Skip to main content

Back to Blog

Rules for Effective Password Protection

In the current business landscape, the largest threat to an organization is a data breach. Data breaches end up costing businesses a significant amount of lost time and revenue and can lead to a loss in consumer confidence for the business as well. So then, what is the largest reason leading to a data breach? According to Verizon’s annual report, it is overwhelmingly due to stolen or weak passwords, which many organizations overlook, in favor of more traditional edge and endpoint security practices. Adopting good password hygiene practices is one of the easiest and most effective ways to stop these costly data breaches. Below we offer the most effective ways for any organization to improve their password protection policies.

One of the largest weaknesses in the security of an organization is the people internal to the organization. Most of the time these people are not acting maliciously but create a security risk for the organization due to negligence. Tools and training exist to combat this negligence by educating users about risks such as the dangers of phishing emails and social engineering attacks. By teaching users about common attack techniques, they will be better equipped to identify the warning signs of an attack and eliminate the vulnerability that arises through negligence.

  • Long Passphrases Are Better Than Passwords

One of the easiest ways to immediately improve password protection is to require your users to create passphrases rather than simply use passwords. The longer a passphrase that users create, the harder it becomes for hackers to brute force a user’s account. Doing things like simply substituting letters for special characters is no longer viable for protecting a password with the tools that hackers have at their disposal. The newest recommendations from NIST show that creating passphrases up to 64 characters in length are far more effective against brute forcing than a complex password with numbers and special characters will be.  Many users must create multiple passwords to carry out their daily activities and often rely on password saving features in web browsers to make it easier to carry out their day-to-day routines. Allowing them to create long passphrases that are easy for them to remember will eliminate the risk of them simply creating a shorter complex password that will be easier for a hacker to crack and ultimately lead to a data breach.

  • Passwords Should Only be Changed When Needed

Forced periodic changes of passwords are problematic for businesses. One of the main reasons is that users tend to just reuse the same password, only altering it slightly, usually by doing things like changing one letter or number in the password. This makes it easy for hackers to guess new passwords if they have somehow gotten ahold of an old password. The other problem with frequent password changes is that it makes it far more likely that a user will physically write down their password to remember what the new password is. This is obviously a major security risk and something that should be averted at all costs. Best practices according to NIST are to only force users to reset their password if the password has potentially become compromised.

  • Implement Blacklists of Common Passwords

Most hackers will start an attack by trying to guess the easiest and most commonly used passwords based off of databases they have at their disposal. A best practice for organizations is to create a blacklist of these commonly used passwords; therefore, whenever a user attempts to create a new or weak password and it matches anything on the blacklist, it is immediately blocked.

  • Lock Accounts After Failed Login Attempts

An additional step to take is to create user accounts with a set number of failed log-in attempts for the account. This way if a hacker does attempt to brute force a weak password, the account will be immediately locked once the threshold for failed log-ins is reached, and they will be denied any access.

Adding multi-factor authentication is a well-proven way to prevent unauthorized access to user accounts. To achieve the greatest level of security through multi-factor authentication, organizations should layer as many different layers of authentication as possible. There are three common factors for authentication: Something you know, something you have, and something you are. “Something you are” has typically been the hardest form of authentication to implement. It is becoming more common with improvements in technology since it tends to require things like biometric scanners, which are now commonplace through the use of fingerprint scanners on mobile devices. “Something you know” and something you have are easy to implement. “Something you know” is the easiest and most common form of authentication since it will be a user’s username and password. Something you have can be deployed now as a code sent to your mobile device or a physical USB token held by a user. Requiring multi-factor authentication before users can access critical infrastructure is a great way to reduce the risk of a data breach.

  • Utilize Password Hashing

Ensuring passwords are hashed is a great way to prevent a data breach. Organizations will want to avoid enabling any sort of reversible encryption for their passwords as these can lead to serious consequences if a hacker gains access to the password database where they could then easily crack any of the passwords. Password hashing should be combined with non-reversible end to end encryption so that passwords are kept secure while in transit through the network. Organizations should also avoid ever storing their passwords in a plain text file since this will give hackers access to all of their passwords in the event that they ever gain access to the file.

  • Privileged Users Require Additional Protections

Privileged users have access to the most sensitive data within an organization. There are multiple actions that can be taken to provide an extra level of security for these accounts. One thing to consider is adding an addition login URL just for these users. It is also good practice to give those accounts only one single sign on attempt and lock the account if the login fails.


Password security is an important and critical aspect of any organizations security policies. Stolen and weak passwords are the most common cause of data breaches, but with good password hygiene practices, these costly and time-consuming breaches can be avoided.