password best practices

Password Best Practices: The Frontline of Data-Security

Cyber-criminals have been known to target everything from your business infrastructure to employees themselves, but one of the most common and easy targets are passwords.

In fact, according to a study from Verizon, approximately 80% of hacking-related breaches involve credentials that were stolen or reused, and small to medium-sized businesses (SMBs) were targeted in 43% of all data-breaches in 2019. 

You certainly don’t want cyber-criminals to gain access to your private business data; if your company also handles private user information, a data breach could leave a lasting dent in your reputation and a wave of lawsuits to deal with.

For some businesses, according to a study from InsuranceBee, the added repercussions are simply overwhelming, with 83% of SMBs reporting a lack of sufficient funds to endure this kind of disaster.

With all of this in mind, the key to having a strong front line of defense for data breaches is to employ password best practices, across your organization. 

While secure passwords are indeed a key component of cybersecurity, they shouldn’t be considered the end-all-be-all. 

Password security is a subset of cybersecurity, and like other forms of cybersecurity, its best practices ought to be embedded in your company infrastructure and policies as a surefire way to mitigate individual mistakes. 

If you were to Google “password best practices,” you would, unfortunately, discover a lot of out of date advice. 

But here, you’ll learn the latest details you need to know to keep your business safe in our increasingly data-driven world. 

Common Types of Password Security Attacks

intruder hacking into devices

Before we bring you up to speed on password best practices, it’s important to understand the tactics you’re defending against. 

So let’s take a look at the most common password security attacks.

Phishing Attacks

These attacks have been a primary method of breaching password security since the 1990s. 

The primary goal of a phishing attack is to get your personal information. Hackers may also use this attack to install malware and or a backdoor on your device, often for the purpose of ransoming your personal data or your organization’s data.

What makes phishing attacks particularly tricky is that they try to mask themselves as legitimate emails from legitimate sources. 

For example, you might see an email that appears to be from Microsoft, and the only way to tell that something is off is by:

  1. Noticing a small instance of incorrect spelling and grammar.
  2. Closely inspecting the source of the email to verify its legitimacy.

This is often the most obvious sign of a phishing attack because many of these attacks come from overseas and the cyber-criminals don’t have full command of the English language.

Brute Force Attacks

A brute force attack is when a cyber-criminal attempts to breach your password security by attempting to log in over and over again with different guesses.

This is done using a program to auto generate likely passwords, then repeatedly try each password in their list in rapid succession – sometimes thousands of times per minute. 

There are three different types of brute force attacks: 

  1. Sequential Attack — This is when the attacker goes through various character/number combinations one by one. The attacker might literally enter a sequence of numbers like “1111111” and then “1211111,” and so on. The longer your password, the more time consuming and difficult this method becomes. 
  2. Dictionary Attack — When the intruder tries to break through your password security using a “dictionary list” of common words and/or phrases relevant to your organization. They may also use password caches, i.e, a database of already captured passwords from previously breached systems.
  3. Rainbow Tables Attack — Think of a rainbow table as a large dictionary full of pre-calculated hashes and the passwords they were calculated from. It’s similar to dictionary attacks, except much faster because, while dictionary attacks are optimized for commonly used words and phrases, rainbow table attacks are optimized for commonly used passwords. 

In general, brute force attacks are far less effective than they used to be. This is, in part, because most systems limit the number of password attempts allowed in a given session, and brute force attacks may require millions of attempts to be successful. 

Traffic Interception Attacks

Traffic interception is when the attacker uses a tool like Aircrack-ng or Airsnort to intercept their victim’s wireless data. Once they gather enough data packets, they’re able to break your network encryption and decipher your traffic – including plain text passwords.

Social Engineering Attacks

Remember early in the article when we mentioned that cyber-criminals might target your employees directly? The official name for this is social engineering. 

To put it plainly, this is where the intruder tries to schmooze information from you or your employees. These attempts can be made in emails, over the phone, and even in person. 

Mitigate the risk of social engineering attacks by making sure that the person requesting password information is legitimate. 

If someone says they need the password to something and they claim to be IT, it’s probably an attack because if someone from IT really needed your password, they could just reset it themselves.

Man in the Middle (MITM) Attacks

A man in the middle or MITM attack occurs when the attacker puts themselves in between the communication of a client and their server. 

Let’s say you have an employee who’s using a work laptop and attempts to connect to your server’s through Wifi. 

When the laptop sends a request to connect, it might turn out that a legitimate looking WiFi network was actually a spoofed one created using a WiFi pineapple to intercept the signal and respond to the laptop as though it were the trusted WiFi access point.

Thus, any data meant to be communicated to the server will actually go first to the attacker, including any plain text password information.

The “man” doesn’t necessarily have to be in the “middle” with these attacks. The man could in fact be a malware proxy that was installed on your computer, and the signal could be intercepted at any point in the communication, not just the mid-point. 

Keylogger Attacks

This method of attack is straightforward. It’s when a keylogging software literally saves a log of all the physical keystrokes that you type into your keyboard. 

This is then sent back to the attacker and examined for passwords and other information. 

Best Practices for Strong Password Security

current password security best practices

Now that you’re familiar with the most common forms of password attack, let’s review the current password best practices together so that we can all better protect ourselves and our organizations. 

General Password Security Best Practices

  • Blacklist Common Passwords — A simple way to mitigate the risk of someone guessing your passwords is to blacklist commonly used password choices. This way, employees have no choice but to create non-standard passwords for their accounts that are less likely to be broken through brute force. 
  • Account Lockout — Another way to prevent brute force attacks from succeeding is to lock accounts after a certain amount of password attempts are made. Try to aim for 5-10 attempts before activating the account lockout. 
  • Change Passwords — Make it a requirement in your organization that employees must change their passwords if they suspect their current passwords to be compromised. 
  • Check Password Strength — The National Institute for Standards and Technology (NIST) suggests vetting potential passwords with tools that will test their strength. Many organizations offer tools for this.
  • Recommended Password Length — We recommend making your passwords at least 12 or 16 characters in length. 12 characters gives you over three sextellion possible character combinations, and 16 gives you even more. For even greater protection, consider going anywhere up to 64 characters.
  • Use Single Sign-On (SSO) or Password Manager Applications — SSOs connect you to your business’s various systems and applications so that you only need to remember one password. They’re easy to set up and also streamline the onboarding and offboarding of employees. Popular SSO applications include LastPass, Keeper Business, and OneLogin, just to name a few. 
  • Check for Plain-text — Plain-text passwords make it easy for traffic interception attacks to succeed in stealing your private information. To prevent this, do a periodic check for plain-text passwords in your employee files.
  • Implement multi factor authentication (MFA) — MFAs only grant you access to an application after you showcase two or more pieces of evidence that you are the correct user. This is an effective way to keep hackers from getting into your accounts. When Google sends you a specific code to submit before letting you into your account, you’re witnessing a solid MFA in action.
  • Set a standard Password Reset Time — Have your employees reset passwords once every 90 days. This is incredibly important for your SSO password, which could grant a hacker access to all your applications. Some people suggest changing passwords every 30 to 60 days, but we think that’s a bit overkill.
  • Use Alphanumeric Passwords — A simple way to generate complex passwords is to compose them out of alphabetic (uppercase and lowercase) and numeric characters, in addition to special symbols. Alphanumeric passwords built into long phrases are especially secure. 
  • Password Hints — Some login systems allow you to enter a password hint, like your mother’s maiden name or the model of your first car. We suggest avoiding passwords hints in general since many personal details can be scraped off your social media profiles. If you do use them, make sure the hint information isn’t easily accessible.
  • Keep Passwords Private — Last but not least, make sure that your employees know not to share their passwords with anyone, including IT staff. 

Protecting Against Phishing Attacks

One way to prevent these attacks is to conduct phishing tests, a service that often comes with auditing and compliance services from your managed service provider (MSP). 

We’ve done these tests for many companies to gauge their vulnerability for phishing and other cybersecurity threats; our findings tend to be very eye opening regarding the number of employees that get duped into clicking unknown links or sharing login details. 

Protecting Against Brute Force Attacks

Remember to follow the recommended password length of at least 12-16 characters whenever possible and keep in mind that your passwords must not be dictionary words or commonly used phrases, which are easy to guess. 

For added protection, you can also limit logins to your business’s specified IP address or range, which is also known as geolocation restriction. Keep in mind, however, that remote workers or employees who need on the go access may be limited by your geolocation restrictions. 

We mentioned limiting the number of login attempts earlier, but you should also restrict the amount of time allowed between attempts. 

For example, if someone tried to hack into your account 5 times, you would lock them out of the login system, and they wouldn’t be able to try again for another hour. 

This drastically increases the time it takes to break in brute forces – sometimes the difference between days and years.

Protecting Against Traffic Interception Attacks

The easiest way to defend against this form of attack is to make sure that all your data is encrypted using current encryption standards. . 

Ensure that you’re using the latest versions of transport layer security (TLS) and secure socket layer (SSL) for your emails and other logins. 

Protecting Against Social Engineering Attacks

Protecting against social engineering attacks can be difficult, especially since they can occur in-person without you or your employees even realizing it. 

Outside of doing your best to verify the credentials of someone in an email, on the phone, or in person, one of the best things you can do is to educate your staff on the subject. 

Kevin Mitnick, a former hacker turned cyber-security consultant, has many useful resources that you could share with your employees, including his book The Art of Deception.

Your organization should also implement an internal IT reset policy to verify the identity of IT administrators requesting a password reset. This ensures that you’re actually resetting verified user accounts and not giving them ongoing access. 

And remember: never reveal your passwords or login credentials to anyone outside your organization. You should still be cautious of internal sharing as well.  

Protecting against Man in the Middle (MITM) Attacks 

An easy way to counter MITM attacks is to make sure you’re using up to date SSL and TLS software. Having strong encryptions on your access points will also mitigate the risk of this attack. 

When you or your employees are working remotely, use a virtual private network (VPN). This creates a secure environment for private data from which you can access your local area network. 

Protecting Against Keylogger Attacks

Most anti-virus software mitigates the risk of keylogger attacks nowadays, but you can also use specially designed anti-keylogger software like SpyShelter

How to Protect Your Company from Phishing Attacks

protect against phishing attacks

Because over 80% of reported security incidents involve phishing, let’s dive deeper into the best practices for protecting against phishing attacks. 

Phishing is particularly troublesome because, unlike other cyber-attacks that try to break your password security, phishers just trick you into giving your details away. 

Stay Vigilant

Phishers can be sophisticated in their attacks. They may use real company logos and business emails to make their messages look safe and legitimate, but in these situations, the devil’s in the details. Check to make sure the email address is spelled correctly as Phishers tend not to be English.

Don’t click on any links or attachments in suspicious emails. If you really want to check to make sure a domain it mentions is legitimate, open up a separate browser and manually type it into the search bar. 

Malicious Pop-ups 

Pop-ups are notorious for housing viruses and scams. While some pop-ups are obviously dangerous, others may appear more legitimate. They may display a message about your computer being infected with malware and offering you a link or phone number for help. They may even mimic trusted sources.

To counter these threats, make sure you read the pop-up message closely. If you can’t find any misspellings, bad grammar, or unusual imagery and still doubt it’s legitimacy, simply run an antivirus scan. 

Phishing Tests

As mentioned earlier in the article, conducting a phishing test is one of the best ways to protect against this form of cyber-attack.

A phishing test is when your IT team or your managed service provider (MSP) creates fake phishing emails and webpages which are then distributed to your employees. This test would then reveal how many of your employees were successfully scammed, and you could then educate the affected employees to avoid this mistake in the future. 

Stay Up-to-date on Password Best Practices

multifactor authentication is great for protecting passwords

It’s unfortunate that as cyber-security has become more sophisticated, so too have cyber-attacks. For this reason, it’s important to pay attention to changes in this area.

One day there may be a new password security solution that trumps all potential threats, but until that day comes, keep your eyes peeled and make sure your employees are implementing current password best practices. 

To summarize: 

  • What Are Phishing Attacks? — Phishing attacks appear as emails or webpages that ask you for sensitive information. Their goal is to acquire personal information or install malware which could allow them to hold your data for ransom. 
  • Protecting Against Phishing attacks — Pay attention to suspicious emails and webpages, watch out for malicious pop-ups, and conduct phishing tests within your organization.
  • What Are Brute Force Attacks? — This form of attack is when the attacker attempts to break through your password security by making multiple guesses at your password.Protecting
  • Against Brute Force Attacks — Utilize geolocation restriction and limit the number of login attempts before system lockout activates. Also, restrict the amount of time allowed between attempts. 
  • What Are Traffic Interception Attacks? — This is when the attacker intercepts your data wirelessly to gather data packets. With enough data packets, they may be able to break through your data encryption. 
  • Protecting Against Traffic Interception Attacks — Make sure that your organization is using the latest transport layer security (TLS) and secure socket layer (SSL) software.
  • What Are Social Engineering Attacks? —  This form of attack involves the intruder trying to trick you or your employees into handing over sensitive information in emails, over the phone, or in person.
  • Protecting Against Social Engineering Attacks — Educate your staff about the tactics of social engineering attacks, implement internal IT reset policies, and never reveal your passwords to people outside your organization. Be cautious of internal password sharing.
  • What are Man in the Middle (MITM) Attacks? — MITM attacks occur when the hacker puts themself between the communication of you and your server to receive any data you would have sent to your server.
  • Protecting Against Man in the Middle (MITM) Attacks — Counter MITM attacks with up-to-date SSL and TLS software, and if employees are working remotely, make sure they’re using a VPN. 
  • What are Keylogger Attacks? — Keylogger attacks involve an attacker using keylogger software to log the string of keystrokes typed into your keyboard. 
  • Protecting Against Keylogger Attacks — Having up to date anti-virus software should protect your company from keylogger attacks, but you can also use anti-logger software.

Strengthen Your Front Line of Defence


strong password security in place 

Approximately 62% of SMBs lack the appropriate in-house skills needed to deal with cyber threats effectively. 

Given the growing prevalence of data-breaches, having proper cybersecurity in place is becoming as necessary for business as the internet itself. 

But if your organization has yet to implement these password security best practices, it isn’t a question of if you’ll experience a data breach, but rather when—that’s a concern that no employer should have to live with on a day-to-day basis. 

Our IT Security and Compliance Audit services take some weight off your shoulders, allowing you to dedicate less time worrying about threats to your password security and more time running your business.