“Use a strong password” is the digital equivalent of “wear sunscreen”: Everyone knows it’s sound advice, but far too few people take it. Instead, they rely on easy-to-remember passwords, including that “!” at the end of their secret phrase or inserting “@” in lieu of the letter “a.” (It’s no coincidence that “P@ssword!” is the most often used password.) Of course, none of this lowers the importance of a breach for most businesses. The unsettling reality is that password security is still a prevalent and underappreciated problem. One of the most difficult difficulties for businesses in improving their security is encouraging workers to practice better password hygiene.
The issue here is that human nature is complex. It’s not only that consumers don’t want to waste valuable cognitive resources memorizing different and difficult passwords for each account. They are frequently attempting to escape the sensations of irritation that accompany their inability to recollect the material readily. Passwords that are simple and familiar will always win out over more complicated and secure ones. Unfortunately, the human aspect in password security boils down to what is convenient rather than what is safe. Please forgive us, password gods.
We’ve seen how this goes down. People use weak passwords, which are prone to brute force assaults, and repeat passwords while being aware of the hazards. According to Google research conducted in 2019, more than 52% of users admit to reusing passwords, with around 13% admitting to using the same password across all accounts. Simultaneously, 68% of password users admit to reusing credentials because they are afraid of forgetting them, while 36% believe their accounts are not significant enough to warrant more strict security measures.
So, what can companies do? The good news is it’s not a question of choosing between gold-standard security or nothing at all. Instead, companies need to find the approach that works best for their people — and that employees will actually follow. Here are five recommendations that managers and IT departments can share with employees and teams to help them find — and use — the right level of protection for any situation.
Level One: The throwaway password
A throwaway password is one that is used in conjunction with a disposable email account. The concept is similar to creating a burner email account to use with a free trial. These single-use accounts are especially beneficial if you know you’ll be immediately subscribed to a never-ending bombardment of unappreciated sales emails for the remainder of the account’s existence (“unsubscribe” buttons be damned). The insignificance of the passwords for these insignificant accounts provides safety. No important information or passwords are lost if (when) these credentials are stolen or these accounts are hacked. This theft will not jeopardize any crucial accounts or passwords.
For these accounts, you could use a password as simple as a word, a few letters, and a special character. For example, Frodo123! But never use this password again with any other email account. Reusing a simple password across multiple platforms can be the kiss of death.
Level Two: A password phrase
Four- or five-character passwords, regardless of the combination of numbers, letters, or symbols, are similarly vulnerable. That’s why experts now recommend at least a 12-character password. The problem is that no one likes to remember a bunch of long, complicated passwords. Here’s where password phrases come in.
A password phrase is lengthier than a basic one-word password, but it is easier to remember. To enhance character length, most of us should use password phrases rather than words, but they should not be as basic as song lyrics (professional hackers have been on to this technique for years). Using phrases like “everybreathyoutake,” “oopsididitagain,” or “igottafeeling” almost invites hacking. Here’s a better example that may be more relevant to you Gen Xers: In1984VanH@lenRock$! Although these passwords are not the gold standard of excellent password management, they are suitable for persons who will not utilize the good password hygiene specified in the higher tiers of online security on a regular basis.
Level Three: A password phrase that utilizes a pattern.
This is a password that can be incorporated across different platforms but is just different enough to allow for that password not to be used twice. For example, if you have various social media accounts, you could use a word with color (and unique number/character pattern) across those accounts. For example Instagram — urRED!@7am&8pm, Facebook — urWHITE!@7am&8pm, LinkedIn — urBLUE!@7am&8pm.
A word of caution: I have worked in organizations that have demanded passwords be changed every 90 days. In this case, I have seen individuals use the four seasons to align with the required update times. For example: “Spring2023!,” “Summer2023!,” “Fall2023!,” “Winter2023!.” Again, a professional hacker will be able to crack this code in under a minute. Use a combination that is specific to you — and only you (and stop using “!” so much — try using “+” or another less-common symbol).
Level Four: A password phrase with two-factor authentication
For more sensitive login accounts, such as banking information, business emails, and file sharing, two-factor authentication is advised. A confirmation SMS, email, biometric, or token, whether a physical fob or an authentication system like Google Authenticator, can be used. By combining two-factor authentication with a complicated password, you significantly reduce your chances of getting hacked. While not flawless, two-factor authentication gives the user something that any security specialist will tell you is valuable: it makes you a more difficult target, which typically means your opponent will move on to simpler victims.
Level Five: Password manager software with two-factor authentication
Knowing that a complex passphrase coupled with two-factor authentication is the best way to secure your login information, the problem remains of memorizing, recording, and/or sharing this information. For this reason, it is recommended that organizations that share login information have employees use password manager software, such as 1Password or Dashlane.
While still not infallible, a password manager helps employees who might practice poor cyber hygiene prevent data from unintentionally leaking out. It also allows for an immediate lockout of an employee who was recently terminated, without having to waste time on an overall organizational password reset.
Shared accounts pose an inherent risk. The moment you share a password with another person, vulnerabilities increase and so does the likelihood of being hacked. If you’re going to share a password, it needs to be changed at least every 90 days, and as soon as anyone with access to the password leaves your organization. Most large public and private organizations mandate this frequency of updating passwords. Just make sure to avoid the easily anticipated formats mentioned above (Spring2023!, Summer2023!, Fall2023!, Winter2023!).