If you work in any sort of IT/cyber security role, you know it’s imperative to be concerned with hacking. It’s scary out there, especially with increasing reports of organized cyber-criminals going after any sized company, not just the bigger players.
As important as it is to create strong firewalls and defend against external threats, one of a company’s biggest vulnerabilities can come from an internal source: employees utilizing poor passwords.
‘Password fatigue’ is the term that describes how, if given the opportunity, people tend to use the same password or deliberately choose something weak and easy to remember. From bank logins to the grocery store, it can be tiresome to continually create unique ones.
A recent survey showed that common employee passwords include “qwerty,” “password,” “name1,” “business1,” and “123456.” This is similar to SplashData’s annual overall list of bad passwords, which seems to show that people aren’t necessarily more professional or security-conscious at work than at home.
So what should security personnel do to make sure employees follow security protocols without forcing them to create something overly complex?
- Think outside the box. Current security research, including recommendations by longtime security expert Bill Burr, says we should get away from longer strings of different-case letters, numbers, and symbols. Hackers are learning ways around these with programs that look for all the spelling variations of a word. Instead, Burr suggests switching to a series of shorter, properly spelled words that, when combined, may be more difficult to figure out.
- Two-factor authentication. This technique, used by many commercial sites for things like user password creation or replacement, texts or emails the user a temporary code so they can access their account. It can be easily adapted to a workplace, and employees can receive a new random code each day to access the system. They’ll still need their login, but the random code will make things more secure – and they don’t have to create something new or memorize something especially complex.
- Password managers. Software or plug-ins that store and remember passwords can seem like a weak spot, especially in a large organization with employees who can barely create decent passwords. However, many programs today can filter out weak passwords or randomly generate stronger ones that the employee may not have chosen on their own.
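The first and third points above (short, properly spelled words instead of symbol soup, and a tool that rejects weak choices or generates strong ones) can be shown in a few lines. The script below is an added example, not code from the article; the 32-word list, the l33t substitution map and the trailing-junk characters are assumptions made for the demo, and the deny-list is just the five survey passwords the article quotes. It catches the "spelling variations" the article mentions (trailing digits, `@` for `a`, `0` for `o`) by normalising a candidate before comparing it, generates a passphrase with a CSPRNG, and compares the entropy of four diceware-style words against an eight-character complex string.

```python
import math
import secrets

# Constructed demo wordlist (an assumption for this example). A real deployment
# would use a large, vetted list such as the EFF diceware list (7,776 words).
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orchard", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yogurt",
    "zipper", "bridge", "copper", "desert", "ember", "forest", "glacier", "helmet",
]

# Weak passwords the article's survey lists; a real deny-list is far larger.
COMMON_PASSWORDS = {"qwerty", "password", "name1", "business1", "123456"}

# Substitutions that cracking rule-sets try for letters (assumed map for the demo).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "$": "s", "5": "s", "7": "t"})
TRAILING_JUNK = "0123456789!@#$%^&*?"


def normalize(candidate: str) -> str:
    """Undo the usual tricks (trailing digits/symbols, l33t substitutions)
    so that 'P@ssw0rd2024!' is recognised as the word 'password'."""
    return candidate.lower().rstrip(TRAILING_JUNK).translate(LEET_MAP)


# Stems of the deny-list, e.g. 'name1' -> 'name', so 'Name99!' is also caught.
COMMON_STEMS = {normalize(p) for p in COMMON_PASSWORDS} - {""}


def check_password(candidate: str, min_length: int = 12) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS or normalize(candidate) in COMMON_STEMS:
        problems.append("variant of a common password")
    return problems


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST, separator: str = "-") -> str:
    """Pick words with the CSPRNG in `secrets`, never `random`, which is predictable."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words chosen uniformly from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of `length` characters chosen uniformly from charset_size symbols."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    for pw in ["qwerty", "P@ssw0rd2024!", generate_passphrase()]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    # Four words from a 7,776-word list vs. eight characters from a 72-symbol
    # set: the passphrase is longer, easier to type, and has more entropy.
    print(round(passphrase_entropy_bits(4, 7776), 1), "bits vs",
          round(charset_entropy_bits(8, 72), 1), "bits")
```

Note that the entropy figures only hold when the words are chosen uniformly at random by the tool, which is the point of the password-manager recommendation: a person picking "favourite" words by hand gets far less.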