The two biggest mistakes that people make when it comes to passwords are not using “passphrases” and reusing them across multiple accounts.
Over the last decade and more, password requirements have increasingly stressed the need for complexity as a means of providing critical security to organizations. However, it is easy to crack a password when complexity formulas are commonly known, and the standard keyboard layout encourages the use of the same ranges of numbers and special characters.
Social engineering also becomes problematic if an intruder can determine likely sources or references for your password. Additionally, overly complicated passwords lead to forgetful employees in need of regular reset assistance from your help desk.
Instead, use a full phrase that’s easy to remember. This could be a quote, song lyric, or any other string of words. Not counting special characters, consider that an intruder has a one in 26 chance of determining the correct letter of the alphabet further multiplied by the length of the phrase.
It’s both easier to remember and more difficult to crack a passphrase such as “Youtookthewordsrightoutofmymouth,itmustofbeenwhileyouwerekissingme.” That string contains a capital letter, two punctuation marks and 67 individual characters.
Reusing passwords across multiple accounts also so an incredibly risky practice. If one account becomes compromised, so are the rest—end of the story. If users share them between business and personal accounts, the compromising of one spills over to include all the others.
Your organization could have the best IT security in the world and still be entirely undermined by password reuse on accounts otherwise altogether separate from work resources.
The best way to keep track of all these passwords is to use a single sign-on or a password manager. These require an initial login with a username and password (ideally, a strong passphrase).
Once authenticate your identity, the solution manages all of the other passwords for your resources. These should be completely randomized credentials obfuscated from the user so that not even they can accidentally compromise their own accounts.