Password Management Best Practices

Passwords serve as gatekeepers to protect sensitive data for your business, safeguarding confidential information about you, your company and your employees.

But as hackers have become better at stealing valid passwords as a way to access and navigate private systems, securing these credentials has become a primary risk management priority for business owners today. Here's what you need to know about using passwords to keep company data safe.

The risks of compromising data

Compromised passwords can lead to significant long-term losses for a business, ranging from monetary to reputational damage. Hackers often use phishing, social engineering and other tactics to access and then sell stolen passwords on the dark web. They also steal passwords to plan additional cyberattacks within a business or employ credential stuffing, where they use stolen credentials from one data breach to attempt to log in to unrelated services.

With all of these risks, many businesses today still remain behind in creating safe, strong passwords. According to Security.org's Password Manager Industry Report and Market Outlook for 2024, almost half of online account holders today rely on memory to keep track of their passwords, while 25% save them in unencrypted files on accessible devices.

This noted gap in password safety makes it essential to have a thorough cybersecurity plan for your business—one that includes best practices for password safety.

Password management best practices

As part of your business's cybersecurity plan, regularly educate staff on the current best practices in password safety.

• Create passwords that are at least 12 characters long, or longer for increased security.
• Use a mix of letters, numbers and symbols.
• Add both uppercase and lowercase letters.
• Replace familiar words with seemingly incoherent passphrases.
• Change passwords every 90 days.
• Choose a unique password for each individual account.
• Test password strength using a third-party tool.
• Answer security questions vaguely, omitting easy-to-find family members' names whenever possible.
• Keep passwords to yourself.
• Secure your phone with biometric identification or a strong passcode.

After creating or modifying unique passwords for each of your business accounts, don't write them down in a place where others can find them or allow web browsers to save them, especially on work-issued equipment.

You might also consider a companywide password manager, a strategy used by an estimated 1 out of every 3 Americans—or about 79 million people. A password manager creates randomly generated passwords for all of your accounts, which you then access using a single password. If you choose to use a business password manager, just remember to create a strong primary password.

You may also want to implement multifactor authentication as another layer of protection against phishing attacks. This method includes at least one extra step to access an account, whether it's through a push notification or biometric identification.

As part of your overall business strategy, it's also important that your IT teams employ password safety best practices and communicate them across the organization. This includes:

• Setting low limits on incorrect login attempts
• Allowing for longer password lengths of at least 12 characters
• Enabling password encryption
• Using multifactor authentication
• Ensuring that all antivirus software and antimalware are up to date
• Changing business-related account passwords after an employee has left the company
• Conducting periodic password audits

The bottom line

While no password practice is failproof, using as many of these strategies as possible makes it more difficult for someone to access your business accounts. Hackers are out there, and the best approach to take is a defensive one.