Have you seen the meme about needing to rename your dog now that your password has been stolen? We all have ways to make everyday tasks feel easy and comfortable—and setting up passwords for accounts and services often falls into this category. Many passwords are used daily, or multiple times in a day, so people want passwords that are easy to remember and fast to type.
As security professionals, we recognize that password strength is a safeguard for personal and professional data. Weak passwords are more easily guessed or cracked. However, the question of "How strong is my password?" is often overlooked by the average person, like your employees.
We might also recognize that password effectiveness is on a downward slope. Features like multifactor authentication (MFA) add a security layer, but people get frustrated with the additional task. Also, complex attacks such as MFA-bypass techniques and reverse proxy services such as EvilProxy can increasingly get past this account protection. It’s essential for security professionals to continually evaluate and adapt newer approaches such as FIDO authentication and other passwordless methods.
In this article, we will help you motivate your employees to do their part by providing effective strategies that will help them create stronger passwords and gauge their strength.
Security consequences at work and home
How do you explain the consequences of using a weak password? It’s helpful to emphasize that employees might accidentally expose sensitive information that hurts them both professionally and personally.
At work, a weak password might give access to office computers or the company network. The attackers can install malicious software (malware) which could lead to financial loss, data loss or data theft for your organization. Depending on the size and impact, this breach could negatively affect the company’s health and reputation—and ultimately that person’s job.
At home, a weak password might give access to personal accounts such as banks, credit cards, emails and social media. This credential exposure could hurt not only the person but also their family members, colleagues or friends. For instance, threat actor getting into their Venmo account will see their personal credit card data and the history of transactions with people they know.
We are creatures of habit, so the way you set work passwords at work is often the way you set personal passwords. It’s natural for people to be most concerned about their home life, so there is great impact in relating the domino effect of password security.
Four common mistakes of weak passwords
Before you explain how to set a strong password, it’s useful to share the common mistakes that people make in creating weak passwords. You can evaluate the weakness of a password by looking at whether it is personal, ordinary, simple and predictable.
Here are four essential password “DON’Ts”:
- Don’t use identifying words. Avoid words that are personally identifying or publicly available such as your name, birthday, street address, email address or account username. Attackers can leverage a person’s background and history for educated password guesses—especially if that attacker is someone who knows you.
- Don’t use family words. For similar reasons, avoid names, numbers and dates that identify your children, animals or parents such as their age, name or birthday.
- Don’t use real words. Avoid words that are straightforward or straight from the dictionary, such as “puppy” or “puppydog” or “puppy1.” Attackers can run software that processes every word in a dictionary to crack passwords.
- Don’t use simple patterns. Avoid a string of characters that are consecutive numbers or a part of the alphabet, such as “1011121314” or “ghijklmn.” Attackers can run comprehensive lists of frequently used passwords to test against a password.
In summary: A weak password uses personally identifying words, family dates or names, dictionary words, or simple character strings. The password might be easy to guess because the information is related to a personal history or private life, or because the words or numbers are commonly used or well-known constructs.
Four guidelines for creating strong passwords
Now it’s time for guidelines around setting strong passwords. The strongest passwords are difficult for someone else to guess while still relatively easy for you to remember. You can ensure the strength of a password by being strategic about making it long, complex and unpredictable.
Here are four strategic password “DO's”:
- Make the password long. The recommended length is 10 or more characters, even if the minimum required length is only 6 or 8 characters.
- Mix together character types. The password should include numbers, symbols, and both uppercase and lowercase letters.
- Use multi-word patterns. Instead of basing the password on a simple word like “puppy,” base it on a phrase like “small brown puppies are cute.” Alternately, string together an unexpected combination of words like “puppy hotdog football.”
- Add a mnemonic trick. Use a base pattern that is easy to remember because it’s memorable to you, such as “I love to bake cookies” or “my honeymoon was in Spain.”
In summary: A strong password uses 10 or more characters and a mixture of uppercase letters, lowercase letters, numbers and symbols. The password should be difficult to crack because it is not tied to information that is personal, private, standard or often used.
Key guidance for setting unique passwords
A key password best practice to communicate is both a DON’T and a DO: Never use a password more than once. Always set a unique password for each account or service to prevent a domino effect if there is a security breach.
You could set up a highly secure password using all of the “DO's” listed above. But if you use that password across different accounts, you are risking the security of every account. Once a login credential is exposed, the attackers will try that same combination many more times.
Earlier in this article, we discussed the overlap between professional and personal security habits. This topic is a great way to help employees understand the key guidance of setting unique passwords for each account. Whether the password is related to business or home life, once it is compromised, all the accounts and services using that password are vulnerable.
Two tools to generate and manage passwords
As a security professional, it’s important to remember that your employees might find it difficult to create unique passwords. And that’s before encountering the requirements of an account or service for certain rules of creation and extra security measures such as predefined questions.
You can recommend two helpful software tools: The password generator and password manager.
Unpredictability is critical for creating a strong password. A password generator can create passwords that use randomized elements to remove any discernible pattern. The generator might randomly combine uppercase letters, lowercase letters, numbers and special characters. Or it can create a more customized randomness by stringing together unrelated characters or unrelated words. Either way, the generated password is harder to guess or crack.
A strong password, especially one created by a password generator, might be complicated to remember. A long list of strong passwords is even more challenging. That’s why a password manager is often used as a simple secure method to encrypt passwords and store them in one cloud-based service. You create (and remember) a master password to unlock the password manager and access all of your login credentials, instead of having to remember each of those credentials separately.
Password safety is natural, easy risk reduction
Setting safe passwords should be a built-in behavior for your employees, as an integral part of reducing security risk to your organization. Since people often find it challenging to create strong unique passwords and manage them safely, it’s valuable to teach them best practices and encourage them to use those practices both at work and home. If the behavior feels easy and becomes natural, the employee might be a security advocate to their coworkers, family and friends—and feel confident about naming that new puppy after a childhood street address.
For more insights into how strong passwords and account management can help your organization, consider these free password awareness kits created for World Password Day Awareness and the upcoming Cybersecurity Awareness Month.
Subscribe to the Proofpoint Blog