Passwords Are a Pain – But They Are Critical to IT Security

Get some tips and tricks on how to improve your password policy.

A person typing his password on a laptopThere are two types of employees when it comes to IT security: High-risk and minimal-risk employees. The only difference between the two is that the minimal-risk employees have been properly trained to spot possible security threats, have a sense for what unsafe behavior may look like and are proactive in protecting themselves and their organization.

Ideally, the minimal-risk employee is the most desirable end goal when it comes to password security. Not only do these employees understand what a phishing attempt is, they are knowledgeable enough to spot a phishing email, accurately report it and communicate additional security concerns they may have. Minimal-risk employees effectively become security advocates for the entire organization.

So how do you move from moderate to high-risk employees to minimal-risk employees? That’s where proactive end user security training comes in. In this article, we'll help you more effectively train your employees in IT security.

Creating IT Security Advocates

Before moving forward, it is important to note that the only way to potentially secure a network in today’s threat landscape is to close it off to outside traffic, and that still can’t completely protect it. While removing your network from the internet can be a more secure avenue to combat issues with malicious actors accessing the network, it will not  work for anyone trying to communicate outside of it.

The whole point of the internet is for it to be an open network. Therefore, we must accept that vigilance is, in fact, excellence. Your network will never be bulletproof, but the more advocates you create internally for your IT security, the more your risk exposure goes down.

Application isolation is a new trend in cybersecurity that continues to grow, and the simple idea is that you are segmenting your apps away from one another. This is counterintuitive to the API marketplace phenomenon happening concurrently, which is driving a lot of software-as-a-service (SaaS) purchasing. Most organizations are not forward thinking or strict enough to practice application isolation or closed networks, so there has to be a compromise.

Threat actors have the benefit of being able to pick and choose what and whom they target, but at the same time, they notoriously aim for the low-hanging fruit of consumers and organizations. Hackers are looking for the least trained, lowest common denominator when it comes to end users. This is also why social engineering and phishing attacks can do more damage than meets the eye.

Malware attacks are so simplistic nowadays that they are almost designed like random acts of malicious intent with many just innocent bystanders who get caught up in widespread campaigns. Cybercriminals may not even be targeting you or your organization specifically – they are focused on just executing their attacks and anticipating someone will get caught in the crossfire.

If you follow these rules, malicious actors will likely get discouraged and move on to an easier target. This is where you ensure that you do not fall victim to stray malware!

Password Strength and Reset

We all hate resetting our passwords every 30 to 60 days. As soon as you start to remember your password by heart, you end up having to reset it. This is where secure password managers can help you safeguard and remember your passwords successfully.

If you’re one of those IT shops that has decided the annoyance of a reset is not worth the result, I have news for you: You’re next.

You can’t afford to not change your password on key systems every three months. It would be like moving into a new house and keeping all the same locks as the previous owner. So, what needs to be reset every 60 to 90 days ?

Passwords to reset every three months:

  • Operating Systems: All of your systems have a local login account in addition to your network login. You need to ensure these passwords are also changed, for both Windows and Apple-based systems.
  • Network Login: Obvious and easy to automate – make sure every single user is doing it.
  • Email/Office 365: Once again, easy to automate and can tie into your network login refresh.
  • Hardware: Especially network switches, routers and firewalls. Many IT admins leave the default “admin” username and the passwords on their routers and firewalls. This is the easiest and most common way for a threat actor to get behind your IP address and start poking around.
  • Cloud Based Applications: If you are using cloud applications that don’t offer single sign-on (SSO) that use your network login credentials, they need to be changed also.

In addition to resetting passwords, make sure you are on the latest update of your firmware for routers and firewalls. More threat actors are exposing vulnerabilities in firmware than ever before because while cybersecurity has grown over the past few years, your routers may have been set up before we knew what a distributed denial of service (DDoS) attack or ransomware was. Ensure you are addressing legacy systems as a part of your password reset policies.

Password Do’s and Don’ts for Everyone to Follow

It’s essential not to make exceptions for anyone on your staff to opt-out of your password policy, this even includes your executive team. While executives may complain about password resets more than any other group at your organization, they are also the most frequently targeted group for attacks. The same can be said about you financial employees as well.

Avoid using the following in your passwords:

  • Address (home and office)
  • Date of birth
  • Phone number
  • Personal, child or spouse birthday
  • Anything about you posted on social media as an interest, including sports teams, hobbies, cars, etc.

Avoid using common phrases in your passwords as well, such as:

  • ILoveYou
  • Usernames
  • Qwerty (in any form without special characters)
  • Superman
  • Batman
  • Sunshine
  • Admin
  • Welcome
  • Princess
  • Football
  • Baseball
  • Sports teams, like Liverpool or Manchester in the United Kingdom or Cowboys or Lakers in the United States
  • Swear words – are more commonly used than one may think

While each password requirement depends on the website admin or organization’s policy, it’s more valuable to use longer and more complex passwords.

Here are three main components in your passwords to incorporate for stronger password security:

  • Characters (upper and lowercase letters)
  • Numbers
  • Special characters (!@#$%^&*)

The strongest passwords will have a combination of the following characteristics:

  • Long: The longer the password, the harder to crack. While your account may only require 6 to 9 characters, expanding to 12, 16 or more will give you a stronger password.
  • Not in the dictionary: Avoid single words or common phrases that can be found in the dictionary or vernacular.
  • Character substitutions: Substituting characters for letters is good practice, but you want to think outside of the box. Don’t substitute zero for the letter O and assume you are safe. A better option would be using the ampersand (&) for O.
  • Illogical phrases: While you wouldn’t want to use a common phrase like “ThankYouVeryMuch,” you could string together completely random words like “ThankCheeseBoatsNetwork.”
  • Acronyms and abbreviations: Instead of spelling out words, abbreviate them or replace phrases with acronyms that you can remember. Using the example above, “ThankYouVeryMuch” could become “TkYVreM.” Of course, you would add more to it so it’s longer and has a variety of characters.

The Most Common Passwords

Just for fun, here’s a list of the most common passwords in the United States, courtesy of the National Cyber Security Center’s global breach analysis. You can share this with  your staff and encourage them to refrain from using these phrases and keywords. Additionally, if you’re currently using a common password or similar combinations below, we recommend changing them quickly.

  • 123456
  • 123456789
  • Qwerty
  • Password
  • 111111
  • 12345678
  • Abc123
  • 1234567
  • Password1
  • 12345

Pro Tips for Password Security

Here’s a few extra tips to make sure your password policy is the best it can be:

  • Set your password policy to require resets at a minimum of every 90 days based on the guidelines recommended above.
  • Set your password policy to prohibit password reuse, you don’t want people cycling through a list of passwords.
  • Ensure all solutions enforce periodic password resets and support multi-factor authentication (MFA). If your systems support MFA then implement it, even for your network login.


CompTIA is here to support you throughout your IT career. Get free resources, career advice, and special offers on CompTIA training and certifications!

Email us at [email protected] for inquiries related to contributed articles, link building and other web content needs.

Read More from the CompTIA Blog

Leave a Comment