Enforce Strong Password Hygiene

Learning Objectives

After completing this unit, you’ll be able to:

Define strong password hygiene.
Explain how password managers protect passwords.

Use Strong Password Hygiene

Password hygiene is as crucial to your internal organizational systems as it is for the credentials you use to access your email, calendar, and other work-related applications. No matter how well an enterprise protects itself against external dangers, passwords still present security threats. This is why you should require users to have unique credentials for all databases and systems they access.

Password risks include using weak passwords, reusing passwords, and improperly handling credentials by faulty storage or encryption (using an algorithm to scramble, encode, and protect). One way to implement strong passwords is to use a password management tool.

Strong password hygiene involves two parts: using unique strong passwords on every service you access, and storing those passwords where they are protected. Let’s review some best practices to keep your passwords secure.

Use Unique Strong Passwords

Use strong passwords on every service you access. It is especially important to take care not to reuse passwords. It’s tempting to reuse passwords or to use passwords that have only minor variations, because maintaining long and complex passwords across several accounts can be tedious. However, reusing passwords is a practice that leaves your organization vulnerable to breaches.

If you reuse passwords, even with minor variations, hackers who obtain the password to one account can then gain access to your other accounts. A number of major security breaches have occurred this way that have affected organizations across a variety of industries, leading to breaches of employee social media accounts, customer bank accounts, and even national security systems. A password manager is a great way to minimize this risk.

Use a Password Manager

While it’s crucial that you set strong passwords, it’s just as important that you guard the secrecy of those passwords. Strong, unique passwords are difficult to remember, so it can be tempting to keep hard copies of your passwords. Unfortunately, this practice can lead to serious security compromises, because hard copies can be exposed, especially in open-plan offices. Next time you’re tempted to write your password on a sticky note or in a notebook, think again!

You may see the term "password hygiene" which refers to following password best practices. Strong password hygiene helps prevent your systems from being breached by attackers. The easiest way to ensure that you’re using strong passwords for your accounts, and that you’re not repeating them, is to use a password manager. Most password managers have randomized password generators built right in, and they collect usernames and passwords in real time. They store these usernames and passwords in a secure database, which means you don’t have to remember a different, strong, unique password for every website.

A laptop in a bubbly bathtub with water streaming out of the shower representing password hygiene.

Your organization may provide a password manager for you, but even if they do not, you can still choose one for yourself. Password managers securely save your sites, manage your logins, generate random passwords, and store them in a secure database without requiring you to memorize complex, strong passwords for every service you use.

What Can and Cannot Be Stored in a Password Manager

While password managers are a great way to implement strong passwords, you must take care not to use them for system administrator or privileged accounts. For privileged accounts, use a vault or privileged key management system that encrypts your secrets.

Follow these best practices when using a password manager.

Match the complexity of your master password to at least the most complex password stored within the password manager.
Choose a master password for your password manager that has at least 16 characters and includes items from these categories: uppercase letters, lowercase letters, numbers, and symbols.
Use a passphrase. A passphrase is a sentence-like string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack. You can add spaces, replace letters with special characters or numbers to increase security even further.
Set your password manager to use multi-factor authentication (MFA) for login.

Add Defenses with Multi-Factor Authentication

Many organizations have moved to MFA for identity verification of users before allowing access to systems. Three types of factors can be used to authenticate: 1) something you have, 2) something you know, or 3) something you are. MFA requires you to authenticate using at least two of these three factors.

For example, when you log in, you can use MFA to verify your identity with something you know (like your password) and something you have (like an application on your phone, or a hardware token). Implementing MFA can protect against password attacks, such as phishing attacks, which aim to gather credentials in order to gain unauthorized access to the victim’s computer. When using MFA, even if an attacker is able to compromise your password, they still need access to a second factor, such as your phone, or your hardware token, to compromise your account.

Be sure to always use MFA to access your password manager which provides the greatest level of protection to all the secrets stored there. Different password manager systems require different authentication methods. Those can include a software-based authenticator like Google Authenticator, a hardware-based authenticator like YubiKey, or other methods, like biometrics.

Now that you understand how to protect your personal passwords, let’s take a look at how to protect your administrator credentials.

Enforce Strong Password Hygiene

Learning Objectives

Use Strong Password Hygiene

Use a Password Manager

Add Defenses with Multi-Factor Authentication

Resources