Password Strength Best Practices

A recent study by the National Cyber Security Centre (NCSC) in the UK found that millions of Brits are using their pet names for online passwords while 14% of the population are using a family member’s name, 13% a notable date, and 6% are still using “password.” For cybersecurity professionals, these results are very alarming, as hackers can easily obtain this information from social media and other sources containing personal information, making an account breach almost inevitable.  

Common Poor Password Practices to Avoid:  

1. Adding a letter or number to the end of an existing password (e.g., ACAaponix1, ACAaponix2, ACAaponix3, etc.) 
2. Reusing passwords 
3. Using easily predictable or personally identifying words (e.g., password1, summer2021) 
4. Writing passwords down 

Since passwords have become our golden ticket to accessing online accounts, it’s critical to create robust and secure passwords to prevent your susceptibility to an account breach. Modern hacking tools can cycle through every possible eight-character password containing mixed-case letters, numbers, and symbols in only a few hours. While remembering a unique password for each account is admittedly cumbersome at times from a user-perspective, it beats the alternative of facing and recovering from an account breach.  

Our cybersecurity professionals recommend the following best practices for creating and managing passwords to help protect your accounts from a cyber-attack:  

• Use passphrases consisting of randomly linked words of 15+ characters. 
• Include special characters, not just letters and numbers. 
• Do not use dictionary or personally identifying words, even when combined with a number. Avoid commonly used words like “password” and “welcome” or personal information such as your birthdate, hometown, or pet’s name.  
• Do not re-use or transform passwords, such as by adding a number to the end of an expired password. 
• Do not use the same password for multiple accounts. 
• Do not allow exemptions for password length or expiration, even for senior management and IT administrators. 
• Enable multi-factor authentication whenever possible. 
• Do not store passwords in an easily accessible location, such as a file on your computer or a note on your desk or computer screen. We have seen cases where stolen, unprotected password files from key staff members have resulted in financial losses for firms. 
• Use a password manager application to generate and securely store multiple complex passwords. 

If you have any questions about passwords or other cybersecurity measures, please contact us here.

Cybersecurity resources and best practices

Visit our cybersecurity resources and best practices center.