How strong is your password? | Password management best practices

November 2, 2023

Although cybersecurity technologies are constantly developing, passwords remain one of the core elements of cyber defence. Passwords protect your business from data theft, ransomware, account takeovers, and many other threats that are constantly looming.

With the majority of business information now being stored digitally, it is vital that you know how to develop a strong password management strategy to add rigour to your information security and overall cyber hygiene. 

Data breaches

Data breaches are the most common and costly cybersecurity incidents for businesses worldwide. In the event of a data breach, sensitive, classified, and otherwise protected information is leaked without the knowledge or permission of the system’s owner. 

During the first quarter of 2023 alone, more than six million data records were accessed by unauthorised sources. While attacks may be caused by insiders with malicious intent, most data breaches are performed by organised criminal groups

Bad actors can access confidential data in numerous ways, with password theft being a popular route to take. Many end users do not practise the habit of designing unique, intricate passwords, making this a vulnerable point in a lot of personal and organisational security systems.

Common password attacks 

Password theft is a major risk businesses face daily when it comes to storing and guarding sensitive data online. Just over 80% of all data breaches occur due to password cracking. 

Hackers take advantage of weak and reused passwords, employing different techniques for cracking these codes:

  • Brute-force

Attackers can break into password-protected computers, networks, or IT resources by using automated bots that run a large number of possible passwords. This is known as a brute-force attack.

“Dictionary attacks” are a prevalent form of brute-force attacks, where hackers use software to systematically input almost every word in the dictionary into password fields to solve an entry key. Commonly used phrases and numbers that often replace characters are usually included in the tool’s dictionary, which can swiftly lead to cracking passwords. 

Many individuals use ordinary words to protect their accounts, so this approach continues to result in persistent cyber security infringements. 

  • Password spraying

If a hacker possesses a stolen list of usernames but does not yet have their correlating passwords, they may turn to a simple game of guessing, also known as password spraying.

Countless end users choose the same basic passwords, which hackers repeatedly guess correctly. Some of the most frequently applied passwords include: 

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 666666
  • 111111
  • 654321
  • 123321
  • 1q2w3e
  • default
  • qwerty
  • qwerty123
  • password 
  • qwertyuiop
  • iloveyou
  • abc123
  • 0

  • Phishing 

An attacker may steal passwords by tricking users into entering their information on a false login screen. Victims are usually lured into the trap via a fraudulent text message or email linking to the login page, which imitates a real site. 

Human error remains one of the greatest vulnerabilities to password security. It simply requires a momentary oversight to fall prey to a hacker’s scheme. 

  • Social engineering

Phishing falls under a greater class of cyber attacking known as social engineering. Social engineering manipulates people into authorising certain actions or disclosing confidential information without knowing they are being attacked. These cons are performed via email, text, or phone calls by scammers pretending to be high-ranking managers who may not be well-known to their employees on the ground.

  • Keylogging 

By tapping into a keyboard through malware, hackers can record the keystrokes and use the patterns they pick up to determine which ones might make up a person’s passwords.

  • Shoulder surfing 

When an attacker is physically able to look over your shoulder and watch you type out your passwords, they can steal your credentials with their eyes. 

This is why writing out passwords is also never a good idea, as your master document can be stolen by anyone with maligned intentions.

  • Default passwords 

Many hardware devices come with default login details that are no secret. If you have never changed the password to devices like your WI-Fi router, chances are a hacker will easily gain access to them. 

Password management in your business

Password policies consist of rules that improve password security and encourage your employees to create complex passwords that are safely stored and utilised. A robust strategy for password management is crucial to keep you, your employees, and your information safe. 

Learn how to generate strong passwords


Get yourself into the habit of practising password development that can stand against attacks by including each of these key elements: 

  • More than 9 characters (the longer the better - up to 16 characters is much safer today rather than sticking to the traditional “at least 8-characters” rule).
  • Combine upper and lower case letters.
  • Include a few numbers. 
  • Use less common special characters such as ]”{};?/|~,
  • Don’t include any words or phrases that are tied to personal information - stay clear of phone numbers, house addresses, pet or children’s names, and area codes, to name a few.
  • Avoid words that can be found in a dictionary. Use phrases with incorporated shortcut codes, acronyms, or number substitutions for more random strings of characters. 
  • Make use of password managers. These will help you generate irregular passwords and store them securely so that you won’t be tempted to write them down anywhere to remember them. 

Educate your team on password best practices 

Teach your employees about the importance of good password hygiene, covering how to identify phishing attempts, how to build strong passwords, why not to reuse them across sites, and when to change them. 

Highlight what a data breach could mean for the business and ultimately the livelihoods of your employees. Some people do not know about the dangers of being neverminded with password creation and would come onboard if they just had a better understanding of the cyber landscape. 

Implement random password changes 

In the past, organisations were taught to implement routine password changes, typically every 90 days. The issue with this policy is that hackers can pick up on the pattern and adjust their tactics accordingly. Employees end up getting frustrated with complex, ever-changing passwords and either begin to store them unsafely or default to simpler passwords which in turn open up weak points in the security system. Today, it is much safer to empower your employees to change their passwords on random occasions and to use password managers to store them. 

Use privileged access credentials 

Privileged passwords offer higher levels of access and permissions to accounts, applications, and systems that not all of your employees or even machine identities need. Contrary to personal accounts, privileged credentials should be regularly changed, sometimes even after every use to protect extremely sensitive data.

Change passwords when an employee leaves your company 

It is unfortunately not uncommon for former employees to misuse their access to a company’s networks, systems, and data for their own benefit or simply for revenge. To prevent insider attacks, be sure to perform a password overhaul when an employee leaves your business. This will make their user information null and void and keep your data secure from unexpected invasions. 

Apply password encryption 

End-to-end, non-reversible encryption protects your passwords even if they fall into the hands of a hacker. Encryption converts data into scrambled text, which is unreadable and can only be decoded via a special key. As passwords travel across the network, end-to-end encryption jumbles them, making them far more challenging to crack.

Enforce multi-factor authentication 

Multi- or two-factor authentication requires identity confirmation after inputting a password via a one-time pin sent to your mobile phone, answers to security questions (stay clear of inputting personal information!), or biometric identification. This means that guessing a password correctly would not get a hacker very far in gaining access to your data. 

Multi-factor authentication has become a standard for managing organisational resources. 

Audit your passwords regularly

Alongside training your staff on the importance of password security, you should routinely audit their passwords to confirm they are strong and cannot be found on dark web data breaches. Some employees may recycle old passwords simply to meet company policies. The danger of this, however, is that attackers may have guessed those passwords previously and added them to their dictionary of keys to try. 

Be vigilant and update security software

It won’t matter how strong your passwords are if a hacker is keylogging your keyboard activity. Be sure to install the latest versions of anti-malware and vulnerability management solutions to make it as difficult as possible for an intruder to come near your credentials.

Use a password manager 

Password managers are designed to help users generate high-strength, unique password strings which are stored in personalised, encrypted digital vaults. They can be accessed from any device and prevent employees from turning to easy, memorable passwords, reusing the same passwords across sites, and writing them down.

To protect password managers, users should create a master passphrase including all of the elements we listed earlier. The plus point is that there will only be one password to remember, so encourage your employees to make their key strong and to never share it with anyone. In most cases biometric authentication can also be added to layer the security of a password manager.

Passwords hold the key to most of your business’s indispensable data, so it is imperative to take password security and management extremely seriously. Work with your team to create a healthy culture of password hygiene and protect what you have built from malicious cyber trespassers. 

At ITRS, we help you build powerful cyber defences by identifying vulnerabilities in your current cyber security system, identifying cyber threats and their potential consequences, and assessing the overall risks involved. We are solution oriented and dedicated to preventing intruders from gaining access to your core intel at all costs. 

Contact us for more information and be sure to read up on our comprehensive risk management offerings to better understand how we can be at your service

Back to blogs
Three planes flying in formation

ITRS = Business - Risk ²

These powerful solutions can be tailored to meet the unique requirements of your business.
If you would like to learn more about how your company can benefit from a more agile approach, greater ease of use and flexibility, secure cloud infrastructure services from ITRS are the answer.

Get started today
Search Website