Pa$sw0rds! Best Practices to Protect Your Business Assets

Password quality and strength are critical for businesses that need to protect sensitive or private information. While many organizations have improved their password requirements and policies, hackers continue to gain access to restricted data and accounts through weak passwords.

Consider the following statistic: according to password management service SplashData, approximately three percent of internet users in North America and Western Europe used the password “123456” in 2018, a finding based on five million hacked passwords found for sale on the dark web. Applied to the 750 million internet users in those regions, that is 25 million people whose accounts are exposed to criminal activity because they use “123456” as their password.[1] Stolen or compromised login credentials give hackers and other cybercriminals unauthorized access to sensitive information and can seriously compromise an organization’s network and valuable data.

What can end users do to create stronger passwords, as well as protect themselves and their organization from cybersecurity threats?

Best Practices for End Users

To improve security for your accounts and data, consider these best practices for end users:

  • Never reuse passwords across multiple accounts, platforms, systems or software. A common mistake is using the same password for work and personal accounts. Attackers count on this password commonality when targeting an organization: a password exposed from one account is tried against the victim’s other accounts, and the resulting credentials and password hashes are sold on the dark web.
  • Increase the length and complexity of the password. A password of at least 15 characters is the recommended minimum; at that length it resists cracking for almost every type of password hash used by applications and network devices. Mix uppercase and lowercase letters, numbers and symbols to increase complexity. The longer the password, the harder it is to crack, so go beyond the recommended 15 characters where you can.
  • Your username should never be part of your password. Including it increases the likelihood of your accounts being compromised.
  • Avoid dictionary words, the word “password” and keyboard patterns such as “123456” or “QWERTY.” Unfortunately, these are common choices, as the statistic above shows.
  • Never include personal information in your password. This includes your date of birth, Social Security number and phone numbers, as well as the same details for family members, such as your spouse’s or children’s birthdays.
  • Consider using a password manager to store passwords. These programs generate the strongest password each site allows, by length and complexity, for every individual login. Because end users no longer need to remember a password for every account, the manager also eliminates password reuse (password commonality) across logins. It stores all passwords in an encrypted database and fills them in automatically when the user signs in through a web browser on a phone or workstation. End users need to remember only one master password, which unlocks every other password. Several vendors offer this service for a small monthly fee; we recommend asking your organization’s administrators whether it is already provided.

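The end-user rules above can be turned into an automated check. The following is an added example written for this article, not code from DHG or any password manager vendor: it enforces the 15-character minimum, character variety, no username, no dictionary words, no keyboard sequences and no personal information, and then shows what a password manager does in effect, drawing random characters until a candidate satisfies the policy. The word list, the keyboard rows, the profile shape (names, ISO dates, phone numbers) and the sample user “jdoe” are all constructed for illustration.

```python
import re
import secrets
import string
from datetime import date

MIN_LENGTH = 15  # the article's recommended minimum length
# Constructed stand-in for a real dictionary word list.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "monkey"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _keyboard_runs(min_run=4):
    """Every forward or backward slice of a keyboard row, min_run characters or longer."""
    runs = set()
    for row in KEYBOARD_ROWS:
        for size in range(min_run, len(row) + 1):
            for start in range(len(row) - size + 1):
                run = row[start:start + size]
                runs.add(run)
                runs.add(run[::-1])
    return runs


KEYBOARD_RUNS = _keyboard_runs()


def _personal_tokens(profile):
    """Strings derived from a user's profile (constructed shape: names, ISO dates,
    phone numbers) that must not appear anywhere in the password."""
    tokens = set()
    for name in profile.get("names", []):
        tokens.add(name.lower())
    for d in (date.fromisoformat(s) for s in profile.get("dates", [])):
        tokens.update({d.strftime("%Y"), d.strftime("%m%d%Y"), d.strftime("%d%m%Y"),
                       d.strftime("%m%d%y"), d.strftime("%Y%m%d")})
    for phone in profile.get("phones", []):
        digits = re.sub(r"\D", "", phone)
        tokens.add(digits)
        tokens.add(digits[-4:])  # the last four digits are often used on their own
    return {t for t in tokens if len(t) >= 4}


def check_password(password, username, profile=None):
    """Return the list of policy violations; an empty list means the password passes."""
    profile = profile or {}
    lower = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password))
    if sum(1 for c in classes if c) < 3:
        problems.append("uses fewer than three character classes")
    if username and username.lower() in lower:
        problems.append("contains the username")
    if any(word in lower for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if any(run in lower for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard sequence")
    if any(token in lower for token in _personal_tokens(profile)):
        problems.append("contains personal information")
    return problems


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, username="", profile=None, attempts=1000):
    """What a password manager does: draw random characters from the full alphabet
    and keep the first candidate that satisfies check_password."""
    for _ in range(attempts):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, username, profile):
            return candidate
    raise RuntimeError("no compliant password generated")  # practically unreachable


if __name__ == "__main__":
    # Constructed sample user and profile.
    profile = {"names": ["Jane", "Doe"], "dates": ["1984-03-07"], "phones": ["555-867-5309"]}
    for pw in ("123456", "Jdoe!Summer1984#Pass", "Summer!Rainfall#2024x"):
        print(f"{pw!r}: {check_password(pw, 'jdoe', profile) or 'OK'}")
    print("generated:", generate_password(20, "jdoe", profile))
```

The substring checks are deliberately run on the lower-cased password, so “Jdoe” and “1984” are caught regardless of capitalisation; the keyboard check flags any four-key row segment in either direction, which is why “123456” and “QWERTY” fail even when padded with other characters.
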
Best Practices for Administration

An organization’s IT administration also can engage in some password best practices:

  • Engage end users in password protection and cybersecurity training. Educate the organization’s end users on the password policy and enforce minimum standards for all passwords, including length, complexity and age.
  • Require and enable multi-factor authentication (MFA). MFA can help prevent hackers from leveraging stolen login credentials and passwords. MFA is a great tool for web-based applications and password resets.
  • Consider a password blacklist for the organization. A password blacklist lists disallowed passwords: those that are too common or that have appeared in previous breaches. It should be comprehensive and updated regularly, which a third-party password blacklisting service can help with.[2]
  • Establish login attempt thresholds. Consider locking an account after 10 or fewer invalid login attempts, with a waiting period of at least 15 minutes before the account password can be reset.
  • Maintain password history. Keeping track of end users’ password histories can prevent the reuse of a password within a certain timeframe.
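The last three administrative controls (blacklist, login thresholds, password history) are enforced on the server side. The following is an added example written for this article, not code from DHG or any identity product: a blacklist check that normalises common substitutions before comparing, a per-user lockout after 10 failed attempts, and a password history kept as salted hashes so previous passwords can be recognised without being stored. The blacklist contents, the history depth of 12, and the PBKDF2 parameters are constructed; treating the article’s 15-minute period as the lockout duration is an assumption made for the example.

```python
import hashlib
import hmac
import os
import string
import time
from collections import deque

# Constructed blacklist; a real deployment loads a comprehensive, regularly updated list.
BLACKLIST = {"123456", "password", "passwords", "qwerty", "welcome", "letmein"}
# Common substitutions reversed, so that "P@$$w0rd" is recognised as "password".
LEET = str.maketrans("@$!0134", "asiolea")


def normalize(password):
    """Lower-case, drop a trailing run of digits/punctuation, undo leet substitutions."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return (stripped or lowered).translate(LEET)


def is_blacklisted(password):
    """True if the password itself or its normalized form is on the list."""
    return password.lower() in BLACKLIST or normalize(password) in BLACKLIST


LOCKOUT_THRESHOLD = 10      # the article's "10 or fewer invalid attempts"
LOCKOUT_SECONDS = 15 * 60   # the article's 15-minute period, modelled here as lockout duration


class LoginGuard:
    """Counts failed logins per user and locks the account when the threshold is hit.
    The clock is injectable so the behaviour can be exercised without waiting."""

    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}      # user -> deque of failure timestamps inside the window
        self._locked_until = {}  # user -> epoch seconds

    def is_locked(self, user):
        return self._now() < self._locked_until.get(user, 0)

    def record_failure(self, user):
        """Register one failed attempt; returns True when this attempt locks the account."""
        now = self._now()
        window = self._failures.setdefault(user, deque())
        window.append(now)
        while window and now - window[0] > LOCKOUT_SECONDS:
            window.popleft()  # forget failures older than the window
        if len(window) >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            window.clear()
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


HISTORY_DEPTH = 12            # constructed: how many previous passwords are remembered
PBKDF2_ITERATIONS = 50_000    # constructed; tune to your hardware


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Stores salted hashes of each user's previous passwords and rejects reuse."""

    def __init__(self, depth=HISTORY_DEPTH):
        self._entries = {}  # user -> deque of (salt, digest); oldest entry dropped first
        self._depth = depth

    def was_used(self, user, password):
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries.get(user, ()))

    def set_password(self, user, password):
        """Apply blacklist and history checks; returns 'ok', 'blacklisted' or 'reused'."""
        if is_blacklisted(password):
            return "blacklisted"
        if self.was_used(user, password):
            return "reused"
        salt = os.urandom(16)
        history = self._entries.setdefault(user, deque(maxlen=self._depth))
        history.append((salt, _hash(password, salt)))
        return "ok"


if __name__ == "__main__":
    print("Pa$sw0rds! blacklisted:", is_blacklisted("Pa$sw0rds!"))
    guard = LoginGuard()
    for attempt in range(1, LOCKOUT_THRESHOLD + 1):
        if guard.record_failure("jdoe"):
            print(f"jdoe locked after {attempt} failures")
    history = PasswordHistory()
    for pw in ("Summer!Rainfall#2024x", "Summer!Rainfall#2024x", "P@$$w0rd!"):
        print(pw, "->", history.set_password("jdoe", pw))
```

Normalising before the lookup matters because users routinely defeat a literal blacklist with a capital letter, a trailing “1” or a “$” for an “s”; the spelling in this article’s own title, “Pa$sw0rds!”, normalises to “passwords” and is rejected. Keeping history as salted PBKDF2 hashes means a leaked history table does not hand an attacker the user’s previous passwords in clear text.
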

Committing to a strong policy for passwords can strengthen the security of your organization and its end users and protect both from cybercriminal activity.

About DHG IT Advisory

DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your IT advisory needs that drive your business. To learn more about DHG’s IT Advisory services, visit


  1. Edelstein, Howard. “The Problem with Your Password? Everything.” Infosecurity Magazine, February 25, 2019.
  2. Bowen, Karen. “Protect Your Organization Against Password Spraying.” Infosecurity Magazine, July 19, 2019.



Douglas Jambor, CISSP, ISFCE, CCE
Senior Manager, DHG IT Advisory

© Dixon Hughes Goodman LLP. All rights reserved.
DHG is registered in the U.S. Patent and Trademark Office to Dixon Hughes Goodman LLP.