Passwords are still the most common authentication method used online, even with the introduction of new login methods, such as passkeys, biometrics and token-based authentication.

Passwords are one of the oldest forms of authentication, and cracking them keeps getting cheaper as hardware improves. The widely quoted figure of 2 seconds to crack an 11-character password applies to a password made of digits only, guessed on a single GPU against a fast, unsalted hash; the time rises steeply with length and with the mix of character types, and drops to almost nothing if the password already appears in a leaked wordlist.

Even with many new and more secure authentication methods available, most organisations still rely on passwords to some extent. In fact, it's estimated that there are nearly 300 billion passwords in use, which works out at about 38.4 passwords for every internet user.

Let’s take a look at how you and your employees can create a good password or passphrases and what password protection best practices you need to follow.

Here’s how you can make a strong password:

Make every password unique

According to a survey conducted back in 2020, 53% of people reuse the same password for multiple accounts. This is a risky practice: once that password leaks from a single breached site, attackers feed it into automated credential-stuffing tools that try it against every other service, so one leak compromises all of the accounts that share it.

To prevent this from happening, you need to create unique passwords for all your accounts.  

Every extra account a password is reused on is one more place it can leak from, and one more account that falls when it does.

One thing you shouldn't do is use personal information, like your birthday, place of birth or a pet's name, or anything related to your organisation, as this type of information is very easy for a bad actor to figure out, especially if they've done some research on you.

Use a mix of letters and numbers based on something only you know, for example the name of a favourite song combined with a date that only you would associate with it. Make a unique password for each of your accounts, but don't let the variation between them follow an obvious pattern (such as the same base password with the site name appended): an attacker who obtains one of them will try the predictable variants first.

Use the Bruce Schneier Method for Passphrases

The Bruce Schneier method is an easy way to make strong passwords that you can remember easily. It involves taking a sentence, either random or something personal that means something to you and transforming it into a password using a particular rule.

For instance, the rule can be to use only the first two letters of each word in the sentence.

Here’s an example:  

Pepperoni Pizza Is The Best can be written as PePiIsThBe

To any other person, PePiIsThBe looks completely meaningless, but you know exactly what it means. Add in a few digits and symbols (check that the service accepts the ones you pick; many reject emoticons) and these passwords are far harder to guess than a dictionary word.

PePiIsThBe becomes PePi_IsTh2Be?

Just to be on the safe side, avoid using popular catch phrases, song lyrics or slogans from your organisation as the starting sentence: well-known phrases are already in the wordlists crackers run first, and many people are familiar with them. If you're unsure where to start with converting a passphrase to a password, see our passphrase tip sheet.
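The transformation rule above, and the cracking-time figure quoted at the start of this post, can both be checked with a few lines of code. The block below is an added illustration, not code from the original post or from Phriendly Phishing: it applies the "first N letters of each word" rule to a sentence, then estimates how long exhausting the resulting keyspace would take. The guess rate (5e10 guesses per second) and the tiny common-password list are assumptions constructed for the example; real rates depend on the hash algorithm and hardware, and real cracking wordlists hold hundreds of millions of entries.

```python
"""Passphrase-to-password transform (the "Schneier method") with a rough
keyspace and cracking-time estimate.

Added illustration; not code from the original post. The guess rate and
the common-password list below are constructed assumptions.
"""
import string

# Assumed rate: roughly one GPU against a fast, unsalted hash (hypothetical figure).
ASSUMED_GUESSES_PER_SECOND = 5e10

# Constructed stand-in for the leaked-password lists that crackers try first.
CONSTRUCTED_COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "Password1!"}


def derive_password(sentence: str, letters_per_word: int = 2) -> str:
    """Keep the first `letters_per_word` letters of every word in the sentence.

    Non-letter characters inside a word are dropped so the rule is
    predictable for the owner; the case of the kept letters is preserved.
    """
    pieces = []
    for word in sentence.split():
        letters = "".join(ch for ch in word if ch.isalpha())
        pieces.append(letters[:letters_per_word])
    return "".join(pieces)


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_seconds(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust every string of this length over this charset.

    This is the figure behind "11 digits in about 2 seconds": 10**11 guesses
    at 5e10 per second. It says nothing about wordlist attacks, which is why
    check_password() looks at those separately.
    """
    return charset_size(password) ** len(password) / rate


def check_password(password: str) -> list:
    """Return the problems found; an empty list means the basic checks pass."""
    problems = []
    if password in CONSTRUCTED_COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if charset_size(password) < 62:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    base = derive_password("Pepperoni Pizza Is The Best")          # PePiIsThBe
    strong = "PePi_IsTh2Be?"                                        # with digits and symbols added
    for pw in ("12345678901", base, strong):
        print(f"{pw!r}: charset={charset_size(pw)}, "
              f"brute force={brute_force_seconds(pw):.3g}s, problems={check_password(pw)}")
```

Running it shows the progression the post describes: the 11-digit password falls in 2 seconds, the bare two-letters-per-word form takes about a month at the assumed rate, and the version with digits and symbols added moves into the millions of years. The check function is the part to keep: length and a wordlist lookup matter more than clever substitutions, because a cracker tries leaked passwords and common phrases long before it resorts to brute force.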

Best practices for password management

Just making a strong password won’t be enough; you’ll need to learn to manage your passwords carefully.

Here’s how:

Use multi-factor authentication methods

Integrate a multi-factor authentication system into your organisation’s apps, network and devices so that employees will require more than just a password to access data.

Change passwords whenever an employee leaves the organisation

Employees who leave the organisation take their knowledge of passwords with them, which could pose a risk to your company. As a precaution, any shared or service password a departing employee knew should be changed as soon as they resign. Better yet, give every employee their own account under a role-based access system, so that offboarding is simply a matter of deactivating that account, and keep shared credentials to a minimum so there is less to rotate when someone leaves.

A good password can make all the difference

Passwords may feel old-fashioned, but they still play a major role in keeping an organisation's information safe from cyber criminals. With strong, cleverly worded passwords, you and your employees can reduce the risk of data breaches and save your organisation from substantial losses.

Thinking about upgrading your security to get rid of passwords altogether? Read CyberCX’s blog post about passkeys and the added benefits to security.  

Phriendly Phishing’s course catalogue includes specific training courses on passwords and passphrase security.

Request a demo of our cyber security awareness training platform and start the year off knowing your organisation and your people are secure and protected.