Password Management: 10 Tips to Break Bad Habits



March 8, 2024

We’re seeing a growing trend towards biometric and passwordless solutions and experts are now predicting that the traditional password will soon become a thing of the past. Evolving cyber threats—hackers, user fatigue, and even turnover—emphasize the need for more seamless and user-friendly methods to strengthen and simplify the login process. With multi-factor authentication (MFA) becoming a standard requirement for most online services, we might already be at the beginning of the end.

But despite advancements in security measures, many, including MFA, still incorporate some version of a password, key code, or key as an authentication factor. So until we eliminate the need for them entirely, passwords are sticking around for the foreseeable future—and they’re more than just a random string of characters. They’re the foundation of our online safety. The password choices we make have real-world consequences for our digital lives and having a weak one is like leaving the door wide open for thieves to stroll in.

Whether it’s through a phishing scam, a credential stuffing attack, or an unsuspecting employee, if hackers manage to crack your code, they’re one step closer to infiltrating your networks and compromising critical data. That’s why it’s critical to have a robust password management strategy across your whole organization as the first line of defence. Keep reading for our top tips to steer clear of the password hall of shame and improve your company’s security posture.


Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.

PRO Tips: What can you do?

1. Develop a solid password policy.


Set clear and comprehensive guidelines and let people know what you expect in terms of password procedures, particularly for those who handle company data. Consider the following:

  • Make sure everyone at the company, including new employees, is aware of your data protection policies. Keep senior management updated so they can lead by example.
  • Change logins as soon as there is evidence of suspicion or compromise, rather than mandating frequent changes every few weeks or months (more on this later).
  • Implement lockout procedures for inactive accounts (i.e. lock out accounts that have failed to log in correctly after a few attempts). Tailor the length of the lockout period to the account. For example, higher-risk or privileged accounts should be locked out for longer.
  • Discourage password sharing unless absolutely necessary and stress the importance of maintaining the confidentiality of login information.

2. Establish offboarding protocols.


Employees come and go; that’s a fact of business life. But turnover is more than an HR nightmare or an operational risk—it’s also a major cyber threat. According to a study by passwordless authentication provider Beyond Identity, 83% of former employees still had access to their previous employer’s assets. 56% said they used their access to intentionally harm their employer; this figure jumped to 70% among those who’d been fired.

Be proactive. In addition to onboarding, set up a formal offboarding policy so you’re not scrambling every time someone leaves. Tips include:

  • Have a standardized checklist to tie up loose ends and make sure you’re not skipping steps.
  • Conduct an exit interview to take inventory of what the employee was working on and what files they have access to (i.e. file-sharing services, cloud services, social media, third-party systems, and more).
  • Review data security policies with departing employees and remind them what information they’re not allowed to take or access.
  • Recover and wipe any assets, like laptops, phones, company cards, ID badges, security cards, keys, physical files, and more.
  • Implement a data recovery policy or remote wipe policy for any employees that were allowed to work on personal devices.
  • Remove, disable, delete, or lock down access to the company network and any associated applications, programs, or channels. Block user sign-in if needed. If logins are stored in a shared location like Google Drive or OneDrive, disable access or delete entirely.
  • Process any outstanding fees or reimbursements.
  • Schedule regular audits and survey employees and managers to identify what they have access to, what logins are no longer required, or were issued unintentionally. Revoke access as needed.
  • Time is of the essence. Make sure offboarding procedures are carried out immediately following employee departures.


3. Practice good password hygiene. 


Passwords are only as safe as you make them. Requirements vary by industry so be sure to look up the best practices for your needs and tailor them accordingly. But keep in mind: there are a lot of guidelines out there, and sometimes adding tons of extra requirements can unintentionally contribute to password fatigue and encourage lax behaviour. Provide examples and give users the space to create memorable, but secure passwords. Some of the best tips include:

  • Create complex, unique passwords or passphrases for all systems. Length matters; 88% of passwords used to attack RDP ports in live attacks are 12 characters or less. Why? Longer words and phrases are harder to crack. Passwords should be at least eight characters long, with a mix of characters (i.e. special characters, upper and lowercase letters, numbers, symbols).
  • Avoid words that include personally identifiable information (i.e. a significant other, pet, birthplace, city of residence, name of your company etc) or information that could be garnered from employees’ business or social media accounts.
  • Don’t use the same logins for everything, including between work and personal accounts.
  • Use unique, non-obvious usernames, especially for privileged accounts and any default vendor credentials (i.e. admin, root, user, test, etc.).
  • Avoid popular words or words that appear on breached password lists (i.e. password, 1234, qwerty, welcome, and so on). Even if you incorporate special characters, hackers know employees tend to default to certain base terms and have software to account for predictable patterns; “p@ssw0rd”, “p@ssword”, and “q2w3e4r” also now appear on lists of common, easily compromised passwords.
  • Always log out of accounts or devices when finished.
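
The checks in this list can be run automatically whenever a password is set. The sketch below is an added example, not part of the original article: the word list is a constructed stand-in holding only the article's own examples, and the substitution table, the function names and the "at least two character classes" threshold are assumptions.

```python
import re

# Constructed stand-in for a real breached-password list (the article's examples only).
COMMON_PASSWORDS = {"password", "1234", "qwerty", "welcome", "q2w3e4r"}
DEFAULT_USERNAMES = {"admin", "root", "user", "test"}
MIN_LENGTH = 8  # the article's stated minimum
# Assumed table of common look-alike substitutions (not exhaustive).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def candidates(password):
    """Return the base forms a decorated password is likely derived from."""
    raw = password.lower()
    # Drop trailing digits/symbols first: "welcome2024!" -> "welcome".
    stripped = re.sub(r"[^a-z]+$", "", raw)
    return {raw, raw.translate(LEET), stripped.translate(LEET)}


def check_password(password, username="", personal_terms=()):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    # Assumption: fewer than two character classes counts as "no mix".
    if sum(bool(re.search(p, password)) for p in CLASS_PATTERNS) < 2:
        findings.append("single_character_class")
    forms = candidates(password)
    if forms & COMMON_PASSWORDS:
        findings.append("common_password")
    # Personal or company terms, compared after undoing substitutions.
    terms = [t.lower() for t in (*personal_terms, username) if len(t) >= 3]
    if any(t in form for t in terms for form in forms):
        findings.append("contains_personal_info")
    if username.lower() in DEFAULT_USERNAMES:
        findings.append("default_username")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("p@ssw0rd", "Welcome2024!", "violet kettle drifts north"):
        print(pw, "->", check_password(pw))
```

In production the constructed set would be replaced by a full breached-password list, and the check would run on the server before the password is hashed and stored.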



4. Implement multi-factor authentication. 


Nowadays, strong credentials aren’t always enough. Even the most indecipherable passwords can be cracked by a determined hacker or leaked in a privacy breach. Enter multi-factor authentication (MFA). MFA is a security measure that requires two or more pieces of evidence, known as authentication factors, to verify a user’s identity before granting login access. Authentication factors can be:

  1. Something you know, like a password, passphrase, PIN, or security questions.
  2. Something you have, like a token, smartcard, access card, USB key, mobile authenticator app, or SMS text code.
  3. Something you are, or biometric identification that is unique to the user, like a fingerprint, retina or face scan, voice recognition, or even the picture on your ID badge.

MFA is considered the new gold standard for password security. In fact, most insurance companies are even mandating it as a minimum requirement for organizations before they can qualify for Cyber Insurance. Why? Combining two or more factors from these categories, like a PIN with a USB key or a password and mobile app, adds an extra obstacle to keep cybercriminals from reaching your information.

Even if your login credentials are weak, stolen, leaked, or otherwise exposed, cybercriminals still won’t be able to gain entry unless they have your other information, effectively rendering most phishing and other hacking efforts useless. Plus, most MFA solutions will notify you if there’s an unauthorized login attempt, allowing you to change your password if needed.

To block attacks at multiple access points, deploy MFA across your enterprise wherever critical or sensitive data is stored or transmitted, including corporate email accounts, VPNs, and financial accounts.



5. Make it easy. 


The more passwords employees have or the more complex the requirements, the harder it is for them to remember. That’s when the bad habits kick in—it’s just too hard to keep track of them all.

While the right option for your company will vary based on your size, operations, and security needs, there are a number of solutions you can consider to ease the burden of memorizing passwords.


a) Password Manager


A password manager operates like a vault by providing you with a secure space to store sensitive information. Once it’s in there, your data is encrypted and protected by a master password that only you know. When you want to log into an account, simply input your master password and then you can access the rest of your credentials hassle-free.

Password managers help centralize login information across business applications and effectively eliminate the need for a “passwords” note on your smartphone or a word doc on your desktop. Codes can be as long or complex as you want; you don’t even need to remember them as long as you know your master credentials. Some managers even offer additional features that allow you to assess password strength, manage user rights, and monitor changes.

Be sure to do your research before officially recommending a password manager to employees or mandating one across your organization. Not all solutions have the same level of security. Additionally, they vary in where they store your data—local, browser, or cloud-based—which could inadvertently violate your regulatory requirements.


b) Single Sign-On


Single Sign-On (SSO) creates a single set of login credentials that can be used across multiple applications and platforms. Employees have one master username and password that they use to access every application they need to perform their jobs. Much like MFA, single sign-on is often accompanied by an additional authentication factor, like a web token, passcode, or biometric ID, that combines with your master password to verify your identity.

SSO is effective because it streamlines employee access and cuts down the number of entry points to your system from potentially hundreds of passwords to one. And since employees only have to remember one password, they might be more inclined to use stronger, more complex combinations.



6. Educate your employees. 


The 2023 Specops Weak Password Report revealed that 83% of compromised credentials meet the length and complexity requirements of regulatory standards. Additionally, the latest edition of Verizon’s annual Data Breach Investigations Report found that 74% of breaches involved the human element, be it social engineering, errors, or misuse. That means even a strong policy can’t make up for user habits.

The bottom line? You can’t assume your employees know everything. New hires aren’t well-versed on your security policies yet and might be susceptible to mistakes, while existing staff might need constant reminders about what’s allowed and what’s not. Most people also underestimate the impact of seemingly careless behaviours like password recycling or sharing.

But if you hope to make a change, everyone at your organization, from new hires to contractors to senior management, should receive regular security awareness training on:

  • What makes a good password;
  • Poor password habits and how to avoid them;
  • How to avoid phishing scams and other cyber threats;
  • How to safely access, use, and store data, including how to use any password platforms (i.e. MFA, a password manager, SSO, etc.);
  • How to spot and report signs of compromised credentials and/or a breach;
  • The impact of a breach and potential consequences for your organization.
  • And more.


Be patient and supportive, encourage questions, and don’t punish your staff for any mistakes. Work to create a safe and positive culture of learning so employees feel comfortable coming to you with concerns and reporting security incidents without fear of judgement or repercussions.



7. Fortify your defences. 


Passwords are crucial, but they’re only a small piece of the cybersecurity puzzle. Bolster your security and support your password management strategy with additional measures. That way, you’ll be in the best position possible to prevent a breach, even if you lose your logins. Consider the following:

  • Install firewalls, anti-virus software, VPNs, and more as needed on all networks and devices to protect your security perimeter.
  • Apply the principle of least privilege and limit access controls across your network to the minimum necessary for employees to perform their duties.
  • Patch all systems, software, and third-party apps with latest updates as soon as they are available.
  • Ensure that sensitive data is encrypted during transmission and storage.
  • Set up an offline backup system that isn’t connected to the internet or any of your local networks to prevent hackers from reaching network backups and increase the chances of data recovery.
  • Routinely re-assess your security measures and scan for vulnerabilities in your network and all provider networks. Address weaknesses where needed.



8. Stay updated. 


Keep current with the latest security recommendations as the cyber landscape shifts. After all, a lot of our conventional password wisdom has been debunked by cybercriminals and changed over time.

Case in point: once upon a time, popular advice had us changing our passwords at set intervals to increase security. But it turns out that forcing users to change their passwords all the time is actually riskier, since folks might get lazy and just modify things slightly or default to a weak, easy-to-guess password. Now, experts only recommend resetting logins once there’s suspicion or evidence of a leak.

Remember, no practices are 100% foolproof. And as we get more information, security recommendations will continue to evolve—we might even ditch passwords completely. But if you’re proactive and vigilant, you can keep up with the times, stay ahead of hackers, and decrease your odds of a breach. Be sure to revisit your password management—and your security protocols overall—regularly and revise as needed, especially if a breach takes place.

9. Set up an incident response plan. 


Develop or amend incident response and business continuity plans so they’re ready to go in case of compromise, like if a password is leaked or if a laptop is stolen. Plans should include measures for identifying, containing, mitigating, and recovering from security incidents. Establish a dedicated team to handle cybersecurity incidents at your organization (or loop in a third party) and consult with IT, legal, and even your communications team to set up next steps.

The exact steps of your plan will vary depending on the nature of the breach, but you should include measures for resetting logins for both employees and clients (i.e. a password reset directive) and disclosure or notification protocols for affected parties.

10. Consider Cyber Insurance. 


For maximum protection, consider Cyber Insurance. Your general liability policies won’t cover a breach, but a dedicated cyber policy can help offset some of the potential financial loss following a breach, cyberattack, or network security issue, like if your company’s information is stolen by a hacker, or accidentally released by an employee. Coverage highlights include:

  • Legal fees, damages, and defence costs;
  • A specialized data forensics team to investigate the cause of the breach;
  • A legal breach coach to advise you on response and regulatory compliance;
  • Client notification and credit monitoring for affected parties;
  • PR consulting services to manage reputational harm;
  • And more.


Remember, Cyber Insurance isn’t a replacement for password security. You still need a robust cyber management strategy, among other protections and preventative measures, to reduce the risk of a breach. But in case your logins are compromised anyway, insurance will provide you with the resources and support you need to get your business back online and regain your clients’ trust.



Is it worth it?


We know, it sounds tedious—and costly—to come up with a whole strategy just for logging into a few accounts. But if your organization suffers a breach, the cost of recovering from an attack will be significantly higher. And remember, it only takes one employee, one login, and one password, to have a cascading impact on your organization forever.

Even worse? Insurance companies are cracking down on baseline cybersecurity controls, like password security and multi-factor authentication, for organizations before they can obtain Cyber Insurance. Without MFA, you won’t be able to rely on Cyber Insurance to cover your losses in the event of a breach, leaving yourself exposed to potentially hundreds of thousands in remediation costs.

That’s why passwords are vital to your cyber risk management strategy. They won’t just reduce the risk of compromised credentials; they’ll improve your overall security posture, ensure you remain in good standing with your insurance company, and help you mitigate the financial, legal, and reputational consequences of a privacy breach.



How can we help you?


For more guidance on cyber risk management, connect with PROLINK. With over 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. We can help you plan, protect, and become resilient in the face of attack. Our dedicated team of risk advisors will:

  • Identify exposures based on your business operations and unique needs;
  • Share what steps others in your industry are taking and advise you accordingly;
  • Outline a proactive approach to risk management to control your costs long-term;
  • Conduct a robust assessment of your existing insurance policies to detect any coverage gaps; and
  • Align you with specialized Cyber Insurance and risk management solutions, tailor-made for your strategic objectives and budget.


To learn about your exposures and how you can protect yourself, visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today for more guidance.

PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.
