On Premises Security

Password Best Practices: Do’s and Don’ts for Your End Users

Share with your network!

The first Thursday in May was declared World Password Day, and it is the perfect day to remind your end users about password best practices and to let them know that weak, unimaginative and easy-to-guess passwords like “123456,” “qwerty” and … well … “password” are poor options for securing accounts and devices. With phishing and stuffing attacks on the rise—and the fact that countless passwords have already been exposed through data breaches—the need for users to step up password management best practices at work and home has never been more urgent.

Intel started World Password Day in 2013 to help raise awareness about the role strong passwords play in securing our digital lives. Nearly a decade later, it’s clear that there’s still much progress to be made. Research for the “2022 State of the Phish” report from Proofpoint found that only 30% of working adults use a unique password for each account. And those who are reusing passwords across accounts, and probably devices as well, are only increasing the attack surface for their organizations and themselves.

The rapid expansion of remote work during the pandemic has helped bring to light another password management bad habit that is ratcheting up security risks for users and businesses: unsecured Wi-Fi networks. Less than two-thirds (60%) of working adults surveyed for the “2022 State of the Phish” report said their home Wi-Fi network is password-protected. And 34% of respondents reported that they haven’t adjusted their Wi-Fi network’s security settings because they simply don’t know how to.

Improving password best practices matters (a lot)

Poor password management creates unnecessary risk for your users and your organization. To underscore the potential risk to your business, simply consider that 77% of working adults responding to our survey for the “2022 State of the Phish” report admitted that they use employer-issued electronic devices for personal purposes, such as checking email, reading news stories, shopping online, and viewing and posting on social media channels.

Equipping your users with password best practices, information, and skills that will enable them to become more diligent and vigilant about password protection and management, can help your organization significantly reduce the risk of data loss and account compromise. You can prevent attackers from gaining easy access to sensitive data or critical information. And you can stop data breaches from spreading across multiple accounts that share passwords.

As a starting point for improvement, try sharing this list of do’s and don’ts with your users to help them improve their approach to password setting for their devices and accounts. Let’s start with the “do’s”:

  • DO use multifactor authentication (MFA); if MFA isn’t an option for the account, use a password manager.
  • DO change all passwords at least twice a year. (Note: It’s best practice to change business passwords more often: every three months.)
  • DO increase the complexity and length of each password to create stronger passwords.

And here are a few password management “don’ts” to keep in mind:

  • DON’T use easy-to-guess passphrases, such as those that include common words or phrases, or names or dates associated with you or your direct family members. (That includes the names of your pets!) Also, avoid using anniversary dates, birthdays, and other details that many of us post on social media platforms all too often.
  • DON’T reuse passwords across multiple systems or accounts.
  • DON’T record passwords on paper.
  • DON’T share passwords — not with your family, friends or coworkers

Help end users build better security habits

As security professionals, we live and breathe security, so best practices and risks are always top of mind. But our users are different: They need constant reminders and education. We can help them by:

  • Providing more frequent training with bite-sized learning content; this approach is much more effective than completing a 30-minute-long training module once a year.
  • Communicating why it’s important to follow best practices that will help keep the organization — and them — safe.
  • Engaging them with security topics that are relevant and making training memorable by tying it to special events, such as tax season, holidays and Data Privacy Week.

These efforts are well worth the investment because even small behavior changes by end users, like not writing down a password on a sticky note and adhering it to their computer monitor, can significantly minimize your organization’s security risk. After all, research shows that 85% of data breaches involve the human element.

So, be sure to use the opportunity that World Password Day provides to raise security awareness with your users and educate them on password best practices to help set them on course to become password management masters.

Get started with these helpful resources

Download the “Beyond Awareness Training” e-book from Proofpoint to learn more about how to change user behavior and build a sustainable security culture in your organization.

Also, try our Security Awareness Training Content. Proofpoint provides samples of our most popular training and awareness series here. This content is designed to keep users entertained, engaged and informed about the latest threats — and help them embrace their role as defenders in your organization.

Strong passwords are key to preventing breaches and data loss. Educate your people on password best practices with our Password Awareness Kit.