Educating Users on Password Management Can Impact Your Organization’s Cyber Posture

Managing passwords can be a frustrating experience for employees but a critical one for protecting organizations. Industry best practices suggest a password reset every 90 days to help mitigate the risk of fraud in case a password has been compromised. This requires users to devise unique passwords every three months. In this process, many users resort to reusing familiar words, dates, or patterns, making it easier for cybercriminals to breach accounts. Additionally, sharing passwords with family members or colleagues introduces further risks.

As data breaches become increasingly common across various sectors, and as threat actors leverage advanced tools and scripts to exploit user behavior, it is essential to examine the approach to password creation.

A cybersecurity strategy that includes password management minimizes an organization’s risk of data breaches, ransomware attacks, and other cyber threats.

At this point, it can be assumed that existing accounts could already be compromised.

So, what does this mean? Across social media accounts or multiple email addresses, there’s a possibility that these platforms have experienced breaches, and credentials could already be in the hands of cybercriminals. These individuals can easily feed common strings of usernames and passwords into automated scripts, furthering their ability to gain unauthorized access.

As part of Cyber Awareness Month, it is an opportune time to enhance cyber hygiene at every level of your organization, including individual password management.

Many organizations have deployed Single Sign-On (SSO) as an authentication scheme that allows a user to log in with a single ID to access systems and third-party sites. Some also subscribe to Dark Web monitoring services that monitor for email domain-based breaches, detecting and alerting IT staff to the discovery of email and password pairs. However, these services rarely include monitoring and protection of their employees’ personal email and social media accounts. In a case where a personal email and password string is intercepted, it is not a stretch for a threat actor to do some reconnaissance on that individual and build a script to use those stolen credentials to target the user and organization.

One of the most powerful steps an individual can take this month is to sign up for a password manager and systematically update passwords across all accounts. An organization’s IT and security team should educate its user-base on the best path for password management. If your organization offers employees an enterprise-wide password manager service, October would be a great time to advertise that capability to any high-risk team likely to share third-party tools and passwords.

Here are some key takeaways to share:

Why Strong Passwords Matter

Weak passwords—like “12345” or easily guessed personal information—are akin to leaving your front door wide open for cybercriminals. Such passwords can lead to unauthorized access to sensitive accounts, resulting in identity theft and financial loss. A strong password serves as your first line of defense, and creating one can be straightforward if you follow a few key guidelines.

Tips for Creating Strong Passwords

  1. Use a Strong, Unique Passphrase.  A passphrase can be easier to remember while still providing security. You can also create a phrase and then use the first letters of each word to build a complex password that is still memorable. For example, the phrase “My football jersey number was five when I was quarterback!” can be used to remember the password Mfj#w5wiwq!
    • Combine Random Words: Create a passphrase using at least four random words (e.g., appletigerjumpingshell).
    • Length Matters: Use a minimum of 12 characters; 16 is recommended but longer passwords are better and tend to be more secure.
    • Utilize Special Characters: Incorporate punctuation marks and symbols to strengthen your passwords. For example, use characters like @, #, $, and % to increase complexity.
    • Unique Passwords for Each Site: Different passwords for different accounts ensure that if one is compromised, others remain secure.
    • Avoid Common Mistakes: Steer clear of single dictionary words, spatial patterns (like “qwerty”), predictable sequences (like “xyz”), and personal information.
  2. Be Unpredictable
    • Choose random, unrelated words instead of common terms. Avoid personal details that cybercriminals might uncover through social media.
  3. Embrace Variety
    • Never reuse passwords across multiple sites. Each password should be unique to minimize risks.
  4. Explore Passkeys for Verification
    • Use biometrics like fingerprints or facial recognition to add another layer of security. Major platforms like Apple, Google, and Microsoft now support passkeys. Passkeys eliminate the need for users to remember or share credentials, which significantly reduces the risk of phishing. The private key is securely stored on the user’s device, while the public key is registered with the service, ensuring strong, phishing-resistant authentication without shared secrets.
  5. Use Your Browser’s Built-In Password Manager
    • Modern browsers like Chrome, Safari, and Firefox come equipped with password managers that can generate complex passwords and alert you to weak ones.
  6. Leverage Free Password Generator sites
    • If you have run out of energy and imagination to create your own passwords, organizations like 1Password, LastPass, NordPass, Bitwarden and Dashlane offer free online password generators. These sites let users create a random password: all you need to do is choose the character length and whether uppercase letters, lowercase letters, numbers and symbols are included in the one-time random password. Some of these sites can also help with developing passphrases, and some offer password strength tests and an estimated time to crack your passwords.
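To make the passkey description in item 4 concrete, here is an added example (not code from this article or from any of the vendors it names) that models the exchange in Go: the device keeps an Ed25519 private key, the service stores only the public key, and a login signs a fresh challenge together with the origin the client platform observed. The message layout, the `Device`/`Service` types and the origin strings are simplifications chosen for illustration, not the exact WebAuthn wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device models the user's authenticator; the private key never leaves it.
type Device struct {
	priv ed25519.PrivateKey
}

// Service models the relying party; it holds only the public key registered at enrollment.
type Service struct {
	origin string
	pub    ed25519.PublicKey
}

// Assertion is what the device hands back during login.
type Assertion struct {
	Challenge []byte
	Origin    string // origin the client platform observed, not typed by the user
	Signature []byte
}

// Register creates a key pair on the device and gives the service the public half only.
func Register(origin string) (*Device, *Service, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &Service{origin: origin, pub: pub}, nil
}

// NewChallenge returns a fresh random nonce so an old assertion cannot be replayed.
func (s *Service) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// signedMessage binds the challenge to the origin (simplified layout, an assumption of this example).
func signedMessage(challenge []byte, origin string) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Sign is the device side: it signs the challenge and the observed origin with the private key.
func (d *Device) Sign(challenge []byte, observedOrigin string) Assertion {
	return Assertion{
		Challenge: challenge,
		Origin:    observedOrigin,
		Signature: ed25519.Sign(d.priv, signedMessage(challenge, observedOrigin)),
	}
}

// Verify is the service side: accept only a signature over the challenge this
// service issued, made for this service's own origin. An assertion produced on a
// lookalike site carries that site's origin and fails here, which is what makes
// the scheme phishing-resistant without any shared secret.
func (s *Service) Verify(issued []byte, a Assertion) bool {
	if a.Origin != s.origin {
		return false
	}
	if !bytes.Equal(issued, a.Challenge) {
		return false
	}
	return ed25519.Verify(s.pub, signedMessage(a.Challenge, a.Origin), a.Signature)
}

func main() {
	dev, svc, err := Register("https://bank.example") // constructed origin
	if err != nil {
		panic(err)
	}
	ch, _ := svc.NewChallenge()
	fmt.Println("genuine login accepted:", svc.Verify(ch, dev.Sign(ch, "https://bank.example")))
	fmt.Println("lookalike origin accepted:", svc.Verify(ch, dev.Sign(ch, "https://bank-example.test")))
}
```

The second `Verify` call shows the defensive property the article describes: even if a user is lured to a lookalike site and their device signs for it, the resulting assertion is useless against the real service.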

The Role of Password Managers

Password managers are invaluable tools that securely store and organize your passwords. They can generate strong passwords and auto-fill them for you, enhancing both your online experience and security. Here are some key benefits of using a password manager:

  • Secure Storage: Password managers encrypt your password library, meaning you only need to remember one master password to access everything.
  • Convenience: They automatically fill in login credentials, saving you time and effort.
  • Alerts for Weak Passwords: Many password managers will notify you if you have weak or reused passwords.
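The rules in the tips above (at least 12 characters, no keyboard patterns or predictable sequences, no single dictionary word), the generator options described under item 6, and the weak-or-reused-password alerts listed here can all be shown in one small program. The Go code below is an added example, not code from this article or from any password manager it names; the word list, the dictionary and the keyboard patterns are short constructed samples, and a real tool would use much larger lists.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"strings"
)

// Constructed sample word list for passphrases (a real generator uses thousands of words).
var wordList = []string{"apple", "tiger", "jumping", "shell", "river", "candle",
	"orbit", "meadow", "pixel", "harbor", "velvet", "quartz"}

// Constructed sample dictionary used to flag single-word passwords.
var commonWords = map[string]bool{"password": true, "football": true, "welcome": true,
	"dragon": true, "monkey": true, "sunshine": true}

// Constructed sample of spatial keyboard patterns.
var keyboardPatterns = []string{"qwerty", "asdf", "zxcv", "1qaz", "qazwsx"}

// randInt draws a uniform integer in [0, n) from the OS CSPRNG.
func randInt(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}

// hasSequence reports whether pw contains runLen characters that step up or
// down by exactly one code point each, e.g. "12345", "xyz" or "dcba".
func hasSequence(pw string, runLen int) bool {
	r := []rune(strings.ToLower(pw))
	for i := 0; i+runLen <= len(r); i++ {
		up, down := true, true
		for j := 1; j < runLen; j++ {
			if r[i+j] != r[i+j-1]+1 {
				up = false
			}
			if r[i+j] != r[i+j-1]-1 {
				down = false
			}
		}
		if up || down {
			return true
		}
	}
	return false
}

// CheckPassword applies the article's rules and returns the problems found.
func CheckPassword(pw string) []string {
	var findings []string
	if len([]rune(pw)) < 12 {
		findings = append(findings, "shorter than 12 characters")
	}
	lower := strings.ToLower(pw)
	for _, p := range keyboardPatterns {
		if strings.Contains(lower, p) {
			findings = append(findings, "keyboard pattern "+p)
			break
		}
	}
	if hasSequence(pw, 4) {
		findings = append(findings, "predictable sequence")
	}
	if commonWords[lower] {
		findings = append(findings, "single dictionary word")
	}
	return findings
}

// ReusedPasswords returns, sorted, the sites whose password also protects another site.
func ReusedPasswords(vault map[string]string) []string {
	bySecret := map[string][]string{}
	for site, pw := range vault {
		bySecret[pw] = append(bySecret[pw], site)
	}
	var reused []string
	for _, sites := range bySecret {
		if len(sites) > 1 {
			reused = append(reused, sites...)
		}
	}
	sort.Strings(reused)
	return reused
}

// GeneratePassword mirrors the options of the generator sites: length plus character classes.
func GeneratePassword(length int, upper, lower, digits, symbols bool) (string, error) {
	pool := ""
	if upper {
		pool += "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	}
	if lower {
		pool += "abcdefghijklmnopqrstuvwxyz"
	}
	if digits {
		pool += "0123456789"
	}
	if symbols {
		pool += "@#$%!&*?"
	}
	if pool == "" {
		return "", errors.New("no character classes selected")
	}
	if length < 12 {
		return "", errors.New("length below the 12-character minimum")
	}
	out := make([]byte, length)
	for i := range out {
		out[i] = pool[randInt(len(pool))]
	}
	return string(out), nil
}

// GeneratePassphrase joins n randomly chosen words, in the style of "appletigerjumpingshell".
func GeneratePassphrase(n int) string {
	parts := make([]string, n)
	for i := range parts {
		parts[i] = wordList[randInt(len(wordList))]
	}
	return strings.Join(parts, "")
}

func main() {
	for _, pw := range []string{"12345", "qwerty123", "football", "appletigerjumpingshell"} {
		fmt.Printf("%-24s %v\n", pw, CheckPassword(pw))
	}
	// Constructed vault: the same password on two sites should be reported.
	fmt.Println("reused on:", ReusedPasswords(map[string]string{
		"bank": "Tr0ub4dor&3x", "mail": "Tr0ub4dor&3x", "shop": "correct-horse-9"}))
	pw, _ := GeneratePassword(16, true, true, true, true)
	fmt.Println("generated:", pw, "passphrase:", GeneratePassphrase(4))
}
```

`ReusedPasswords` is the check behind the "reused passwords" alert: it groups sites by secret rather than comparing each pair, so it scales to a large vault. The generators draw from `crypto/rand`, never `math/rand`, because a predictable generator would undo the point of a random password.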

Best Password Managers for Different Browsers

  • Microsoft Edge: NordPass works well in Microsoft Edge and offers strong encryption, along with features like a dark web scanner and 24/7 support.
  • Chrome: 1Password’s extension offers seamless password management, generating strong passwords and auto-filling logins. LastPass and NordPass are also great options.
  • Firefox: Keeper, 1Password, and Dashlane provide robust security features.

Enable Two-Factor or Multi-Factor Authentication

Adding two-factor or multi-factor authentication (2FA/MFA) provides an additional layer of security. When available, enabling it on your important accounts is highly recommended.

The Bottom Line

Creating strong passwords and using password management tools are essential for protecting your digital life. By following best practices for password creation and leveraging password managers, you can significantly reduce the risk of cyber threats. Take control of your online security today—your personal information is worth the effort! 

Additional Resources

  • For more information on password managers, consider exploring trusted sources like Consumer Reports, CNET or the following websites:
    • 1Password.com
    • LastPass.com
    • NordPass.com
    • Bitwarden.com
    • Dashlane.com
  • Check if your accounts have been compromised using sites like haveibeenpwned.com