Good Password Hygiene

The average individual showers, brushes their teeth, combs their hair, and does their laundry. In other words, most people try to practice basic personal hygiene. This raises the question: if we're vigilant about keeping ourselves clean, why are we so lax when it comes to practicing good password hygiene? No, your health probably isn't going to suffer from a terrible password. However, your online privacy and security might.

Password hygiene is the practice of making your account passwords more difficult to guess and harder to crack. It is the set of rules and principles by which you keep yourself safe online. For businesses, this can be particularly important, as poor password hygiene puts a huge target on your back. The following are some tips on how to keep your passwords squeaky-clean.

Tip #1: Start with a strong password.

One of our previous blogs has excellent instructions on how to make a strong password. As a general rule of thumb, passwords should be both long and complex; that is, they should be 12+ characters and include uppercase letters, lowercase letters, numbers, and punctuation marks. Length matters more than any single rule about character classes: every extra character multiplies the work an attacker's cracking rig has to do, while a required digit or symbol tacked onto a dictionary word ("Password1!") adds almost nothing. Don't use easily guessed information or information that can be easily found through basic internet snooping, such as your birthdate, your pet's name, your child's name, your favorite sports team, etc. And don't use anything that already appears on a list of commonly used or previously breached passwords; those are the first guesses any attacker makes. Take a look at this list of passwords:

1) 123456
2) password
3) 12345678
4) qwerty
5) 12345
6) 123456789
7) letmein
8) 1234567
9) football
10) iloveyou

Have you ever used any of them? Change it. Right now. These are the top ten most used passwords of 2017, and using one of them is like leaving your front door key in the lock. It’s an invitation to walk right in.
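The rules above can be enforced instead of merely recommended. The following is an added example, not code from this blog: a small Python checker that applies the length and character-class rules, rejects anything on a blocklist (here just the ten passwords quoted above, embedded as a constructed sample; a real deployment would load a full breached-password list), and refuses passwords built from personal details the user supplies. It also undoes common substitutions, so that "P@ssw0rd2017!" is recognised as "password" rather than waved through as "complex". The reason codes and the `LEET_MAP` table are my own choices for illustration.

```python
import re
import string

# Constructed sample blocklist: the 2017 top-ten list quoted above.
# A real deployment would load a far larger list of breached passwords.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "letmein", "1234567", "football", "iloveyou",
}

# Substitutions people use to disguise a dictionary word ("P@ssw0rd").
# Illustrative table, not an exhaustive one.
LEET_MAP = str.maketrans("0134578@$!", "oleastbasi")

MIN_LENGTH = 12
MIN_TOKEN = 3  # personal-info tokens shorter than this are ignored


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols, undo leet-speak, so that
    'P@ssw0rd2017!' is compared against the blocklist as 'password'."""
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET_MAP)


def check_password(pw: str, personal_info=()) -> list[str]:
    """Return a list of reason codes; an empty list means the password passes.

    personal_info holds strings an attacker could look up (pet, child,
    birth year, team) that must not appear anywhere in the password.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in pw):
        problems.append("missing_upper")
    if not any(c.islower() for c in pw):
        problems.append("missing_lower")
    if not any(c.isdigit() for c in pw):
        problems.append("missing_digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("missing_symbol")

    # Compare both the raw lower-cased form and the de-obfuscated form,
    # so "123456" (all digits, normalizes to "") is still caught.
    variants = {pw.lower(), normalize(pw)}
    if variants & COMMON_PASSWORDS:
        problems.append("common_password")

    haystack = pw.lower() + " " + normalize(pw)
    for token in personal_info:
        token = token.lower()
        if len(token) >= MIN_TOKEN and token in haystack:
            problems.append("contains_personal_info")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    samples = [
        ("P@ssw0rd2017!", []),
        ("Fluffy1998!!", ["Fluffy", "1998", "Cowboys"]),
        ("Blue-Kettle-94-Orbit!", ["Fluffy", "1998"]),
    ]
    for pw, info in samples:
        print(f"{pw!r:26} -> {check_password(pw, info) or 'OK'}")
```

Note what the substitution step buys you: "P@ssw0rd2017!" satisfies every complexity rule on the page, yet it is rejected because it is "password" in disguise, which is exactly how a cracking wordlist with mangling rules would treat it.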

Tip #2: Change your passwords regularly, and immediately after a breach.

Changing your passwords may sometimes feel like a never-ending cycle. Scheduled rotation is still a requirement under some compliance regimes (PCI DSS, for example, has long required user passwords to be changed at least every 90 days), and it does shorten the window in which a stolen password stays useful to an attacker. But forced calendar-based rotation has a well-known downside: users respond with predictable patterns (Summer2018!, Summer2019!) that attackers guess easily, which is why NIST SP 800-63B advises against forcing changes on a fixed schedule and instead requires a change whenever there is evidence of compromise, such as a breach notification or the password turning up in a leaked list. So: change any password promptly when it may have been exposed, rotate on whatever schedule your compliance obligations require, and rely on MFA (see tip #4) rather than the calendar for the rest.

Tip #3: Don’t share passwords.

There are a few things under this umbrella. First, don't share accounts. The more people who have access to a single account, the more chances there are for the account to be misused, and a shared account also defeats MFA and destroys your audit trail: if it is misused, you're going to have a hard time identifying the perpetrator. Second, do not leave your password lying around, such as on a sticky note or piece of notebook paper, where someone else can read it. If someone physically gets into your workspace, they won't even need to put effort in to get to sensitive data.

Tip #4: Turn on MFA.

Turning on multi-factor authentication (MFA) can be a life saver. You are never 100% safe from cyber-attacks; despite your best efforts, someone may still obtain your password. MFA adds an extra layer of security to protect you in the event that one of your passwords is compromised, because the attacker then also needs something you have (an authenticator app, a hardware key) rather than just something you know. Not all second factors are equal: one-time codes sent by SMS can be intercepted or phished, so prefer an authenticator app or a hardware security key where the service offers one. We have another blog on what MFA is and why you need it here.

Tip #5: Don’t use the same password for every account.

This is probably the most inconvenient of all the tips. However, it may also be the most important. There will always be breaches, criminals, and hackers that come up with new ways to get your password. No matter how strong your password is, if you use it on every account you have, you're making it easy for someone else to completely take over your digital life. Attackers take the email-and-password pairs from one site's breach and replay them against every other popular service, an attack known as credential stuffing; if one account gets hacked, all of them get hacked, and you'll have a hard time recovering from that. Keep your passwords substantially different; if you can't remember them all, consider using a password manager, which will generate a long random password for each site and remember it for you. For information about helpful programs, scroll to the recommendations in this blog.
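What a password manager does for each new account is generate a fresh random string that is never reused. The following is an added example, not code from this blog or from any particular password manager: a Python generator that draws from the operating system's cryptographic random source via the standard `secrets` module (never the `random` module, which is predictable), guarantees every character class the page asks for without biasing the distribution, and reports how many bits of guessing work a password of that length represents. The function names and the default length of 20 are my own choices.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(pw: str) -> bool:
    """True if pw contains upper, lower, digit and punctuation characters."""
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length: int = 20) -> str:
    """Return a uniformly random password of the given length that satisfies
    every character-class rule.

    Rejection sampling (draw the whole string, retry if a class is missing)
    keeps the output uniform over all qualifying strings. Forcing "one of
    each class" into fixed positions and shuffling, a common shortcut, would
    skew the distribution and slightly reduce the attacker's search space.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random string: length * log2(alphabet).

    This is the right yardstick for machine-generated passwords; it does NOT
    apply to human-chosen ones, which are far more predictable than their
    length suggests.
    """
    return length * math.log2(alphabet_size)


def unique_credentials(sites, length: int = 20) -> dict:
    """Issue an independent random password per site, the way a password
    manager does, so a breach at one site reveals nothing about the others."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed sample list of sites for the demonstration.
    creds = unique_credentials(["bank.example", "mail.example", "shop.example"])
    for site, pw in creds.items():
        print(f"{site:14} {pw}")
    print(f"each password: {entropy_bits(20):.1f} bits")
```

Twenty characters from a 94-symbol alphabet is about 131 bits, comfortably beyond any offline cracking effort; a shorter 12-character string from the same alphabet is still about 79 bits. The practical point is the last function: because every site gets an independent draw, the credential-stuffing attack described above finds nothing to reuse.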

Password hygiene is your responsibility. Your IT administrators can put technical policies in place that enforce minimum lengths, block known-bad passwords, require MFA, and set expiration dates where compliance demands them, but no policy can force a user to come up with a good password or stop them from reusing it on a site the company doesn't control. Teach your employees the importance of password hygiene. Without the knowledge they need to make smart password decisions, you're setting them (and yourself!) up for failure.