黑料海角91入口

Best Practices for IT Password Security

Written by Sean Blanton on October 10, 2023

Blog Home > Best Practices > Best Practices for IT Password Security

Share This Article

October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) organization is calling on all of us to 鈥淪ecure Our World,鈥 with a simple message that calls everyone to action 鈥渢o adopt ongoing cybersecurity habits and improved online safety behaviors.鈥 This month, the 黑料海角91入口 blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.

It鈥檚 safe to say: IT has a password problem.

Gartner that as much as 50% of help desk calls are just password resets. Meanwhile, insecure passwords are leading to more than ever before. Password protection and management is something that we鈥檙e highly in tune with here at 黑料海角91入口, where security via our cloud directory platform is our bread and butter. And thankfully, there are some amazing tools out there today that can make password management much easier and more secure.

Password management has a few components. The first step is contextualizing the breadth and depth of the problem. Then, it鈥檚 all about implementing password protection best practices to secure your organizational resources without interfering with your employees鈥 user experience. In this article, we鈥檒l walk through common password mistakes, the best practices to combat them, and how to simplify your management complexity. 

Common Password Mistakes 

Simply put, cybercriminals have evolved to be smarter about how they acquire user credentials, but our business environments have not evolved to properly defend against them. According to Specops鈥檚 , 41% of Americans rely on memory alone to

track their passwords. And, you can鈥檛 leave it up to users to secure their own credentials. Most employees reuse passwords for work and home, and make their passwords deliberately easy to remember 鈥 which also means they鈥檙e easy to guess. 

Using Common Passwords 

Common password credentials are often the first ones bad actors attempt during brute force attacks. They鈥檒l find these password lists on breached password dumps, and systematically enter them until one works. 

, the 10 most common passwords leaked in 2023 were:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. qwerty123
  7. 1q2w3e
  8. 12345678
  9. 111111
  10. 1234567890

These passwords are not only easy to guess; most of them are also very short, and have very little complexity, with no special characters. Many of them don鈥檛 even have a mix of both letters and numbers, and none of them are personalized to the user. 

Using Overly Simple Passwords 

You can鈥檛 just opt for a password that isn鈥檛 lazy and obvious. You must also add layers of complexity with a combination of long-chain letters, numbers, and special characters. It may feel like common knowledge that using over eight characters in a password was enough to deter most cybercriminals, but this isn鈥檛 always put into practice. In fact, of brute force password attacks in 2023 used passwords with 12 characters or less, and nearly a quarter of those attacks used passwords with only 8 characters.  

Reusing Passwords on Multiple Applications 

Without a password manager to securely store login credentials, many users resort to reusing passwords, simply so they can remember them.  According to Google鈥檚 , 52% of users reuse the same passwords for multiple accounts, and 13% use the same password for all their accounts. 

Using the same password repeatedly significantly widens the attack surface. A compromise of just one resource 鈥 even something as innocuous as a social media or retail account login 鈥 can lead to compromise of company resources, too. 

Password Management Best Practices 

Password management issues may be widespread, but that doesn鈥檛 mean your organization is destined to become the next victim of a cyber attack. Next, we鈥檒l give you a few best practices to implement in order to better secure your users鈥 passwords. 

Create a Password Policy 鈥 and Enforce It.

Design a detailed password policy all employees and user identities must follow to gain access to company resources. A modern cloud directory platform like 黑料海角91入口 makes this easy by creating password requirement policies based on your specifications. Here鈥檚 some examples of what should be included in your policy. 

Length/Complexity Requirements 

  • Specify a required length: In the world of passwords, size does count. Eight characters is no longer enough, and based on Specops鈥 resource, 12 characters are quickly becoming too simplified as well. We recommend 18+ characters in a password. 
  • Require a range of characters: Make each password require a mix of lowercase, uppercase, numbers, and special characters. 
  • Don鈥檛 allow words: It鈥檚 a lot easier to guess a password if it includes your name, your kid鈥檚 name, your pet鈥檚 name, or a common phrase. Eliminate this risk by allowing no recognizable words in your passwords. Instead, encourage employees to create acronym strings to make passwords that are hard to crack, but easy to remember. For example, if you want to use the song lyrics, 鈥淔or those about to rock, we salute you,鈥 make it part of your password by using 鈥渇tatrwsy鈥. If you can add in a phrase with numbers, that could be 鈥渢oo good to be true鈥 (2g2bt).
  • Don鈥檛 allow reuse: Ensure your password setting system can identify if a password has been used previously on the site, and do not allow employees to reuse these old credentials. 

Require Passwords Across Devices and Applications

Regardless of whether it鈥檚 a company laptop, an employee鈥檚 email on a personal device, an iPad, or even a BYOD cell phone, if a device is configured to connect to company resources, it must be protected with a complex password. 

Some organizations still have their heads in the sand about the breadth of password requirements. They allow BYOD without creating a policy around it or gaining control of the devices. Don鈥檛 neglect the need for passwords on networks, routers, mobile devices, and for all apps in use. You don鈥檛 want the next lost cell phone to lead to the next big breach.

Note: check out our guide to creating an effective BYOD policy in your organization.

Do Not Use the Same Password for Multiple Accounts

What happens when a CEO uses the same password for accessing a confidential business network that they use for their social media pages? Just ask the 6.5 million users who were . It鈥檚 鈥渘ever going to happen to you鈥濃 until it does. Be smart and don鈥檛 ever mix business and personal credentials. Automatic password rotation can enforce this company-wide.

Implement Regular Password Rotation

Use a password manager to require the regular changing of passwords. Required password rotation is essential to staying one step ahead of potential hackers.

Some systems require rotation but then allow a user to just switch back and forth between two passwords. Ultimately, this subverts the goal of password rotation. 黑料海角91入口鈥檚 platform catches this issue and allows admins to eliminate previous passwords as an option. This allows IT to set a number of previous passwords back that a user cannot use when rotating.

Require Multi-factor Authentication

Starting to get the sense that a passphrase alone isn鈥檛 enough to secure your network and resources? You鈥檙e right. In today鈥檚 day and age, even the most complex passwords aren鈥檛 foolproof. 

For the utmost in security, pair your detailed password policies with multi-factor authentication (MFA). MFA combines something a user knows (typically, the traditional username and password) with something they have (like a biometric verification, or a push notification or key sent to a private phone). When paired with a strong password, MFA makes it much, much more difficult for the wrong person to access your business resources.  

Educate Your Staff on Social Engineering and 鈥淧hishing鈥 Attacks

Your staff is much more likely to comply with your company policies if they understand why they鈥檙e necessary. Once you鈥檝e shared the policy, you must reinforce the rules by providing context around why it鈥檚 so important. 

Give your tema training on the most common forms of cyber attack, like social engineering and phishing. These hacking methods are cleverly disguised and require the victim to be a willing participant in undoing their security. 

The basic rule is this: whenever you follow a link that asks for login credentials (or any other personal information for that matter) you must be highly vigilant. If you鈥檙e not certain if the request for information is legitimate, then you can type the site鈥檚 known URL into your browser to make sure you鈥檙e not on a carefully disguised imposter鈥檚 site. 

Reducing Password Policy Complexity 

Are you feeling overwhelmed at this point, wondering how you鈥檙e supposed to manage so many password requirements and changes for so many users? Fear not. Our modern cloud security solutions offer lots of opportunities to automate these processes, freeing your IT admins up for more complex tasks. 

Use a Password Manager

Weak, shared, or compromised passwords play a role in most data breaches. When end users can create and store complex passwords easily, they play an active role in protecting your organization from malicious actors. Password managers allow users to create truly complex, uncrackable passwords while reducing downtime from not remembering them. It鈥檚 the perfect solution. 

Implement SSO and MFA 

Modern cloud solutions allow you to easily implement single sign-on and multi-factor authentication models to verify users prior to letting them access company resources. 

Single sign-on enables users to log in once to access all of their IT resources; they don鈥檛 have to type their username and password in over and over, or use multiple, distinct username and password pairs, to get access to everything they need to be successful at work. Today, SSO is often implemented as part of a larger identity access management (IAM) solution, such as a directory service, rather than as a separate add-on, which gives IT admins more control and visibility into what users have access to. SSO solutions that fit into this mold provide users with access to virtually all of their IT resources (networks, devices, apps, file servers, and more) through a single login.

Multi-factor authentication can also be turned on with the click of a button when using solutions like 黑料海角91入口. You can create conditional access policies that make users use a second factor to verify their identities all of the time, or only when logging in from an untrusted device, for example. , enabling MFA will stop 99.9% of cyber attacks. 

Upgrade to a Cloud Directory Platform like 黑料海角91入口 

While password managers, SSO, and MFA can certainly all be purchased piecemeal, by far the easiest and most comprehensive solution is to centralize your IT management around a cloud directory platform like 黑料海角91入口. 黑料海角91入口 provides a seamless single pane of glass from which to manage all user passwords and identities, and quickly batch implement the newest security policies. 黑料海角91入口 offers password management, all-application SSO, MFA capabilities 鈥 and so much more. 

If you鈥檙e ready to give a best-in-class open directory platform a try for all your IDaaS needs, 黑料海角91入口鈥檚 your solution. Start your free trial today.

Sean Blanton

Sean Blanton is the Director of Content at 黑料海角91入口 and has spent the past decade in the wide world of security, networking and IT and Infosec administration. When not at work Sean enjoys spending time with his young kids and geeking out on table top games.

Continue Learning with Related Posts

Visit the Search Page

Continue Learning with our Newsletter