Security Basics: Password Best Practices

August 07, 2017

As a company that regularly performs security audits, we have spent a lot of time reviewing the security policies and practices of other companies. Cybersecurity can be a very complicated topic, which is why it’s surprising how often we find that one of the most basic security controls isn’t properly used: passwords.

Your company can spend thousands upon thousands of dollars investing in the latest and greatest security features, but it will all be for naught if employees aren’t following password best practices. The following are the basic steps you and your employees should be taking to make sure that poor password use doesn’t lead to a security breach.


What Are the Key Components to a Good Password?

A good password should be 12-15 characters in length and include at least one capital letter, one lowercase letter, one number, and one symbol (!, @, #, $, etc.). Avoid bunching your special characters together at the beginning or the end of your password. Instead, sprinkle them throughout the password.

It’s also best if your password is a random assortment of alphanumeric characters rather than a word. Many security experts recommend creating a phrase that corresponds to your password to help you remember complex combinations. For example, the password “4Bw28StF3#A!” could be remembered by creating a phrase in which one word represents each character (Four brothers went to eight stores to find three pounds of apples!). The phrase doesn’t have to make sense. It just has to be memorable.


How Often Should You Change Your Passwords?

This is going to depend on what the password is being used for. Change passwords for places where valuable personal information is stored (bank accounts, email accounts, etc.) more frequently than passwords for places of lesser importance. Your workplace should have a policy in place that states how often passwords need to be changed. It’s common for passwords to last anywhere from 3-6 months.

If you’re trying to determine how often to make your employees change their passwords, make sure the time frame isn’t too short. If employees are forced to change their password every month, many will quickly stop trying to come up with secure passwords.


Don’t Repeat the Same Username/Password Combination

Too many people (myself included) get in the bad habit of using the same username and password combination for multiple different sites. The more places where you use the same combination, the more vulnerable and less effective your password becomes. This is because a password is only as strong as the weakest site you trust it to.

You’ve probably noticed how often security breaches are in the news. In the past few years, some big brands such as Target, Sony, and Yahoo have lost personal data for millions of their users. If a website that holds the username and password you use in multiple places gets compromised, hackers can then try that combination across various other sites, putting even more of your personal information at stake.
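The two checks this post describes, the composition rules from the “Key Components” section (length, character classes, symbols not bunched at either end) and the reuse problem from this section, as an added example written for this page and not code from the original post. It assumes a minimum of 12 characters, treating the upper end of the 12-15 range as guidance rather than a hard cap, and the site names and passwords are constructed sample values.

```python
import string
from collections import defaultdict
from typing import Dict, List

# The post's target range is 12-15 characters; the upper figure is treated
# here as guidance rather than a cap (assumption made for this example).
MIN_LENGTH = 12
SYMBOLS = set(string.punctuation)


def symbols_are_bunched(password: str) -> bool:
    """True when every symbol sits in the leading or trailing run of symbols,
    i.e. none is sprinkled through the middle as the post recommends."""
    has_symbol = any(c in SYMBOLS for c in password)
    core = password.strip(string.punctuation)  # drop leading/trailing symbol runs
    return has_symbol and not any(c in SYMBOLS for c in core)


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    elif symbols_are_bunched(password):
        problems.append("symbols bunched at the start or end")
    return problems


def find_reused_passwords(credentials: Dict[str, str]) -> List[List[str]]:
    """Group site names that share one password: the reuse this section warns about."""
    by_password = defaultdict(list)
    for site, password in credentials.items():
        by_password[password].append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ["4Bw28StF3#A!", "Password1234!!", "short1A!"]:
        print(pw, check_password(pw) or "OK")
    sample_vault = {"bank": "4Bw28StF3#A!", "email": "Summer2017!!", "forum": "Summer2017!!"}
    print(find_reused_passwords(sample_vault))
```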