Security awareness

Lock It Down: Password Security Do’s and Don’ts

Susan Morrow
April 17, 2019 by
Susan Morrow

Introduction to Passwords

The first computer password was introduced for use at MIT in 1961. Of course, this isn’t human beings’ first dalliance with the idea of a password, but this isn’t a history lesson. What this means is that the pesky password is here to stay for a while. But a password is often the weakest link in a security chain. We both love and loathe our passwords, and our obsession and reliance on them show in some shocking usage statistics.

The fact is, passwords are handy. From a computer programming perspective, they can be a pretty easy way to add an access control method (assuming you take care of the security). From a user perspective, they are neat — you only need your memory and a way to input the characters into a computer interface.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Learn about breaking passwords

Discover key forensics concepts and best practices related to passwords and encryption. This skills course covers:

⇒ Breaking password security

⇒ Breaking windows passwords

⇒ Two-factor authentication

Start your free trial

The Password Conundrum

In recent years, the way humans use passwords and advice given by bodies such as the National Institute of Standards and Technology (NIST) has given rise to conflicting views on how best to implement the use of passwords. For example, five years ago, it was common practice to force the use of specific character types, case type and special characters when choosing a password. You’ll remember the prompts at password setup:

Must Include:

  • 1 upper case letter
  • 1 lower case letter
  • A number
  • A special character %!&

Although we still see these types of policies applied, those days of stringent password creation control are gone. In their Special Publication 800-63B, NIST now strongly suggests that you do not force password policies at all. This is sensible if you think about. If a hacker is looking at using a brute-force attack against a system, showing them the requirements of that system is like handing them a template to a key. As we have learned over the years, robust passwords are more than a combination of characters.

Many of us still continue to use poor passwords. SplashData compiles a “most popular passwords of the year” list. In 2018, as in previous years, “123456” and “password” remain the top two most used passwords.

We are now learning how to walk the password walk. Through experience, an understanding of human behavior and hacker techniques, we are now able to determine what will and won’t work in terms of password strength.

Strong and robust passwords are one thing, but password hygiene is a much bigger picture than the strength of a password. The harder a password is to remember, the more likely a person is to write it down on a piece of paper. In a study by Pew Research, they found that 49 percent of us write our passwords down on paper. Worse still, many of us share our passwords willingly. In a survey, 25 percent of IT Professionals admitted to sharing work passwords with colleagues.

Passwords, then, have become a bit of an Achilles heel. Passwords may be a simple way to control access to something, but they come at a price. We have to learn how to make all of these variables fit together. This includes the way we behave, the strength of the password and any technological augmentation available.

6 Password Do’s

1.  Remove the guesswork

    • Why: The case of the German student hacker who hacked the accounts of almost 1,000 politicians and celebrities and then released personal data onto Twitter demonstrates this well. The hacker used easily guessable passwords like “Iloveyou” to hack into the accounts
    • How: Use passwords that are not easy to guess. Try putting a phrase together made up of four random words. Then visualize it to help remember it

2.  Make it relevant to you

  • Why: Memorizing passwords means you are less likely to write them down. This removes a security gap
  • How: Visualize your password, e.g., guitar oxygen dog black — a black dog playing a guitar while wearing an oxygen mask

3.  Try a password manager

  • Why:
    1. They facilitate robust and varying passwords
    2. Help prevent phishing by recognizing spoof websites
    3. Create new passwords on your behalf
    4. Offer device sync of passwords
  • How: There are many password managers on the market, including free versions. It is a case of testing them out to find the one that suits you best

4.  Check the HaveIBeenPwned password checker

  • Why: Of the billion data records stolen, only 4% of them were encrypted. Password theft is behind 81 percent of breaches, according to Verizon’s Data Breach Investigation Report (DBIR). Juniper Research expects the level of data theft to rise by 175 percent to 2023. Javelin Strategy & Research have found that identity theft is on the rise, with 16.7 million U.S. citizens becoming victims of ID theft in 2017
  • How: This online tool allows you to check if your password has been stolen in a data breach. If it has, change it and do not use it again

5.  Turn on a second factor credential if available

  • Why: A second factor (also called multi-factor authentication) is another login credential used after you have entered a password. For example, a second factor might be a one-time code received on a mobile app or three letters of a passphrase or a biometric. Using a second factor adds an extra layer to help improve security
  • How: The use of additional factors for login are increasing. Popular online apps like PayPal and Gmail now support this extra factor. Enterprise apps like Office 365 and Dropbox also support multi-factor authentication

6.  Change default passwords

  • Why: When the Mirai botnet attack on the Dyn Web servers happened in 2016, it took down many Internet sites. The hackers hijacked IoT devices using default and easily-guessable passwords. Always change default passwords on IoT and other devices like routers!
  • How: Use the device or router setup instructions. They should tell you what the default password is and how to update it


Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

6 Password Don’ts

1.  If you must share passwords, do it safely

  • Why: Password-sharing is common practice. Research by Flashpoint found thousands of passwords shared in open Trello boards. We share passwords because it is just sometimes easier than logging in yourself to perform a task. But sharing passwords is very poor password hygiene. Even sharing with people you can trust is not a good idea
  • How: Keep your passwords to yourself. Never post passwords to any Cloud or other repositories, even if that repository is an internal resource. Also make sure that passwords in, for example, software configuration files are obfuscated or removed. If you must share passwords, do so using a password manager safe sharing facility

2.  “p@ssw0rd" is not more secure than "password”

  • Why: Cybercriminals love the obvious because it saves them work. Hackers also keep actively updated lists of commonly-used passwords and passphrases. The Collection #1 breach is the latest in a long line of breaches where passwords have wound up on the Dark Web for sale. The breach released around 22.2 million unique passwords into the hands of hackers
  • How: Avoid things like your name, song titles or the names of TV shows. Passwords like QWERTY and password1 are popular and well-known. If you use a password manager, it will help by suggesting a unique password. Don’t reuse passwords

3.  Avoid using browsers to create and manage passwords

  • Why: Browser-based password generators are convenient. They suggest a unique password when you sign up for an online account. However, they also come with some inherent issues:
    1. Most do not sync with other devices. Chrome, however, can sync with Android phones
    2. They are insecure, unless you have robust security to the device itself
  • How: Avoid browser-based password managers unless you are absolutely sure your computer cannot be used by another person

4.  Never lose sight of what you are protecting

  • Why: Every account you create will likely contain some form of personal data. Even small amounts of personal data may be enough to commit fraud in your name. According to Experian’s Global Fraud and Identity Report 2018, 65 percent of businesses are experiencing the same or greater levels of fraud
  • How: Make every password you use, unique and robust according to our “Password Do’s” list

5.  Post-it notes are not for passwords

  • Why: This action is usually a MUST NOT in your company's security policy document. This is because it is a very insecure way to remember a password
  • How: If you must write a password down for whatever reason, write your username with a good hint next to it instead of the actual password

6.  Never leave accounts vulnerable

  • Why: If an account has been hacked or breached, assume the worst and change the password as soon as you know about it
  • How: Use your account password reset/account recovery process



  1.  NIST Special Publication 800-63B, NIST
  2. SplashData’s Top 100 Worst Passwords of 2018, TeamsID
  3. How Prolific is Password Sharing?, IS Decisions
  4. German Man Confesses to Hacking Politicians’ Data, Officials Say, The New York Times
  5. Have I Been Pwned Password Checker, Have I Been Pwned
  6. 2018 Data Breach Investigations Report, Verizon
  7. Data Theft to Jump 175 Percent by 2023: Juniper Research, FindBiometrics
  8. Identity Fraud Hits All Time High With 16.7 Million U.S. Victims in 2017, According to New Javelin Strategy & Research Study, Javelin
  9. Further Down the Trello Rabbit Hole, Krebs on Security
  10. The 773 Million Record "Collection #1" Data Breach, Troy Hunt
  11. The 2018 Global Fraud and Identity Report, Experian
Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.