
Do You Practice Good Password Hygiene?

(October 2020) Most people understand the basics of good personal hygiene — wash your hands, cover your face when you cough or sneeze, and so on. When it comes to good password hygiene, however, recent research indicates that we still have some work to do.

Poor password practices continue to be the leading contributor to cybersecurity incidents. More than 80 percent of all confirmed data breaches can be traced to compromised passwords, according to Verizon’s 2019 Data Breach Investigations Report. Research indicates phishing attempts and password hacks have increased by upwards of 300 percent since millions of Americans began working from home.

Password fatigue is part of the problem. The average person has between 70 and 80 unique passwords, according to new research from NordPass. Password fatigue encourages a range of risky practices intended to make passwords easy to remember (but also easy to guess). The NordPass study found that hackers can crack around 70 percent of the most popular passwords in less than a second.

Malicious hackers have invested significant time and effort into analyzing data from security breaches. This data often includes not only sensitive personal information but also lists of passwords. Using this trove of harvested information, the “bad guys” have been able to fine-tune their attack methods to focus on commonly used passwords. Cybersecurity researchers have also analyzed this information, allowing the “good guys” to gain valuable insight into the password habits of users across the world.

Password length and complexity play a significant role in how quickly a password can be compromised. For example, of the 30 most used passwords, none were more than 10 characters in length or considered complex, and all could be cracked or guessed in three minutes or less.

Password reuse is another problem. If an attacker obtains your credentials for one site or service, they will most likely try them on your corporate network, email, banking site, or other high-value targets.

Following are some best-practice recommendations that can help you minimize the risk of compromised passwords:

Implement an education program. Consistent training and education programs reinforce the need for employee diligence. Training materials should include information on common cybersecurity mistakes employees make and how to avoid them.

Create a password policy. Have a written policy describing specific rules employees should follow — but remember the human equation. If the policy is too stringent, employees won’t follow it. Strike a balance between security and ease of use.

Encourage and enforce the use of strong passwords. Passwords should include special characters, numbers, upper- and lowercase letters, and even misspelled words to make them more difficult to crack. Passphrases of at least 15 characters are even better. Consider requiring passphrases for administrator accounts.

Never share passwords. Research shows that organizations commonly share passwords with third-party partners, contractors, and colleagues. While that may streamline workflows, it is a risky practice — particularly for administrators who have access to systems and applications.

Don’t reuse passwords. Create a unique password for each account, app, or service. Otherwise, a breach of one system can result in other accounts being compromised.

Use multifactor authentication. Requiring users to present two or more pieces of identifying evidence helps ensure systems remain protected even if a password is compromised.

Delete old accounts. It’s a good idea to occasionally take stock of systems, applications, and services no longer in use. Deleting old accounts and the associated credentials can help keep credentials from being exposed in a breach.

Use a password manager. Password managers allow users to create and store unique passwords for all their accounts. Most work by encrypting a list of passwords with a single master password that only the user knows. The best tools also include a built-in password generator that ensures passwords are complex, difficult to guess, and changed frequently.
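To show how the strong-password recommendation above can be enforced at account-creation or password-change time, here is a small policy checker. It is an added example, not code from the article or from Mainstream Technologies; the denylist, the 12-character minimum for shorter complex passwords, and the three-of-four character-class rule are assumptions, while the 15-character passphrase threshold comes from the article.

```python
import re
import string

# Constructed denylist for this example. A real deployment would load the
# published lists of most-used or breached passwords the article refers to.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "iloveyou", "welcome1"}

PASSPHRASE_MIN = 15   # the article's recommended passphrase length
PASSWORD_MIN = 12     # assumed minimum for shorter, complex passwords

def _classes(pw: str) -> int:
    """Count how many character classes (lower, upper, digit, special) appear."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)

def _normalize(pw: str) -> str:
    """Undo trivial tricks (case, digit/symbol-for-letter swaps) before the denylist lookup."""
    table = str.maketrans("0134$@!", "oleasai")
    return pw.lower().translate(table)

def check_password(pw: str, denylist=COMMON_PASSWORDS) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    # Catch "P@ssw0rd1"-style variants: normalize, and also try without trailing digits.
    if _normalize(pw) in denylist or _normalize(pw.rstrip(string.digits)) in denylist:
        problems.append("appears on the common-password denylist")
    if len(pw) >= PASSPHRASE_MIN:
        # Long passphrases are accepted without the character-class rule,
        # provided they are not just a few repeated characters.
        if len(set(pw)) < 4:
            problems.append("passphrase has too little variety")
        return problems
    if len(pw) < PASSWORD_MIN:
        problems.append(f"shorter than {PASSWORD_MIN} characters "
                        f"(or use a passphrase of {PASSPHRASE_MIN}+ characters)")
    if _classes(pw) < 3:
        problems.append("needs at least three of: lower, upper, digit, special")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("contains a run of three or more repeated characters")
    return problems

if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "correct horse battery staple", "Tr0ub4dor&3"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```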

Complex passwords may be inconvenient and cumbersome, but they remain an important first line of defense against a multitude of cyberthreats. Careless password practices, on the other hand, can create an enormous risk for you and your entire organization. Practicing good password hygiene is essential for maintaining your organization’s digital health. Mainstream Technologies offers a range of solutions and expertise to help secure and maintain your technology assets. Contact us today for more information.


Since 1996, Mainstream Technologies has established itself as one of the most respected technology companies in Arkansas. Our team of experienced technology professionals delivers a full range of technology services, including IT management and consulting, custom software development, cybersecurity, and data center services. With headquarters and data center facilities in Little Rock, and sales offices in Conway and Bentonville, Mainstream serves public- and private-sector customers across the United States.

Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile
