This year’s World Password Day is on May 4, so it has serious competition from a more established global brand. May the Fourth Be With You! In some ways, this is an appropriate analogy for how some executives view password security, that it’s less important than activities more directly aligned with business outcomes. In keeping with the May 4th theme, don’t be seduced by the dark side. World Password Day aims to raise awareness about the importance of password management and security, especially for leaders and executives with access to sensitive and valuable information. Passwords are one of the most common entry points for cyberattacks. Weak or reused passwords put your organization at risk of data breaches, ransomware, identity theft, and other cybercrimes.
Hackers don’t break in – they sign in. — Microsoft
In fact, according to Microsoft’s Digital Defense Report 2022, there are 921 password attacks every second, a 74 percent increase over the previous year. That’s why you must take password security seriously and adopt best practices to protect your accounts and business. Before we get to best practices, here are some benefits of developing robust password policies. You will:
- Prevent unauthorized access to your sensitive data and systems, such as financial records, customer information, intellectual property, and trade secrets.
- Reduce the chances of falling victim to phishing, ransomware, identity theft, fraud, and other cybercrimes.
- Improve compliance with regulations and standards that require strong authentication and protection of data, such as GDPR, HIPAA, PCI DSS, and the NIST SP 800-63B digital identity guidelines.
- Improve your reputation and trust among your customers, partners, investors, regulators, and other stakeholders who expect you to safeguard their data and interests.
- Foster a culture of security awareness and responsibility among your employees, who can be the weakest link in your security chain (but are also your first defense).
Now that we have identified some of the benefits of password security, how do you do it?
1. Use strong, unique passwords
There are differing views about what constitutes a “strong password.” Some argue it should be at least 16 characters long, include a mix of upper- and lower-case letters, numbers, and symbols, and avoid common words or phrases. Length matters more than forced complexity: current NIST guidance (SP 800-63B) favours long passphrases over composition rules, and America’s Cybersecurity and Infrastructure Security Agency (CISA) has this to say about what makes a good password:
According to NIST, you should consider using the longest password or passphrase permissible. For example, you can use a passphrase such as a news headline or even the title of the last book you read. Then add in some punctuation and capitalization.
Taking CISA’s advice on board, your passphrase can be a combination of words that are easy for you to remember, for example, Sup3rSuddsy@CarWash!Yay. Don’t use that one, though: any example printed in a public article ends up in attackers’ wordlists, so treat every published passphrase as already burned.
2. Different passwords for accounts
Use a different password for each of your accounts. Doing this reduces the risk of one account breach cascading into all your accounts through credential stuffing, where attackers replay leaked username and password pairs against other services. Pay close attention to accounts that contain personal information, like banking, financial services, and social media, and above all to your primary email account, which can reset the passwords of most of the others. Ultimately, what matters more than whether you use 100-character randomly generated passwords or amusing passphrases, is that:
- Your organization has a password policy in place
- All team members are aware of it
- All team members adhere to what IT leadership considers best practice for the business.
3. Use a password manager
So how exactly is the average person supposed to remember dozens of passphrases? Naturally, there’s a solution for that. You can use a password manager to store and generate passwords. A password manager is software that keeps your passwords in an encrypted vault, unlocked by one strong master passphrase (and ideally MFA), and autofills them when you log into your accounts. It also generates long, random passwords that are infeasible to guess or crack, and because it fills credentials only on the matching domain, it helps you notice look-alike phishing sites. I have used a password manager for many years and have thousands of very long, random passwords. I remember none of them, nor do I intend to. It slows down work a little during logins, but nowhere near as much as the cost of a breach caused by lax password management.
4. Use multifactor authentication (MFA)
MFA verifies your identity by requiring more than one piece of evidence, such as a password plus a code from an authenticator app or sent to your phone or email, or a biometric factor like your fingerprint or face. MFA adds extra security to your accounts and prevents unauthorized access even if your password is compromised. Not all factors are equal: codes sent by SMS or email are the weakest option and one-time codes of any kind can be phished in real time, so prefer an authenticator app and, where the service supports them, phishing-resistant FIDO2 security keys or passkeys. If there’s one takeaway from this post, please enable MFA on your accounts. (Another post will discuss passwordless systems, biometrics, MFA, tokens, and passkeys.)
5. Be selfish, don’t share
Never share your passwords with anyone, not even colleagues or family: a shared credential cannot be attributed to one person, which undermines accountability as well as your privacy and security. On changing passwords*: change one immediately whenever there is evidence it may have been exposed, such as a breach notification, a phishing link you clicked, or a departing team member who knew a shared secret. * What a “regular cadence” looks like is open to debate. Some argue every few months, but NIST SP 800-63B advises against forcing periodic changes, because people respond with predictable variations (Spring2023! becomes Summer2023!) that attackers guess easily. Long, unique passwords plus MFA, rotated on evidence of compromise rather than on the calendar, is the better trade-off for most organizations; make your own determination about the timing.
6. Education is key
Password security is not only a technical issue but also a human one. You must know the common threats and scams that target passwords, such as phishing emails, fake login pages, keyloggers, and social engineering. You must also train your team members to create and manage passwords securely and to report suspicious activity or incidents, without fear of blame, so that a compromised credential is rotated before it is abused. Password security is central to a robust security posture. It can protect your organization from cyberattacks and their consequences. On this World Password Day, we urge everyone to act and improve their password habits. If you need more guidance or assistance on password security, we have written about this topic many times on this blog.