Top 7 password hygiene tips and best practices
Passwords enable users to access important accounts and data, making them attractive targets to attackers, too. Follow these password hygiene tips to keep your organization safe.
Just about everything about passwords is inconvenient, from creating them to remembering them to using them. And we haven't even talked about securing them yet.
Unfortunately, malicious hackers are password enthusiasts. Weak passwords make it all too easy for an attacker to get a foot in the door.
Good password hygiene -- creating strong passwords and managing them effectively -- is an important part of cyber hygiene and improving an organization's overall cybersecurity posture.
Consider the following best practices to help raise the bar on password security and reduce cyber-risk.
1. Forget complexity, use long passphrases instead
The common thought for years was that long, complex and difficult-to-remember passwords -- such as N#JlwB%"+30~Qjok;4=8)F -- were the best ones. Turns out, a few words strung together as a passphrase can be even stronger. Passphrases are also easier to remember, so users are less likely to write them down. Consider creating passphrases with a mix of uppercase letters, lowercase letters and special characters.
Organizations should set parameters for acceptable passwords and use an enterprise password blocklist to prevent employees from using passwords, passphrases and password combinations, such as Password1 and 123456, that are weak and easily guessed.
Testing password and passphrase strength
Security.org's "How strong is my password?" says a computer can crack the password N#JlwB%"+30~Qjok;4=8)F in about 32 septillion years -- that's 32,000,000,000,000,000,000,000,000 years. On the other hand, a computer can crack the passphrase CatClimbsTreeEats1000Mice? in 33 nonillion years -- that's 33,000,000,000,000,000,000,000,000,000,000 years.
Which do you think is easier to remember?
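As an added example (not code from the article), here is a small Python policy check that implements the two ideas above: an enterprise blocklist that also catches predictable variants such as Password1 or P@ssw0rd, and a naive keyspace estimate showing why the longer passphrase outranks the shorter complex password. The blocklist contents, the MIN_LENGTH threshold and the LEET substitution table are constructed assumptions, and the bit estimate is a plain brute-force bound, not Security.org's method.

```python
import math
import re

# Constructed sample blocklist; a real enterprise list would hold millions of
# breached and commonly guessed passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}

# Hypothetical policy threshold: the article favours length over complexity.
MIN_LENGTH = 16

# Substitutions attackers try first, so 'P@ssw0rd' is still treated as 'password'.
LEET = str.maketrans("@$0134!", "asoleai")


def is_blocklisted(candidate: str) -> bool:
    """Match the candidate and its predictable variants against the blocklist."""
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)   # Password1 -> password
    leeted = stripped.translate(LEET)             # p@ssw0rd  -> password
    return any(form in BLOCKLIST for form in (lowered, stripped, leeted))


def charset_size(candidate: str) -> int:
    """Size of the alphabet a brute-force attacker must assume for this string."""
    size = 0
    if re.search(r"[a-z]", candidate):
        size += 26
    if re.search(r"[A-Z]", candidate):
        size += 26
    if re.search(r"[0-9]", candidate):
        size += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        size += 33  # printable ASCII punctuation and symbols
    return size


def keyspace_bits(candidate: str) -> float:
    """log2 of the naive brute-force keyspace; length dominates. Upper bound only:
    a dictionary-word passphrase is weaker against a word-list attack than this suggests."""
    return len(candidate) * math.log2(charset_size(candidate)) if candidate else 0.0


def evaluate(candidate: str) -> tuple[bool, str]:
    """Apply the policy: blocklist first, then minimum length."""
    if is_blocklisted(candidate):
        return False, "blocklisted"
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd!", 'N#JlwB%"+30~Qjok;4=8)F', "CatClimbsTreeEats1000Mice?"]:
        print(f"{pw!r}: {evaluate(pw)}, ~{keyspace_bits(pw):.0f} bits")
```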
2. Don't reuse passwords
Whether employees are using a password or passphrase, a critical part of password hygiene is using a unique one for every login account. You read that correctly: every single one.
While it's tempting to reuse a favorite password, doing so creates huge exposure. According to the "2025 SpyCloud Identity Exposure Report," 70% of the accounts breached in 2024 used compromised credentials across multiple accounts.
If attackers compromise a user's password on a shopping site, they then have their login credentials for every site where that password was used. This is especially problematic when employees reuse passwords across personal and corporate accounts.
3. Use a password manager
Having a unique password or passphrase for every login means a lot of passwords. According to the most recent NordVPN research, the average employee has 87 business-related passwords, on top of 168 passwords for personal accounts.
Unless employees have perfect memories, chances are they need something to help them remember those complex passwords and passphrases.
Advise employees to never write passwords down on a sticky note or save them in a file on their desktop. Instead, provide an enterprise-grade password manager. These secure applications store all unique passwords and generate new ones as needed. Most password managers can sync across several devices, so users are never without an important password when they need it. Another great feature is website verification. If a user clicks a phishing link and connects to B0x.com instead of the corporate instance of Box, the password manager won't autofill their password.
4. Don't share passwords
It should go without saying but bears constant repeating: Never share passwords with coworkers, family or friends.
A 2025 Password Manager survey found that 27% of users have shared their current work passwords with people outside of their company, and a 2024 CyberArk survey found that 30% of employees have shared their passwords with current colleagues.
Sharing passwords exposes users and organizations to identity theft, data breaches, compliance issues, account compromise and data loss.
5. Review cycle frequency
For years, it was recommended that users change their passwords every 90 days. For some use cases, that's still a good rule of thumb. For example, if a company uses single sign-on coupled with MFA, 90 days may be the sweet spot. Companies with passwordless authentication might determine annual password and passphrase changes are enough. In high-sensitivity use cases, 30 or even 15 days could be the right time frame.
The most important part is to apply governance practices and work with the business to determine the best password change cycle for the organization, as part of a broader enterprise password policy.
All this said, if an organization believes users' passwords have been compromised, it should require all employees to change their passwords immediately, regardless of cycle frequency.
Where does passwordless fit in?
Despite the hype around passwordless authentication and its promise to improve UX and boost security, passwords remain an integral component of identity and access management -- and they aren't going away anytime soon.
That's because the word passwordless doesn't mean what you might think. The -less is similar to the usage in serverless PaaS -- which does, in fact, have servers -- and unlike the phrase meatless lasagna, which you'd assume is vegetarian.
By using alternative authentication factors, such as biometric authentication -- for example, facial ID and fingerprints -- and other attributes, including device fingerprint and geolocation, companies that adopt a passwordless approach can reduce the number of passwords a user enters on a given day to zero. Mobile device users also benefit from the passwordless approach: press a finger on the reader to unlock the device.
In all these instances, however, there is still a password, phrase or code available as a fallback in case the biometric or attribute-based authentication measure fails. Any attacker with those credentials can still access your device or banking app, no fingerprint required. So, even with so-called passwordless authentication, password hygiene is still important.
6. Adopt MFA
Enabling and enforcing MFA is essential. If an organization requires MFA and an attacker gets an employee's credentials, the attacker won't have immediate access to the account.
MFA is as simple as employees receiving a one-time password on their mobile device or auto-filling an OTP from their password manager. Most organizations, such as banks, health systems and service providers, including Microsoft and Google, offer MFA free of charge for both personal and professional accounts.
7. Cultivate security awareness
Enterprise security awareness training can go a long way toward promoting password hygiene. Include the following password-related best practices in enterprise trainings:
- Never connect to unsecured networks. Unsecured networks, such as public Wi-Fi, might seem useful, but they are also potentially home to attackers looking to steal users' credentials using man-in-the-middle attacks, packet sniffing and session hijacking.
- Only visit secure websites. Always check the legitimacy of a URL before visiting it. Attackers create fake websites that mimic real ones. Check for misspellings, suspicious extra words and unusual characters. Remember, a phishing site can present a valid HTTPS certificate, so the padlock many people rely on as a sign of a secure site only means the connection is encrypted, not that the site is legitimate. Use an online URL checker to validate URL authenticity and enable MFA wherever possible for an extra layer of security.
- Learn how to spot phishing attacks. Attackers use phishing and social engineering scams that contain false password requests to trick users into inadvertently sharing their passwords. Learn how to spot these attempts. Also, inform employees that while the organization has email security controls in place, they do not prevent every phishing email from making it to their inboxes. Likewise, be aware of vishing, smishing and deepfake attacks looking to compromise credentials.
- Follow enterprise password recovery procedures. If users forget their passwords, tell them to follow enterprise password recovery policies. This could include using OTPs or security questions. Organizations should never use security questions based on easy-to-guess or publicly available information, such as the user's maiden name or child's name. Always make password recovery policies accessible to all employees and ensure they understand them.
- Understand enterprise account lockout policies. Organizations use account lockout policies to prevent authentication-based attacks. Such policies prevent users from making login attempts for certain periods of time after a set number of failed tries. Always make account lockout policies accessible to all employees and ensure they understand them.
- Know when to call IT. Last but certainly not least, inform employees to notify their manager and the IT department if they suspect their credentials have been compromised.
Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.
Diana Kelley is a partner at SecurityCurve, a consulting, research and education company.