Even though World Password Day is over, it's never too late to remind your end-users that weak, unimaginative, and easy-to-guess passwords—like "123456," "qwerty," and, well… "password"—are poor options for securing accounts and devices. With credential phishing and credential stuffing attacks on the rise—and with countless passwords already exposed through data breaches—the need for users to step up password management practices at work and at home has never been more urgent.
Research for the "2022 State of the Phish" report from Proofpoint found that only 30% of working adults use a unique password for each account. And those who are reusing passwords across accounts, and probably devices as well, are only increasing the attack surface for their organizations and themselves.
The rapid expansion of remote work during the pandemic has helped bring to light another password management bad habit that is ratcheting up security risks for users and businesses: unsecured Wi-Fi networks. Less than two-thirds (60%) of working adults surveyed for the "2022 State of the Phish" report said their home Wi-Fi network is password-protected. And 34% of respondents reported that they haven't adjusted their Wi-Fi network's security settings because they simply don't know how to.
Improving password best practices matters
Poor password management creates unnecessary risk for your users and your organization. To underscore the potential risk to your business, simply consider that 77% of working adults responding to our survey for the "2022 State of the Phish" report admitted that they use employer-issued electronic devices for personal purposes, such as checking email, reading news stories, shopping online, and viewing and posting on social media channels.
Equipping your users with information and skills that will enable them to become more diligent and vigilant about password management and protection can help your organization significantly reduce the risk of data loss and account compromise. You can prevent attackers from gaining easy access to sensitive data or critical information. And you can stop data breaches from spreading across multiple accounts that share passwords.
As a starting point for improvement, try sharing these best practices for strengthening password hygiene with your users to help them improve how they set passwords for their devices and accounts. Let's start with the "dos":
- DO use multifactor authentication (MFA); if MFA isn't an option for the account, use a password manager.
- DO change all passwords at least twice a year. (Note: It's best practice to change business passwords more often: every three months.)
- DO increase the complexity and length of each password to create stronger passwords.
And here are a few password management "don'ts" to keep in mind:
- DON'T use easy-to-guess passphrases, such as those that include common words or phrases, or names or dates associated with you or your direct family members. (That includes the names of your pets!) Also, avoid using anniversary dates, birthdays, and other details that many of us post on social media platforms all too often.
- DON'T reuse passwords across multiple systems or accounts.
- DON'T record passwords on paper.
- DON'T share passwords—not with your family, friends, or coworkers.
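The dos and don'ts above can be turned into an automated check that runs when a user picks a new password, so the policy is enforced rather than merely remembered. The following is an added example and is not Proofpoint code: a small Python validator that rejects short or low-entropy passwords, known common passwords, keyboard runs, embedded years, personal terms (names, pet names, dates the user has supplied), and reuse of an earlier password. The block list, keyboard runs, thresholds and the sample inputs are all constructed for illustration; the unsalted SHA-256 fingerprint exists only to demonstrate the reuse check and is not how a credential store should hash passwords.

```python
"""Password policy checker illustrating the dos and don'ts above (added example)."""
import hashlib
import math
import re
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Set

# Constructed sample block list. A real deployment would load a breached-password
# corpus instead of this handful of entries.
COMMON_PASSWORDS: Set[str] = {
    "123456", "123456789", "password", "qwerty", "letmein", "welcome1", "iloveyou",
}
# Constructed list of keyboard and alphabet runs that make a password easy to guess.
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1234", "abcd")
# Four-digit years (19xx / 20xx) are a common birthday/anniversary giveaway.
YEAR_PATTERN = re.compile(r"(19|20)\d{2}")


@dataclass
class PolicyResult:
    ok: bool
    entropy_bits: float
    findings: List[str] = field(default_factory=list)


def fingerprint(password: str) -> str:
    """Unsalted SHA-256, used ONLY to demonstrate a reuse check against earlier
    passwords in this example. A credential store must use a salted, slow hash
    such as bcrypt or Argon2, never this."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def estimate_entropy_bits(password: str) -> float:
    """Rough brute-force entropy: length * log2(size of the character pool used).
    Rewards both length and character variety, which is what the
    'DO increase the complexity and length' item asks for."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(
    password: str,
    personal_terms: Iterable[str] = (),
    previous_fingerprints: FrozenSet[str] = frozenset(),
    min_length: int = 12,
    min_entropy_bits: float = 60.0,
) -> PolicyResult:
    """Apply the policy and return every finding, not just the first, so the
    user can be told everything that needs to change."""
    findings: List[str] = []
    lowered = password.lower()

    if len(password) < min_length:
        findings.append("too_short")
    if lowered in COMMON_PASSWORDS:
        findings.append("common_password")
    if any(run in lowered for run in KEYBOARD_RUNS):
        findings.append("keyboard_sequence")
    if YEAR_PATTERN.search(password):
        findings.append("contains_year")
    # DON'T use names or dates associated with you or your family (pets included).
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            findings.append(f"personal_term:{t}")
    # DON'T reuse passwords: compare against fingerprints of earlier passwords.
    if fingerprint(password) in previous_fingerprints:
        findings.append("reused")

    bits = estimate_entropy_bits(password)
    if bits < min_entropy_bits:
        findings.append("low_entropy")

    return PolicyResult(ok=not findings, entropy_bits=bits, findings=findings)


if __name__ == "__main__":
    # Constructed sample inputs: a pet name, a surname and a birth year the user
    # might have disclosed on social media.
    personal = ("Fluffy", "Smith", "1987")
    for candidate in ("password", "Fluffy2015!", "correct-horse-battery-staple-42"):
        result = check_password(candidate, personal_terms=personal)
        print(f"{candidate!r}: ok={result.ok} bits={result.entropy_bits:.1f} "
              f"findings={result.findings}")
```

Returning the full list of findings rather than a single pass/fail lets the same function drive both an enrolment form and an awareness report: the codes map directly onto the dos and don'ts, so a user who trips "personal_term" or "contains_year" can be shown the relevant piece of guidance.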
Help end-users build better security habits
As security professionals, we live and breathe security, so best practices and risks are always top of mind. But our users are different: they need constant reminders and education. We can help them by:
- Providing more frequent training with bite-sized learning content; this approach is much more effective than completing a 30-minute-long training module once a year.
- Communicating why it's important to follow best practices that will help keep the organization—and them—safe.
- Engaging them with security topics that are relevant and making training memorable by tying it to special events, such as tax season, holidays, and Data Privacy Week.
These efforts are well worth the investment because even small behavior changes by end-users, like not writing down a password on a sticky note and adhering it to their computer monitor, can significantly minimize your organization's security risk. After all, research shows that 85% of data breaches involve the human element.
Get started with these helpful resources
Download the "Beyond Awareness Training" e-book from Proofpoint to learn more about how to change user behavior and build a sustainable security culture in your organization.
Also, try our Security Awareness content. Proofpoint provides samples of our most popular training and awareness series here. This content is designed to keep users entertained, engaged, and informed about the latest threats—and help them embrace their role as defenders in your organization.