How to create a company password policy, with template Allowlisting vs. blocklisting: Benefits and challenges

Top 6 password hygiene tips and best practices

Passwords enable users to access important accounts and data, making them attractive targets to attackers, too. Follow these password hygiene tips to keep your organization safe.

Just about everything about passwords is inconvenient, from creating them to remembering them to using them. And we haven't even talked about securing them yet.

Unfortunately, malicious hackers are password enthusiasts. Weak passwords make it all too easy for an attacker to get a foot in the door. Good password hygiene means creating strong passwords and managing them effectively. It is an important part of cyber hygiene and improves an organization's overall cybersecurity posture.

Consider the following tips to help raise the bar on password security and reduce cyber-risk.

1. Try passphrases

The common thought for years was that long, complex and difficult-to-remember passwords -- such as N#JlwB%"+30~Qjok;4=8)F12$R! -- were the best ones. Turns out, a few words strung together as a passphrase can be even stronger. These phrases are also easier to remember, so users are less likely to write them down. Consider creating passphrases with a mix of uppercase letters, lowercase letters and special characters.

2. Steer clear of password reuse

Whether you're using a password or passphrase, a critical part of password hygiene is using a unique one for every login account. You read that correctly: every single one. While it's tempting to reuse a favorite password, it's a huge exposure. If attackers compromise your password on a shopping site, they then have your login credentials for every site where that password was used. This is especially problematic when employees reuse passwords across personal and corporate accounts.

Graphic of password hygiene tips and best practices

3. Employ password managers

Having a unique password or passphrase for every login means a lot of passwords. Unless you have a perfect memory, chances are you need something to help you remember those complex passwords and passphrases.

But don't think of writing them down on a sticky note or saving them in a file on your desktop. Instead, a password manager can help. These secure applications store all unique passwords and generate new ones as needed. Most password managers can sync across several devices, so users are never without an important password when they need it. Another great feature is website verification. If you click a phishing link and connect to URB4nk instead of your real bank, the password manager won't autofill your password.

4. Review cycle frequency

For years, it was recommended users change their passwords every 90 days. And, for some use cases, that's still a good rule of thumb. If you're using single sign-on coupled with multifactor authentication (MFA) at your company, 90 days may be the sweet spot.

Companies with passwordless authentication may determine annual password and passphrase changes are enough. In high-sensitivity use cases, 30 or even 15 days could be the right time frame.

The most important part is to apply governance practices and work with the business to determine the best password change cycle for the organization, as part of a broader enterprise password policy.

Where does passwordless fit in?

Despite the hype around passwordless authentication and its promise to improve UX and boost security, passwords remain an integral component of identity and access management -- and they aren't going away anytime soon.

That's because the word passwordless doesn't mean what you may think. The -less is similar to the usage in serverless PaaS -- which does, in fact, have servers -- and unlike the phrase meatless lasagna, which you'd assume is vegetarian.

By using alternative authentication factors, such as biometric authentication -- for example, facial ID and fingerprints -- and other attributes, including device fingerprint and geolocation, companies that adopt a passwordless approach can reduce the number of passwords a user enters on a given day to zero. Mobile device users also benefit from the passwordless approach: press a finger on the reader to unlock the device.

In all these instances, however, there is still a password, phrase or code available as a fallback in case the biometric or attribute-based authentication measure fails. Any attacker with those credentials can still access your device or banking app, no fingerprint required. So, even with so-called passwordless authentication, password hygiene is still important.

5. Use MFA everywhere possible

Another crucial password hygiene tip is enabling and enforcing two-factor authentication or MFA. If an organization requires MFA and an attacker gets an employee's credentials, the attacker won't have immediate access to the account. Modern MFA is as simple as receiving a one-time passcode on your mobile device or auto filling an OTP from your password manager. Most organizations, such as banks, health systems and service providers, including Microsoft and Google, offer MFA free of charge.

6. Cultivate security awareness

General security awareness training can go a long way toward promoting password hygiene. For example, teach every employee to consider the following before logging in to an enterprise account:

  • The security of the network connection.
  • Whether a contact or application has asked for login credentials via email or after the user clicked on a link embedded in an email -- both red flags, even if the messages don't seem like obvious phishing attacks.
  • Whether the website's URL starts with HTTPS, as expected, indicating a secure connection.

Next Steps

Best practices to conduct a user access review

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing