10 Password Security Best Practices

Password security made simple

Password security is one of the easiest, cheapest, and most effective ways to strengthen cybersecurity, reduce cyber risk, and decrease costs.

Really?

Yes! Let’s talk about why.

Why password security is important

All cybersecurity measures are important, but password security is arguably the most crucial thing never to get wrong. Why? Because it’s so easy always to get right, and when done well, it’s an incredibly effective cyber defense.

A password is like the key to your home. Would you ever give it to a burglar? Of course not. But would you accidentally give it to them? If you leave a spare key under your outside doormat — and check to ensure it’s still there every time you enter or exit your home, increasing the chance that someone with nefarious intentions can identify and access this spare key — maybe you would!

The digital equivalent to this scenario is the easily guessable password. You know, a password like “password.” Long ago, in the early days of the internet, “password” was a reasonably acceptable — err… just kidding!

A password is the first defense against someone taking the valuables you store online. If you lose those valuables, it will cost you a lot more to get them back if you ever do. Can you imagine if someone took your money, data, and private information, just because you used a weak password? Don’t let it happen!

Here are 10 best practices for creating a secure password. We’ll start with the basics and get more advanced as we go down the list.

1. Avoid common and personal words

So, if “password” isn’t a good password, what about “password1”? LOL. Negative, Ghost Rider. What about your first name, last name, or middle name? Your parent’s name or cat’s name? No, no, no, no. Those are precisely the types of passwords that bad actors will try to guess (or, more likely, use an automated password-cracking tool to determine). They might seem personal and hidden, but they are easy to find online.

POP Quiz! (True or False)

Should you use your last name combined with your birthdate for your password?

False! Avoid everything personal to you.

You might think your birthdate is hidden, but due to a large number of data breaches, it might not be.

2. Use phrases and sentences

A good password is hard to guess but easy to remember. Try creating ones with sentences and phrases that mean something to you, otherwise known as a “passphrase.” Let’s do this together. Pretend you need login credentials for the website “DC.com.” What’s your favorite line from your favorite film? If it’s, “No, Luke. I am your father!” then a solid passphrase would be “nolukeIamyourfather.” It’s a good start, but it’s still a bit too common. Let’s add to it a tad.

3. Make it complex 

Mix in numbers, special characters, and uppercase and lowercase letters in your passphrase — at minimum, use three of these elements. In our example, we’ll capitalize the first letter of every new word, except for the letter “I,” which we’ll replace with the number “1.” And, for good measure, we’ll randomly choose a word to put fully in uppercase. Then, at the end of the passphrase, we’ll add the special character “@” and the website where the password will be used. The result:

NoLuke1AmYOURFather@DC.com

4. Make it long

A good password is long. But how long? At a minimum, make your password 16 characters. As passwords increase in length (and complexity), they become harder and harder for password-cracking software to crack. BTW, did you count the characters in our masterpiece of a password? 26 characters. BAM! We are good to go.
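To make rules 1 through 4 concrete, here is an added example (not code from the original article) of a small checker that applies those rules to a candidate password: it rejects entries from a common-password list, looks for personal words the user supplies, requires at least three character classes, and requires at least 16 characters. The COMMON_PASSWORDS set and the personal words in the demo are constructed for illustration; a real deployment would check against a large breached-password list instead.

```python
# Added example (not from the original article): applies the article's first
# four rules to a candidate password and reports every rule it breaks.

# Constructed mini list for the demo; use a real breached-password list in practice.
COMMON_PASSWORDS = {
    "password", "password1", "password1234", "123456", "qwerty", "letmein",
}
MIN_LENGTH = 16            # rule 4: at least 16 characters
MIN_CHARACTER_CLASSES = 3  # rule 3: at least three of lower/upper/digit/special


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lowercase")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def personal_words_found(password, personal_words):
    """Rule 1: personal words (names, birth year, pet) that appear inside the
    password, compared case-insensitively. Words under 3 chars are ignored."""
    lowered = password.lower()
    return [w for w in personal_words if len(w) >= 3 and w.lower() in lowered]


def check_password(password, personal_words=()):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    found = personal_words_found(password, personal_words)
    if found:
        problems.append("contains personal words: " + ", ".join(found))
    classes = character_classes(password)
    if len(classes) < MIN_CHARACTER_CLASSES:
        problems.append(
            f"uses only {len(classes)} character class(es); need at least "
            f"{MIN_CHARACTER_CLASSES}"
        )
    if len(password) < MIN_LENGTH:
        problems.append(
            f"is {len(password)} characters long; need at least {MIN_LENGTH}"
        )
    return problems


if __name__ == "__main__":
    # Constructed personal words for a hypothetical user
    personal = ["Anaya", "Whiskers", "1985"]
    for candidate in ["password1", "Anaya1985", "nolukeIamyourfather",
                      "NoLuke1AmYOURFather@DC.com"]:
        result = check_password(candidate, personal)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Running it shows the progression the article walks through: the plain passphrase from step 2 is long enough but has only two character classes, and only the final version passes every rule.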

5. Protect your passwords

This may sound obvious, but you should never tell anyone your passwords, even if it seems urgent, convenient, or necessary, like if you want a colleague to log into your work computer to find something. Why so strict? Because when you’re online, you don’t know who is asking for it. Let’s say you get an email from your “IT department” asking for your password. That may sound reasonable. IT runs the computers. Of course, they might need your password. But did you know it’s standard practice for IT departments never to ask for your password? So that message probably isn’t from IT. It’s probably a phishing email from a bad actor trying to trick you into disclosing your info. As a matter of habit, never tell anyone your password. Well, if your best friend comes over and asks for your WiFi password — that’s kewl, but speaking of WiFi…

6. Beware of public computers and WiFi

Public computers and public WiFi are notoriously insecure environments. It’s fantastic when governments, institutions (like libraries), and businesses (your neighborhood coffee shop) let people get online for free. But because they’re available to everyone, minimal or no authentication is required to log on, which makes them attractive to bad actors who want to capture your internet traffic. So if you’re on one, avoid entering your password for sensitive accounts, such as banking and email. Now, you should be secure using a trusted device (one that is always in your control) on open WiFi while connected through a Virtual Private Network (VPN). Check our Cyber 101 section to learn the definition of a VPN. Bear in mind that if you are ever in doubt about the security of your environment, wait until you’re in a secure, trusted space.


POP Quiz! (Multiple choice)

What if you’re on public WiFi at the airport, and the site you want to access requires you to turn off your VPN, OR you think your VPN is slowing down your connection? Do you:

A. Turn off your VPN.

B. Turn off your VPN, just for a minute or two.

C. Wait until you’re in a secure environment.

D. Borrow someone else’s device to access the site.

The correct answer is C! D could be acceptable if that person allows you to do it and can’t trace any wrongdoing back to you. LOL… ahhh… don’t do that.

7. Log out of shared computers

This one is a no-brainer, but sometimes only in retrospect. Have you ever gotten home from a school, library, or friend’s house, only to realize that you forgot to log out of the computer? If so, any saved passwords (in the Cloud or your browser session) or cached browser data will be available to anyone with access to that shared device! Time to panic? Maybe not.

Here’s how you can log out remotely, assuming you logged into your Google account on the shared device.

But in the future, don’t forget to log out!

8. Don’t reuse passwords

Every one of your accounts should have a unique password. This helps guard against credential stuffing, which is when a bad actor has one of your online account’s credentials (username + password) and reuses them in an automated attack against an array of other accounts. Since the bad actor doesn’t know which accounts you have, the attack will span many websites. Imagine you had the epic masterpiece of a password we created above (along with your user name) compromised by a bad actor, AND you used that password everywhere, including for your bank. Now, that bad actor might be able to access your bank account. At this point, let’s just hope you have MFA turned on! MFA?! What’s that? Glad you asked!
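Credential stuffing also has a recognizable footprint on the receiving end, which is what a website’s security team watches for. The following is an added example (not code from the original article) of that detection logic: it reads constructed login-log lines, and flags any source address that tries many distinct usernames within a short window, reporting which of those logins succeeded so the affected accounts can be reset. The log format, field names, IP addresses, usernames, and the 5-user / 5-minute thresholds are all assumptions made for the demo.

```python
# Added example (not from the original article): spot credential-stuffing
# sources in a constructed login log by counting distinct usernames per IP.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the format and every value are made up for the demo.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.7 user=dave result=SUCCESS
2024-03-01T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2024-03-01T10:01:00Z ip=198.51.100.2 user=alice result=FAIL
2024-03-01T10:01:30Z ip=198.51.100.2 user=alice result=FAIL
2024-03-01T10:02:00Z ip=198.51.100.2 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_distinct_users=5):
    """Return {ip: {"distinct_users": n, "successful_logins": [...]}} for every
    IP that attempts at least min_distinct_users usernames inside one window.
    A single user failing repeatedly from one IP is not flagged: that pattern
    looks like a forgotten password, not stuffing."""
    by_ip = defaultdict(list)
    for ev in parse_log(log_text):
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        in_window = Counter()  # username -> attempts inside the sliding window
        start = 0
        for end, ev in enumerate(evs):
            in_window[ev["user"]] += 1
            # Drop events that fell out of the window.
            while evs[start]["time"] < ev["time"] - window:
                old = evs[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            if distinct >= min_distinct_users and \
                    distinct > flagged.get(ip, {}).get("distinct_users", 0):
                successes = {e["user"] for e in evs[start:end + 1]
                             if e["result"] == "SUCCESS"}
                flagged[ip] = {"distinct_users": distinct,
                               "successful_logins": sorted(successes)}
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} usernames tried; "
              f"successful logins: {info['successful_logins']}")
```

On the sample data, 203.0.113.7 is flagged (six usernames in five seconds, one of them successful), while 198.51.100.2 is not, even though it also produced failures. The successful login from a flagged source is the account whose reused password has been caught, and it is the one to lock and reset first.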

9. Use multi-factor authentication (MFA)

Multi-factor authentication (MFA) is a way to authenticate a user's identity. A website or any portal that gives you access to sensitive information could force users to perform two or more verification actions to confirm their identity before granting account access. That's a mouthful, so let's quickly break it down. When you access an account, let's say your bank account, you must supply the correct username and password (this would be the first verification action). But bad actors can get that info relatively easily. Your bank might also send you a text message with a unique number code (with a finite expiration timeframe) and require you to type it in because the assumption is that you're the only person with access to your phone (this would be the second verification action). That's MFA. NOTE: The second verification action could happen via a phone call or notification from an authentication app.

Bottom line, when a company offers MFA, you are strongly encouraged — and sometimes forced by the company — to use it. It can be the deciding factor between staying safe and suffering a breach. As the Cybersecurity and Infrastructure Security Agency (CISA) notes: "Users who enable MFA are 99% less likely to get hacked, according to Microsoft." 
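The “unique number code with a finite expiration timeframe” described above is the heart of the second verification action. As an added example (not code from the original article), the following shows how the authentication-app variant works on the server side: a time-based one-time password (TOTP, RFC 6238) is derived from a shared secret and the current 30-second time step, and the verifier accepts a code only for the current step (plus one step of clock drift), compares it in constant time, and refuses to accept the same code twice. The secret value is the published RFC test secret, used here only so the output can be checked against the standard; the TotpVerifier class and its parameter names are this example’s own.

```python
# Added example (not from the original article): server-side generation and
# verification of time-based one-time codes, as used by authenticator apps.
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic
    truncation to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Accepts a submitted code for the current time step (plus or minus
    drift_steps for clock skew) and never accepts a step twice, so an
    intercepted code cannot be replayed and an old code expires on its own."""

    def __init__(self, secret, step=30, digits=6, drift_steps=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1

    def verify(self, submitted, unix_time):
        current = int(unix_time) // self.step
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= self.last_accepted_counter:
                continue  # this step was already used: reject replay
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), used only for the demo.
    secret = b"12345678901234567890"
    code = totp(secret, 59)          # RFC 6238 vector: "287082" at t=59
    v = TotpVerifier(secret)
    print("fresh code accepted:", v.verify(code, 59))        # True
    print("same code again:", v.verify(code, 59))            # False (replay)
    print("code two minutes later:", v.verify(code, 59 + 120))  # False (expired)
```

The same verifier structure applies to an SMS code: the bank stores the code it sent with an expiry time, compares the submission in constant time, and deletes the stored code after one use. What the text-message variant cannot do is keep the secret off the phone network, which is why an authentication app is the stronger of the two options the article lists.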

10. Use a password manager

There’s an old saying about passwords: The best password is the one you don’t know. Actually, it’s a new saying because the concept of a password manager is pretty recent! Nowadays, most people have dozens of accounts. Ideally, each one has a unique password — see point #8 above! That’s far too many passwords for one person to create and remember. Enter the password manager. They create strong passwords for you, organize them, and save them across your devices. Want to try one out? Here are some free options:

  1. LastPass

  2. Keeper 

  3. Dashlane

Do you want to use our content for your site or training material, or would you like us to write curated white-label content for you? We can help you! Let’s talk.

Conclusion

Password security is a serious business. Even today, at prominent organizations, people still use “password1234” — and risk data, security, and money. Following our best practices will make a difference in your online safety. It is a fundamental and easy way to help ensure you and your employees remain safe while having a high return on investment (your CFO, investors, family, and future self will thank you).

Share this article. We triple-dog-dare you!


Michael F. D. Anaya | Founder

I’m a techie who’s been in cybersecurity for over two decades. My passions are being a top-tier dad, helping others, speaking in public, and making cyber simple. I am also partial to cheesecake and bourbon, but not together… well, come to think of it, it might be a killer combo! TBD.

https://www.mfdanaya.com