Cyber Security Awareness Series
October is Cybersecurity Awareness Month, a perfect time to revisit one of your most important digital defenses: your password.
While there are increasingly more ways to log in without passwords, like biometrics, passkeys, and single sign-on, passwords haven't gone away yet. So when you need to set one, make it strong.
A strong password is your first line of defense against attackers. Yet passwords like "ABC123" or "password" remain surprisingly common, despite being laughably easy to crack. In this article, we'll explore why passwords matter and provide clear guidance on what to do and what to avoid.
Passwords are sequences of characters that grant access to computer systems or services. They serve as the initial barrier protecting your sensitive information from unauthorized access, separating legitimate users from potential threats. Strong password practices are essential components of any robust security strategy. The responsibility for strong passwords falls on everyone. A single breach can put an entire organization at risk. While protecting administrative passwords is crucial, even regular user accounts are attractive targets: they're often the entry point attackers exploit to eventually reach higher-privileged accounts.
The Don'ts
1. Don't use personal information in your password.
Attackers can use personal information like birth dates, ages, family and friends' names, anniversary dates, pop culture/sports references, and even pet names. In short, anything that can be tied to you personally is fair game. So ditch that password made of your favorite pet's name followed by your birth year, or your kids' names and ages.
Bad examples: Lucky2001, FootballBrady12, Angelia14oliver6
2. Don't write down your password or store it in an unprotected app on any device.
Anyone who is able to steal your device or hack it can easily open the notes app and find all your passwords. You should probably also shred the sticky note in your top desk drawer with the login you always forget. Use a password manager like Bitwarden.
3. Don't use the same password for all your accounts.
If an attacker figures out your password for one account, they have access to every other account that shares it. This is especially bad when one of those accounts belongs to the organization you work for, because your reused password becomes its liability too. As in the previous point, a password manager can help by generating a unique random password for each site, so no password is used anywhere else.
Bad example: Twitter: Matthew1993 / Bank account: matthew1993
4. Don't use words that can be found in the dictionary.
An attacker can use a dictionary program to guess your password. A password made of a single word is easy for you to remember, but just as easy for an attacker to guess.
Bad examples: Flamingo2, Blu3jays!
5. Don't use sequential numbers, the alphabet, or keyboard combinations.
Sequential numbers, the alphabet, and keyboard combinations are predictable. They are really easy to guess, and you aren't being "clever" by sliding your finger across a row of keys.
Bad examples: Qwertyu, 45678
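The five don'ts above can be turned into an automated policy check that an organization can run when a password is set. The following checker is an added example written for this article, not a tool from the article's author or from any password manager; it flags personal information supplied by the caller, single dictionary words (including leet-speak variants like "Blu3jays!"), sequential runs, and keyboard walks. The wordlist is a constructed stub and the 12-character minimum is an assumed threshold, since the article only says "longer".

```python
import re

# Constructed mini wordlist for this example. A real check would load a large
# list (ideally one built from breached passwords); none is bundled here.
COMMON_WORDS = {
    "password", "flamingo", "bluejays", "football", "welcome",
    "dragon", "monkey", "sunshine", "letmein", "lucky",
}

# Common letter-for-symbol substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

MIN_LENGTH = 12  # assumed policy threshold; the article only says "longer"


def normalize(pw: str) -> str:
    """Lowercase and undo leet substitutions ("Blu3jays!" -> "bluejays!")."""
    return pw.lower().translate(LEET)


def personal_info_hits(pw: str, personal_terms) -> list:
    """Return the caller-supplied terms (name, birth year, pet...) found in pw."""
    low, norm = pw.lower(), normalize(pw)
    return [t for t in personal_terms
            if len(t) >= 2 and (t.lower() in low or t.lower() in norm)]


def is_dictionary_word(pw: str) -> bool:
    """True if pw is a single wordlist entry padded with digits or symbols."""
    raw = re.sub(r"[^a-z]", "", pw.lower())
    deleeted = re.sub(r"[^a-z]", "", normalize(pw))
    return raw in COMMON_WORDS or deleeted in COMMON_WORDS


def has_sequence(pw: str, min_run: int = 4) -> bool:
    """True if pw contains a run of consecutive characters (abcd, 9876)."""
    low = pw.lower()
    for i in range(len(low) - min_run + 1):
        chunk = low[i:i + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if pw contains a slice of a keyboard row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            frag = row[i:i + min_run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def assess(pw: str, personal_terms=()) -> list:
    """Return the list of policy violations for pw (an empty list means it passes)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if personal_info_hits(pw, personal_terms):
        findings.append("personal_info")
    if is_dictionary_word(pw):
        findings.append("dictionary_word")
    if has_sequence(pw):
        findings.append("sequence")
    if has_keyboard_walk(pw):
        findings.append("keyboard_walk")
    return findings


if __name__ == "__main__":
    # The article's own bad examples, plus one of its good passphrases.
    for candidate in ["Lucky2001", "Flamingo2", "Blu3jays!", "Qwertyu", "45678",
                      "When I was your age, television was called books"]:
        print(f"{candidate!r}: {assess(candidate, ['Lucky', '2001']) or 'ok'}")
```

Every bad example from the article trips at least one rule, while the passphrase passes. In practice the wordlist should be a real breached-password list, and the personal terms come from the account's own profile (name, username, email local part) rather than being typed in by hand.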
The Do's
1. Do use a longer passphrase.
A long password is harder for attackers to crack, and long doesn't have to mean boring. You can pick a quote from a book, movie, or video game, or create your own phrase.
Good examples: "Hello, my name is Inigo Montoya. You killed my father. Prepare to die." or "When I was your age, television was called books"
2. Do use a random password.
You can use a password generator that is included with your password manager, such as Bitwarden. (Can you tell we like Bitwarden?) You can also come up with acronyms, abbreviations, code words, or even smiley faces if you are up to it.
Good example: c3N^pUN%RB*GbrPXa^9dp5ZYxbKNLo
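To put numbers behind "longer is harder to crack" and "use a random password", the following added example (written for this article, not code from the author or from Bitwarden) computes the entropy of a password in bits, converts it into an expected cracking time at an assumed guess rate, and generates passwords and passphrases with Python's `secrets` module. The wordlist is a constructed stub; the 7776-word size used in the estimate is that of the EFF diceware list. The estimates assume each character or word is chosen uniformly at random, which a famous film quote is not, so they apply to generated passphrases rather than quoted ones.

```python
import math
import secrets
import string

# Constructed mini wordlist. Real passphrase generators use lists of several
# thousand words (the EFF list has 7776); that size is used in the estimates.
WORDLIST = ["correct", "horse", "battery", "staple", "television", "inigo",
            "montoya", "prepare", "flamingo", "bluejay", "lantern", "orbit"]
EFF_WORDLIST_SIZE = 7776

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: each position adds log2(N) bits."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Same idea per word: a uniformly random pick from N words adds log2(N) bits."""
    return n_words * math.log2(wordlist_size)


def expected_guesses(bits: float) -> float:
    """On average an attacker finds the secret after searching half the space."""
    return 2 ** bits / 2


def years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time for an exhaustive search at the given rate."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 30, alphabet: str = PRINTABLE) -> str:
    """Use the secrets module (a CSPRNG), never random.choice, for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Random words joined by a separator; entropy comes from the list size."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e10  # assumed offline cracking rate in guesses/second, illustrative only
    for label, bits in [
        ("8 chars, lowercase only", charset_entropy_bits(8, 26)),
        ("30 chars, all printable (like the example above)", charset_entropy_bits(30, 94)),
        ("6 random words from a 7776-word list", passphrase_entropy_bits(6, EFF_WORDLIST_SIZE)),
    ]:
        print(f"{label}: {bits:.1f} bits, ~{years_to_guess(bits, rate):.3g} years at {rate:.0e}/s")
    print("random password:", generate_password())
    print("random passphrase:", generate_passphrase())
```

The comparison shows why the article pairs "longer" with "random": six words drawn at random from a large list give far more entropy than an eight-character password, and a 30-character generated password is out of reach of any brute-force search. The cracking rate is a placeholder; real rates depend on how the service hashes passwords, which is outside the user's control and one more reason not to reuse them.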
3. Do use a password manager.
Long, random passwords are hard to remember, especially if you are changing them every three months. Luckily we have password managers to help with that. Not only do they keep your passwords safe, they also support multifactor authentication, include password generators to help you create secure passwords, and store them in a secure vault.
Some recommendations: Dashlane, KeePass, Bitwarden (our favorite)
4. Do use MFA.
MFA stands for Multi-Factor Authentication. MFA is a security method that requires users to provide at least two forms of verification, such as a password and biometrics, a password and an authenticator app, or a password and a cryptographic key, to access a system or account. It enhances security by adding multiple layers of authentication to your account, making it quite difficult for an attacker to get in.
Authenticator app recommendations: Google Authenticator, Authy, Microsoft Authenticator
In conclusion, strong passwords are your first line of defense in the digital realm. They protect sensitive information and distinguish between authorized users and potential threats. Whether you're an admin or a regular user, everyone plays a role in ensuring strong security. So, choose your passwords wisely to safeguard yourself and your organization online.
Want to know how your organization's password practices hold up?
Weak passwords, credential reuse, and missing MFA are among the first things our team tests for during a penetration test. If you want to understand your organization's real exposure, reach out.