
https://www.techtarget.com/searchsecurity/tip/Top-5-password-hygiene-tips-and-best-practices

Top 7 password hygiene tips and best practices

By Sharon Shea

Just about everything about passwords is inconvenient, from creating them to remembering them to using them. And we haven't even talked about securing them yet.

Unfortunately, malicious hackers are password enthusiasts. Weak passwords make it all too easy for an attacker to get a foot in the door.

Good password hygiene -- creating strong passwords and managing them effectively -- is an important part of cyber hygiene and improving an organization's overall cybersecurity posture.

Consider the following best practices to help raise the bar on password security and reduce cyber-risk.

1. Forget complexity, use long passphrases instead

The common thought for years was that long, complex and difficult-to-remember passwords -- such as N#JlwB%"+30~Qjok;4=8)F -- were the best ones. Turns out, a few words strung together as a passphrase can be even stronger. Passphrases are also easier to remember, so users are less likely to write them down. Consider creating passphrases with a mix of uppercase letters, lowercase letters and special characters.


Organizations should set parameters for acceptable passwords and use an enterprise password blocklist to prevent employees from choosing passwords, passphrases and password combinations, such as Password1 and 123456, that are weak and easily guessed. The blocklist should be checked after normalizing the candidate (lowercasing, stripping trailing digits and punctuation, undoing substitutions such as @ for a and 0 for o), since P@ssw0rd2024! is no safer than password, and it should include passwords known to have appeared in breaches, as NIST SP 800-63B recommends.
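As an added illustration of that blocklist check (example code written for this page, not from TechTarget or any vendor), the following Python policy checker normalizes a candidate password the way cracking wordlist rules do before comparing it with the blocklist, and also rejects context words (company or user names) and character sequences. The blocklist, the 15-character minimum and the substitution table are constructed assumptions for the example; a real deployment would load a full list of breached and common passwords.

```python
import re
import unicodedata

# Constructed blocklist for this example. A real deployment would load a
# large list of breached and common passwords, not a handful of entries.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome", "admin"}

# Assumed policy value for this example (the article does not set a length).
MIN_LENGTH = 15

# Common character substitutions users apply to dodge an exact-match check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "!": "i", "|": "l"})


def normalize(candidate):
    """Reduce a candidate to the form an attacker's wordlist rules would produce.

    P@ssw0rd2024! -> password and Welcome_1 -> welcome, so the blocklist
    catches the variants and not only the literal banned strings.
    """
    s = unicodedata.normalize("NFKC", candidate).lower()
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)   # strip leading/trailing digits and punctuation
    s = s.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", s)


def is_sequential(candidate):
    """True for runs like abcdefgh, 12345678, 87654321 or aaaaaaaa."""
    diffs = {ord(b) - ord(a) for a, b in zip(candidate, candidate[1:])}
    return len(diffs) == 1 and diffs.issubset({-1, 0, 1})


def check_password(candidate, context_words=()):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    normalized = normalize(candidate)
    if candidate.lower() in BLOCKLIST or normalized in BLOCKLIST:
        problems.append("matches a blocklisted password after normalization")
    for word in context_words:                  # username, company name, product name
        if word.lower() in normalized:
            problems.append(f"contains context word '{word}'")
    if is_sequential(candidate):
        problems.append("repeated or sequential characters")
    return problems


if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd2024!", "123456", "CatClimbsTreeEats1000Mice?"]:
        print(pw, "->", check_password(pw, context_words=["acme"]) or "accepted")
```

Note that the check is deliberately run on the normalized form as well as the literal one: the literal comparison catches 123456, which normalization would strip to an empty string, while the normalized comparison catches the substitution and suffix tricks.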

Testing password and passphrase strength

Security.org's "How strong is my password?" calculator says a computer would need about 32 septillion years -- that's 32,000,000,000,000,000,000,000,000 years -- to crack the password N#JlwB%"+30~Qjok;4=8)F. It puts the passphrase CatClimbsTreeEats1000Mice? at 33 nonillion years -- that's 33,000,000,000,000,000,000,000,000,000,000 years. One caveat: such calculators assume a brute-force search over every possible character combination, so a passphrase built only from common dictionary words is weaker against wordlist and combinator attacks than its length implies, and no calculator can tell whether the string already sits in a breach dump. Mixing in an uncommon word, digits or punctuation, as in the example above, is what raises the cost of those attacks.

Which do you think is easier to remember?

2. Don't reuse passwords

Whether employees are using a password or passphrase, a critical part of password hygiene is using a unique one for every login account. You read that correctly: every single one.

While it's tempting to reuse a favorite password, doing so creates huge exposure. According to the "2025 SpyCloud Identity Exposure Report," 70% of the accounts breached in 2024 used compromised credentials across multiple accounts.

If attackers compromise a user's password on a shopping site, they have working credentials for every other site where that password was reused, and automated credential-stuffing tools will replay the leaked username and password pair against many other services within hours. This is especially problematic when employees reuse passwords across personal and corporate accounts, because a breach of a consumer site then becomes a corporate intrusion.

3. Use a password manager

Having a unique password or passphrase for every login means a lot of passwords. According to the most recent NordVPN research, the average employee has 87 business-related passwords, on top of 168 passwords for personal accounts.

Unless employees have perfect memories, chances are they need something to help them remember those complex passwords and passphrases.

Advise employees to never write passwords down on a sticky note or save them in a file on their desktop. Instead, provide an enterprise-grade password manager. These secure applications store all unique passwords and generate new ones as needed. Most password managers can sync across several devices, so users are never without an important password when they need it. Another great feature is website verification. If a user clicks a phishing link and connects to B0x.com instead of the corporate instance of Box, the password manager won't autofill their password.
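The autofill behaviour described above comes down to comparing the visited page's origin with the site the credential was saved for. The following Python is an added example for this page, not code from any password manager; it uses a tiny stand-in for the Public Suffix List (an assumption) and shows why B0x.com, a box.com lookalike hosted as a subdomain of an attacker's site, a URL that hides box.com in the userinfo part, a Cyrillic-letter homograph and a plain-HTTP page all fail the check while app.box.com passes.

```python
import ipaddress
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption for this example;
# a real implementation would load the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host):
    """Return the part of a hostname one owner controls, e.g. box.com for app.box.com."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host                                  # IP literal: compare as-is
    except ValueError:
        pass
    # Compare in the ASCII (punycode) form so a Cyrillic 'о' in bоx.com cannot
    # pass for the Latin 'o' in box.com during the comparison.
    host = host.encode("idna").decode("ascii")
    labels = host.split(".")
    for n in (2, 1):                                 # longest matching suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def autofill_allowed(saved_url, visited_url):
    """Decide whether a credential saved for saved_url may be filled on visited_url."""
    saved, visited = urlsplit(saved_url), urlsplit(visited_url)
    if visited.scheme != "https":                    # never hand a password to a plaintext page
        return False
    # .hostname already discards userinfo and port, so https://box.com@evil.example
    # resolves to evil.example rather than box.com.
    if not saved.hostname or not visited.hostname:
        return False
    try:
        return registrable_domain(saved.hostname) == registrable_domain(visited.hostname)
    except UnicodeError:                             # malformed IDN label: refuse to fill
        return False


if __name__ == "__main__":
    saved = "https://app.box.com/login"
    for url in ["https://app.box.com/", "https://b0x.com/login",
                "https://box.com.evil.example/login", "https://box.com@evil.example/",
                "http://app.box.com/login"]:
        print(url, "->", "fill" if autofill_allowed(saved, url) else "refuse")
```

Matching on the registrable domain rather than the exact hostname is the usual trade-off: it lets one credential serve app.box.com and box.com, but it also means a compromised sibling subdomain of a legitimate site would receive the fill, which is why some managers offer an exact-host mode for sensitive entries.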

4. Don't share passwords

It should go without saying but bears constant repeating: Never share passwords with coworkers, family or friends.

A 2025 Password Manager survey found that 27% of users have shared their current work passwords with people outside of their company, and a 2024 CyberArk survey found that 30% of employees have shared their passwords with current colleagues.

Sharing passwords exposes users and organizations to identity theft, data breaches, compliance issues, account compromise and data loss.

5. Review cycle frequency

For years, the standard advice was that users change their passwords every 90 days. Be aware that NIST SP 800-63B now advises against forcing periodic changes unless there is evidence of compromise, because mandatory rotation tends to produce predictable variants of the previous password; even so, many organizations keep a cycle, and for some use cases a fixed one remains a reasonable rule of thumb. For example, if a company uses single sign-on coupled with MFA, 90 days may be the sweet spot. Companies with passwordless authentication might determine annual password and passphrase changes are enough. In high-sensitivity use cases, 30 or even 15 days could be the right time frame.

The most important part is to apply governance practices and work with the business to determine the best password change cycle for the organization, as part of a broader enterprise password policy.

All this said, if an organization believes users' passwords have been compromised, it should require all employees to change their passwords immediately, regardless of cycle frequency.

Where does passwordless fit in?

Despite the hype around passwordless authentication and its promise to improve UX and boost security, passwords remain an integral component of identity and access management -- and they aren't going away anytime soon.

That's because the word passwordless doesn't mean what you might think. The -less is similar to the usage in serverless PaaS -- which does, in fact, have servers -- and unlike the phrase meatless lasagna, which you'd assume is vegetarian.

By using alternative authentication factors, such as biometric authentication -- for example, facial ID and fingerprints -- and other attributes, including device fingerprint and geolocation, companies that adopt a passwordless approach can reduce the number of passwords a user enters on a given day to zero. Mobile device users also benefit from the passwordless approach: press a finger on the reader to unlock the device.

In all these instances, however, there is still a password, phrase or code available as a fallback in case the biometric or attribute-based authentication measure fails. Any attacker with those credentials can still access your device or banking app, no fingerprint required. So, even with so-called passwordless authentication, password hygiene is still important.

6. Adopt MFA

Enabling and enforcing MFA is essential. If an organization requires MFA and an attacker gets an employee's credentials, the attacker won't have immediate access to the account.

MFA can be as simple as employees receiving a one-time password on their mobile device or auto-filling a time-based OTP from their password manager. Not all second factors are equal, however: codes sent by SMS can be intercepted through SIM swapping, and any OTP the user types into a web form can be relayed by a real-time phishing kit, so where possible prefer phishing-resistant factors such as FIDO2 security keys or passkeys. Most service providers, including banks, health systems, Microsoft and Google, offer MFA free of charge for both personal and professional accounts.

7. Cultivate security awareness

Enterprise security awareness training can go a long way toward promoting password hygiene. Include the following password-related best practices in enterprise trainings:

Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.

Diana Kelley is a partner at SecurityCurve, a consulting, research and education company.

22 Oct 2025

All Rights Reserved, Copyright 2000 - 2026, TechTarget