30% of users have experienced a security breach due to weak passwords. 52.9% of Americans share their passwords with co-workers, friends, or family members, and 45.7% of users re-use their passwords in multiple locations.  

Risks might include potential data breaches, extortion using threats to expose personal relationships, photos, or text messages, and the potential of tremendous financial loss, among other frightening things that people seem to easily forget when happily creating accounts with the same password everywhere. In cybersecurity, the question is never whether an attack will occur but when, and the stakes are high if you discover too late that you weren't prepared.

The 2023 Verizon Data Breach Investigations Report found that the human element is still the #1 threat vector, demonstrating the need for more and better cybersecurity training. Good cybersecurity habits begin with strong passwords and consistently enforced password hygiene.

This is cybersecurity 101.  

How attackers target passwords 

There are two main types of password-related attacks: brute force attacks and credential stuffing. Both are a major concern.

In a brute force attack, a malicious threat actor tries combinations of letters, numbers, and characters until one unlocks the credentials. Some attempts draw on passwords that appear frequently in user behavior, or combine them with letters, numbers, or symbols tied to a user's life or work. Others are methodical, trying a number of different combinations one after the other in sequential order. This method works but can take a very long time, and its effectiveness decreases as the complexity of a password increases. Since passwords are a fundamental aspect of data security, hackers have become very creative over the years, and many tools and methods have been developed for just this purpose.

Another common way hackers target passwords is through credential stuffing.  

This is a similar but distinct type of attack, in which leaked data, in this case credentials exposed in one attack, is used to attempt logins at an unrelated service in a separate attack. Hackers know that people often use the same passwords in multiple places, so if a company breach turns up a note on an employee's desktop listing passwords or login credentials, they may try those same passwords at places the employee is likely to access, such as a bank or financial institution. If a threat actor can crack one password, perhaps the same password is used elsewhere. This is the essence of credential stuffing: using leaked passwords against other services where they may also work. Insurance companies and real estate offices access mortgage companies. Store owners and employees access banks. Government services access other government services. All of these are at risk with poor password hygiene.

Additionally, hackers use social engineering strategies and phishing attempts to target passwords. While it's harder to ensure that every member of an organization remains highly trained to avoid social engineering and phishing attempts, the use of a great password manager and the practice of good password hygiene can significantly reduce the risk.  

The consequences of poor password hygiene 

The consequences of poor password hygiene are wide-ranging. A misused password can incur financial loss, give unauthorized people access to private data and information, and even damage personal reputation. Hackers with access to private data will use it by whatever means necessary to accomplish their own, nefarious, goals.

Creating Strong and Unique Passwords 

The importance of complex passwords 

An important first step is the use of complex passwords. As most people know by now, a complex password uses both uppercase and lowercase letters, special characters, and numbers. When creating a password, it is equally important not to use words or phrases that can be traced back to the user, and to avoid important or relevant dates. The safest passwords are meaningless strings of letters, numbers, and special characters, with both uppercase and lowercase letters represented.

Using passphrases for added security 

A passphrase serves the same function as a password while adding a further layer of security. Passphrases are easier for users to remember, yet harder for malicious actors to crack. Think of a phrase that makes little or no sense in context but that, when strung together, forms a nonsensical or out-of-the-box thought that is easier to remember using mnemonics or other brain hacks.

By way of an example, consider the passphrase “LiveSleepSendLove.” It would certainly offer more protection than the password “LiveLove.” 

Then consider replacing some of the letters with numbers or special characters, as in "L1v3Sl33pS3ndL@v3." This passphrase adds security while remaining easy enough to remember: just replace the "i" with 1, the "e" with 3, and the "o" with @.

Passphrases can be as simple or complex as people decide to make them. 

When creating your own, try to find phrases you can easily associate meaning with but that aren't personal, so that they are simple to remember. Use the same replacement strategies (different from those others might use) for each passphrase you create. If you know people often use 3 to represent e, try using # or > instead.

Avoiding common password mistakes 

The most common password mistakes are easy to make. People tend to string numbers together in sequential order (123456), use obvious words like "password," or use dates of personal importance (like birthdays or anniversaries).

They may also use words or names that carry personal significance and are easy to guess in a world where personal information is so easily accessible through a quick Google or social media search. Don't use "butterfly12" for your Wi-Fi password if you live at 12 Butterfly Lane.  

Avoiding Password Reuse 

The dangers of password reuse 

Reusing passwords across multiple sites is like handing hackers a ready-made credential-stuffing attack. Many people form social habits around technology use; for example, team members in the same company may all use the same fitness app. Others frequently use the same software across national or even international lines.

Reusing passwords or passphrases makes it easy for a threat actor to jump from one form of access to another, gaining unauthorized access to more than one service after a single breach. How important is using unique passwords? Very.

Using a unique password is the core foundation of any good security posture. 
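The mistakes listed above (sequential digits, dictionary words, dates, personal details) and the reuse problem described in this section are exactly what a vault audit should catch. The following is an added example, not LastPass code and not from the original post: a small auditor over a constructed sample vault that flags each of those patterns, reports any password shared between sites, and gives the rough brute-force search space (in bits) that the earlier section on brute force attacks refers to. The sample vault, the personal-information tokens, the 12-character minimum and the 32-symbol pool size are all assumptions chosen for the demonstration.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample vault (site -> (username, password)); none of these are real credentials.
SAMPLE_VAULT = {
    "bank.example":    ("jdoe", "butterfly12"),
    "mail.example":    ("jdoe", "butterfly12"),        # same password as bank.example
    "fitness.example": ("jdoe", "LiveLove"),
    "forum.example":   ("jdoe", "Password123456"),
    "anniv.example":   ("jdoe", "Wedding06151998"),
    "shop.example":    ("jdoe", "L1v3Sl33pS3ndL@v3"),
}

# Constructed tokens an attacker could learn from a quick search: street name, house number, username.
SAMPLE_PERSONAL = {"butterfly", "12", "jdoe"}

COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12  # assumed policy value, not from the post


def has_sequential_digits(pw: str, run: int = 4) -> bool:
    """True if any digit run contains `run` consecutive ascending or descending digits (1234, 6543)."""
    for digits in re.findall(r"\d+", pw):
        for i in range(len(digits) - run + 1):
            steps = {int(digits[j + 1]) - int(digits[j]) for j in range(i, i + run - 1)}
            if steps == {1} or steps == {-1}:
                return True
    return False


def looks_like_date(pw: str) -> bool:
    """True if a 6- or 8-digit run parses as a calendar date between 1900 and 2100."""
    for match in re.finditer(r"\d{8}|\d{6}", pw):
        digits = match.group()
        formats = ("%d%m%Y", "%m%d%Y", "%Y%m%d") if len(digits) == 8 else ("%d%m%y", "%m%d%y", "%y%m%d")
        for fmt in formats:
            try:
                parsed = datetime.strptime(digits, fmt)
            except ValueError:
                continue
            if 1900 <= parsed.year <= 2100:
                return True
    return False


def contains_personal_token(pw: str, personal) -> bool:
    """Case-insensitive substring match for words; whole-number match for numeric tokens."""
    lower = pw.lower()
    for token in personal:
        token = token.lower()
        if token.isdigit():
            if re.search(rf"(?<!\d){re.escape(token)}(?!\d)", lower):
                return True
        elif len(token) >= 3 and token in lower:
            return True
    return False


def estimated_bits(pw: str) -> float:
    """Rough brute-force search space: length x log2(size of the character pool actually used)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 32  # assumed size of the printable-symbol pool
    return len(pw) * math.log2(pool) if pool else 0.0


def password_findings(pw: str, personal=frozenset()) -> list:
    """Return the list of hygiene problems found in a single password, in a fixed order."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("short")
    if any(word in pw.lower() for word in COMMON_WORDS):
        findings.append("common-word")
    if has_sequential_digits(pw):
        findings.append("sequential-digits")
    if looks_like_date(pw):
        findings.append("date-like")
    if contains_personal_token(pw, personal):
        findings.append("personal-info")
    return findings


def audit_vault(vault: dict, personal=frozenset()) -> dict:
    """Return {site: [finding, ...]}, adding 'reused' wherever two or more sites share a password."""
    sites_by_password = defaultdict(list)
    for site, (_, pw) in vault.items():
        sites_by_password[pw].append(site)
    report = {}
    for site, (_, pw) in vault.items():
        findings = password_findings(pw, personal)
        if len(sites_by_password[pw]) > 1:
            findings.append("reused")
        report[site] = findings
    return report


if __name__ == "__main__":
    for site, findings in audit_vault(SAMPLE_VAULT, SAMPLE_PERSONAL).items():
        pw = SAMPLE_VAULT[site][1]
        print(f"{site:16} {estimated_bits(pw):6.1f} bits  {', '.join(findings) or 'ok'}")
```

Run as a script, the report shows the two sites sharing "butterfly12" flagged as reused and personal, "Password123456" flagged for the dictionary word and the digit sequence, and the substituted passphrase from the earlier section passing clean with a search space roughly 15 bits larger than its unsubstituted form.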

How password managers can help 

A password manager can help ease many of the frustrations of having to remember complex passwords and passphrases. It can also reduce the frustration of deciding who may access which files and keeping track of those decisions, thus helping to enforce strong password hygiene.

Implementing two-factor authentication 

Implementing 2FA (two-factor authentication) is the second-most important step in establishing a solid security posture, allowing organizations and individuals to manage the login process safely. Two-factor authentication requires two forms of identification to access a service and identify a user. A well-known security method in identity and access management, two-factor authentication has become a powerful ally against unauthorized entry.

Securing Your Passwords With a Password Manager 

Benefits of using a password manager  

A password manager is a simple and effective tool to assist with identity and access management. A password manager stores your information inside an encrypted vault, resolving a number of issues users might encounter.  

Today, most apps and services require a password and prompt us to use complex ones. This is where the problem arises. We've all got a friend (maybe it's you) who uses the old "Click here if you forgot your password" link repeatedly, forever forgetting the safe entry code into their important account.

Password managers eliminate this problem, allowing users the freedom to focus on getting work done.  

Choosing the right password manager 

It’s important to choose the right password manager.  

There are different types, and each has pros and cons. Some store passwords locally on a device, and others remain cloud-based, allowing access to passwords even if the device is lost.  

Some password managers store each unique password and user ID; others use single sign-on (SSO) to store all passwords and grant access to apps and services.

While there are many free managers available, they typically do not offer important security features like MFA (multi-factor authentication) and are less frequently updated.

Tips for managing and organizing passwords  

Managing and organizing passwords is everyone’s job, but password managers facilitate the task.  

Start by maintaining excellent password hygiene. Use complex passwords and make use of passphrases, changing them often and remembering not to re-use them. Don't share them with friends, family, and co-workers. 

When selecting a password manager, ensure it has all of the features of a great identity and access management tool. Look for 2FA and MFA, a random password generator for creating unique passwords, and an encrypted vault that allows only the user to access important files, documents, and passwords. Other useful tools, like an auto form-filling tool or a mobile app PIN unlock and fingerprint login, can be helpful.

Start your LastPass trial today.