Password Safety: Password Do's and Don'ts

Bryan Christ

February 16, 2023

Passwords are part of life — because we're so used to creating them, we may forget how critical they are for security. They are the foundation of our online security. The password protects our bank accounts, emails and sensitive information. Your business needs protection from the ground up and password safety plays a key role. 

A password breach could cause your company to suffer massive financial and data losses. Despite the frequency with which we create and use passwords, we can all benefit from learning the rules for creating a password. This password safety guide will help your business and employees protect your sensitive information. 

Why Is Password Security Important? 

A password is often the only thing standing between an attacker and your business's sensitive information. Hackers and other malicious actors have various tools to crack passwords so they can access your finances, steal your identity or make off with your customer data. For example, hackers can crack an 11-character password consisting entirely of numbers in two seconds. 

Cybercriminals are constantly evolving, coming up with innovative ways to crack your passwords. Questioning how often you should change your password or what not to include in your password takes on new importance in the fluidity of the online climate. 

Studies show that in 2019, around 21 million unique passwords were hacked. If employees use easy passwords or reuse and rotate the same ones, your business could be at risk of a breach. Some consequences of weak password protection include the following:

  • Identity theft.
  • Data breaches.
  • Blackmail and ransomware.
  • Computer hijacking.

Lack of password security puts your business, employees and customers at risk. A breach in cybersecurity can result in staggering financial losses — victims reported losses in the range of $6.9 billion in 2021 alone. Adequate password security is an integral part of cybersecurity as a whole. 

Common Password Security Threats

Cybercriminals know the common design flaws in password creation and exploit them to gain access to your business information. Although they're always evolving their methods, some common password attacks include the following:

Brute Force Attacks

These attacks are devoid of finesse: they throw every possible password combination at your security system through repeated login attempts in the hope of finding a match. Hackers write specialized programs to attempt trillions of password combinations. Long, complex passwords provide the best protection against these attacks. 

Dictionary Attacks

Hackers rely on our basic word choices to create multiple login attempts. They use malicious programs to test every word in the dictionary and gain access. These attacks can also include personalized attempts relating to where employees live and even what books they read.

Keylogging

Keylogging involves installing malware on your business computers that monitors employees' keystrokes as they type. Attackers can flag frequently repeated, unusual strings and recognize them as passwords. To combat these attacks, your employees must be able to recognize phishing attempts so they don't let malware into your systems. 

Password Spraying

Armed with frequently used passwords, hackers test these against an employee's username in the hopes they've fallen back on common words and phrases. 
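The difference between the brute-force and spraying patterns described above is visible in authentication logs: brute force is many failures against one account, spraying is a few failures each across many accounts. The following detection logic is an added illustration, not code from the original article; the log format, IP addresses and thresholds are constructed assumptions.

```python
# Added example (not from the original article): classify failed logins per
# source IP as brute force (many guesses at one account) or password spraying
# (a few guesses each at many accounts). Log lines are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
2023-02-16T09:00:01 FAIL user=alice src=203.0.113.7
2023-02-16T09:00:02 FAIL user=alice src=203.0.113.7
2023-02-16T09:00:02 FAIL user=alice src=203.0.113.7
2023-02-16T09:00:03 FAIL user=alice src=203.0.113.7
2023-02-16T09:00:04 FAIL user=alice src=203.0.113.7
2023-02-16T09:01:00 FAIL user=bob src=198.51.100.9
2023-02-16T09:01:01 FAIL user=carol src=198.51.100.9
2023-02-16T09:01:02 FAIL user=dave src=198.51.100.9
2023-02-16T09:01:03 FAIL user=erin src=198.51.100.9
2023-02-16T09:01:04 FAIL user=frank src=198.51.100.9
2023-02-16T09:02:00 FAIL user=grace src=192.0.2.44
2023-02-16T09:02:30 OK user=grace src=192.0.2.44
"""

def parse_failures(text):
    """Return {src_ip: {user: failed_attempts}} built from FAIL lines only."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "FAIL":
            continue
        user = fields[2].split("=", 1)[1]
        src = fields[3].split("=", 1)[1]
        failures[src][user] += 1
    return failures

def classify(failures, min_attempts=5, min_users=5):
    """Label each source 'brute-force', 'spraying' or None (benign)."""
    verdicts = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        verdicts[src] = None                  # default: a typo or two, not an attack
        if total < min_attempts:
            continue
        if len(per_user) >= min_users:
            verdicts[src] = "spraying"        # few guesses spread over many accounts
        elif max(per_user.values()) >= min_attempts:
            verdicts[src] = "brute-force"     # many guesses against one account
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(parse_failures(SAMPLE_LOG)).items():
        print(src, verdict)
```

Per-account lockout alone does not catch the spraying source, which is why the verdict is computed per source IP rather than per user.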

Credential Stuffing

Anyone who has suffered a breach is vulnerable to credential-stuffing attacks. Hackers use your previous passwords — including variations and combinations — to try and log in to your current accounts. People who use the same passwords across multiple accounts are particularly vulnerable. 

Phishing Scams

Hackers might pose as legitimate businesses or individuals to persuade users to input their login details, often using cloned websites, malicious links and fake forms. Once the user has given their login information, cybercriminals can install malware and other malicious software on their computer, which can then be transferred across your entire business network. 

There are multiple types of phishing, including spear phishing, smishing and whaling. Many of these scams come via email but can also be delivered via text message, video call or even the fake profile of a senior executive within your company. 

Insider Threats

Sometimes the cyber threat is within your organization. Human beings are unpredictable and prone to errors. Employees can, deliberately or accidentally, use their authorized access to hand sensitive information to cybercriminals. If all your employees know your passwords, it creates a severe data breach risk. 

How to Create a Safe Password  

Organizations have to deal with two primary types of account passwords: those governed by your identity management program, and those that are decentralized and ungoverned, for example, passwords to social media accounts, spreadsheets and other resources that may be used and reused in many places. 

For governed accounts, creating a solid and unique password is the first step to preventing password security threats. It's essential you know the basic rules for building a strong password. Here are some quick tips to boost password strength for that extra layer of protection:

  • Avoid sequential numbers and letters: Hackers are always looking for sequences. They're easy to remember, so people use them often. For extra security, never use combinations such as "12345" or "XYZ."
  • Keep personal information personal: If it's online or on social media, hackers will use social engineering techniques to find it. Don't include easy-to-access information like birthdays, addresses, pet names or phone numbers. 
  • Stay away from actual words: Stay protected against dictionary attacks by keeping real words out of passwords. Avoid colloquial language, proper nouns and popular media references. Stick to the general rule — if it's in the dictionary, don't use it. 
  • Combine letters, numbers and symbols: The most secure passwords combine non-sequential random letters, numbers and symbols. The more complex, the better — think of the upper and lower case, special characters and number variations. 
  • Prioritize the length of your password: Passwords are more challenging to crack as they get longer. They should be a minimum of 16 characters to mitigate the chances of cyber attacks.

For ungoverned accounts, the above guidance holds true, but a better approach is to use a zero-knowledge password manager like Bravura Safe that generates a password for every account and stores them all in one vault for secure retrieval. These unique passwords can be extremely complex because nobody has to remember them.

  • Use different passwords for all accounts: Don't fall prey to credential-stuffing attacks. Create a different password for each account. Steer clear of reusing and rotating passwords. 


Password Safety Do's

How do you create the perfect password? Here are some quick tips to maximize password security and keep your business information safe:

Do Create a Strong Password

Put yourself in a hacker's shoes for a moment and consider what you would do to get into someone's system, then create a password that counteracts these attempts. Ensure your password contains the following elements:

  • Both upper and lower case letters.
  • Random patterns and sequences.
  • Special characters.
  • At least 16 characters. The longer the better. 

Do Change Your Passwords Frequently

Stay one step ahead of cybercriminals with regular password changes. If they're throwing brute force attacks at your business, they'll have to start again whenever you change. Make sure every new password is just as strong and complex as the one it replaces.

Do Use an Enterprise Password Manager to Enable Zero-Knowledge Passwords

A password manager encrypts and stores unique passwords for different accounts and sites, which means employees don't have to remember each password or which account it belongs to. An enterprise password manager takes things a step further by enabling zero-knowledge passwords. 

Zero-knowledge passwords are a vital method security software companies use to keep mission-critical information secure. Without it, if the server storing your sensitive data suffers a breach, the hacker will have all your information and the means to access it. Zero-knowledge encryption prevents this, as only you can access and decrypt your data — even your security software company doesn't have access. 

An enterprise password manager manages and secures decentralized passwords for your business. The only password you need to remember is the one that unlocks your password manager. 

Do Use a Strong Password for Governed Accounts

Accounts governed by Bravura Security's identity program have synchronized passwords across all systems so you do not need to manually update them in systems and applications. This is a unique feature that covers a broad range of systems and applications, including legacy systems such as mainframe and AS/400. Our customers find this invaluable.   

Do Use a Strong Yet Unique Password for Decentralized Accounts

People use the same password for all their accounts because the thought of memorizing many different passwords can be daunting. For accounts that are not managed by your identity program's password manager, the key is to use a password safe or vault that follows best practices. That way you never reuse passwords, you store them all safely in one place and you maintain the integrity of your security at the same time. 

Do Use Two-Factor Authentication

Two-factor authentication adds another layer to your password security. This access management method requires two forms of identification to complete the login process. Even if cybercriminals manage to hack your password, chances are they won't be able to complete the authentication. The most common form of two-factor authentication is text message verification. You can also use push notifications, voice-based authentication and hardware tokens to help your employees keep your data safe. 

Password Safety Don'ts 

Now you know what you should do to keep your passwords secure, let's look at some of the password practices to avoid. 

Don't Use Your Username as Your Password

Your username may be easy to remember, but it's one of the first things a would-be hacker will try. Usernames in any form (reversed, doubled, capitalized or otherwise altered) leave you open to malicious attacks. 

Don't Use Easily Guessed Passwords

Many people use the same passwords all the time, making them easy for hackers to guess. Avoid generic terms and anything related to your personal information. If it's easy to find out through social engineering, it's best avoided. Steer clear of the following:

  • Sports and sports teams.
  • Family member and pet names.
  • Birthdays, anniversaries and special occasions.
  • Variations of your phone or social security number. 
  • Variations of the same password. 

Don't Use the Same Password for More Than One Site

If a hacker cracks one of your passwords, they will try it on all your accounts. If your password is the same across the board, they will have access to all your sensitive information in minutes. 

Don't Create Short Passwords

It may seem like shorter passwords are easier to remember, but this is only sometimes the case. A short jumble of random numbers, letters and special characters looks secure, but it may be harder to recall than we assume. Short passwords are also far easier for password-cracking programs to break. 

Don't Share Your Passwords With People You Don't Trust

While it may seem unlikely that anyone would share a password with someone they don't trust, it happens. Guard your passwords and only share them with people when absolutely necessary. If you suspect someone else has seen your password, change it as soon as possible.

Don't Send Passwords to Shared Sites

In cases where multiple employees have to use the same password for a shared site, use a secure link that disappears after receipt. Employees can then transport the password into their enterprise password manager. 

Password Safety FAQs

We've answered some common password security questions here to help you and your business stay ahead of the curve. As you need a separate password for every site, please keep these answers in mind so you don't get into dangerous password territory. 

What Are the Six Rules of a Strong Password?

These six rules can get you started on the route to creating a secure password:

  1. Use at least eight characters — a minimum of 16 is better. 
  2. Use a combination of different characters.
  3. Use at least one uppercase letter.
  4. Avoid personal information.
  5. Use a different password for each site.
  6. Check your password strength with an online tool. 
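A checker that applies the rules from "How to Create a Safe Password" and the six rules above (length, mixed character classes, no sequential runs, no username, no personal information, no dictionary words) is added here as an illustration; it is not code from the original article, and the word list, the 16-character minimum and the sample personal details are constructed assumptions.

```python
# Added example (not from the original article): check a candidate password
# against the rules the article lists. The tiny word list is constructed for
# this example; a real deployment would load a full dictionary / breach list.
import re
import string

MIN_LENGTH = 16
WORDLIST = {"password", "qwerty", "welcome", "dragon", "summer", "monday"}  # constructed

def has_sequence(pw, run=3):
    """True if pw contains `run` consecutive ascending/descending chars (abc, 321)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def contains_personal(pw, personal):
    low = pw.lower()
    return any(p.lower() in low for p in personal if len(p) >= 3)

def contains_word(pw):
    """Reject real words: any run of 4+ letters that appears in the word list."""
    return any(w in WORDLIST for w in re.findall(r"[a-z]{4,}", pw.lower()))

def check_password(pw, username="", personal=()):
    """Return the list of violated rules (an empty list means the password passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("needs upper, lower, digit and symbol")
    if has_sequence(pw):
        problems.append("contains a sequential run like 123 or abc")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if contains_personal(pw, personal):
        problems.append("contains personal information")
    if contains_word(pw):
        problems.append("contains a dictionary word")
    return problems

if __name__ == "__main__":
    print(check_password("Summer2019!", username="jsmith", personal=["Rex"]))
    print(check_password("t7#Qv!m2Zr$9Lw&k", username="jsmith"))
```

Running the check locally, as here, also keeps candidate passwords off third-party websites, which is worth weighing against rule 6.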

How Often Should I Change My Password?

There's no exact science behind how often you should change your password, but at the very least you should change your passwords quarterly, that is, every three months. Sometimes it's necessary to change passwords more frequently, such as when:

  • You no longer need or want to share an account with someone.
  • You've experienced a data breach. 
  • You have a weak or easy-to-guess password.
  • One or more of your accounts have been hacked. 
  • You have to enter your password on a public device or network. 
  • You or someone else has shared your password over an insecure channel. 

What Should I Not Include in My Password?

Aside from personal information, other commonly used elements make passwords easy for hackers to guess. Leave the following out when creating a new password:

  • References to sports or sports teams.
  • Dates and years.
  • Names of people close to you or random names.
  • Any word found in the dictionary, including curse words and colloquial language.
  • Proper nouns.
  • Months, days and seasons.
  • Favorite foods, drinks and television shows. 

Remember the rule — don't use it if it's a real word. 

What Are the Most Common Passwords?

The most common passwords are the easiest to guess. Despite cybersecurity risks, people are still choosing to keep things simple regarding password creation. Some of the most common passwords people use include the following:

  • 123456
  • Password
  • 12345
  • 123456789
  • password1
  • abc123
  • 12345678
  • qwerty
  • 11111
  • 1234567

The Ultimate Tool in Password Safety: Zero-Knowledge Passwords

Zero-knowledge passwords offer your company unparalleled password security. They allow your password security software provider to authenticate your login without knowing the password themselves. Using a zero-knowledge enterprise password manager gives your business all of the password security best practices outlined above and adds the extra safety measures inherent in zero-knowledge creation and usage. 

Your business has the option of mitigating the threat of phishing and brute force attacks with passwordless options. Biometrics is becoming increasingly prevalent as cybercriminals get more creative every year. Passwordless authentication is quick and easy, allowing your business to maintain a competitive edge in cybersecurity.

Protect Your Passwords With Bravura Security

Weak passwords and the resulting data breaches can be catastrophic for your business. Bravura Security can help you navigate your daily challenges with our identity management, privileged access and password management platform — the only one of its kind delivered as one powerful solution to augment your current business security practices. 

With decades of cybersecurity experience and award-winning innovations, Bravura Security provides trusted password management solutions. Your company will benefit from effective risk management and protection with the power of one solution. To experience the benefits of Bravura Security first-hand, book a demo today.