Skip to main content
Security Scorecard

How to Ensure Password Hygiene at Your Organization

Posted on July 6th, 2021

In a SecureAuth survey, 62% of respondents claimed to use the same password across three to seven different accounts. It begs the question: If passwords play an integral role in cybersecurity performance, why are people so remiss when it comes to practicing good password hygiene?

Practicing good password hygiene is a security measure that organizations must take to protect against cyber threats. With concerns rising over data breaches, organizations must teach employees to take the necessary password protection measures to avoid attacks and compliance headaches.

Let’s take a look at the best practices organizations can use to establish robust password hygiene and how to monitor for potential password vulnerabilities.

What is password hygiene?

Password hygiene is the practice of ensuring passwords are unique, difficult to guess, and hard to crack. It is the set of guidelines and principles that, when leveraged correctly, help keep your passwords protected from cybercriminals.

Good password hygiene best practices include selecting tough passwords, selecting a unique password for each account, avoiding the temptation to choose passwords that are easy to recall or guess, and keeping personal passwords private.

How do passwords get stolen?

According to Google, 4 out of 10 Americans have had their online personal data compromised. Of those, 47 percent have lost money as a result. Practicing good online habits now can protect you and your business from financial loss and security breaches in the future. Let’s take a look at the common methods someone could use to steal your password:


If your password is simple and obvious, someone might be able to guess it right off the bat. An example of an obvious password is “12345” or “abc123”.

In addition, if your password is connected to you personally, then someone who knows you may be able to figure it out. Studies show that 59 percent of U.S. adults have incorporated a name or birthday into their password, so if you share this information on social media, then someone that follows you may be able to guess your passwords using details from your profile.

Brute force

A brute-force attack happens when a computer program promptly runs through every possible password combination until it figures out the correct password. If your password is simple, a software program specifically designed to hack passwords will likely be able to confirm the correct password in a matter of minutes.

Fortunately, the more characters your password contains, the harder it is to crack. A long password with a mix of uppercase and lowercase letters, symbols, and numbers is inherently more secure than a short one.

Social engineering

Social engineering is the practice of manipulating people to give up their confidential information.

An example would be an email that contains an urgent message claiming to come from a bank or similar entity. To lure you into clicking the compromised link, the email can ask you to verify your password due to suspicious activity on your account. Once you click on the link and enter your password, you’ve unknowingly just handed your credentials over to the hacker.

Data breaches

If a website experiences a data breach, your personal information is at risk of being leaked into the online world. In the event that you find your information was compromised in a security breach, your password should be changed immediately. It is important to remember that if you use the same password on other websites, cybercriminals may be using it to log into other accounts. This is why it’s imperative that you use a unique password for every website.

Five best practices for password hygiene

When you consistently incorporate a few password security best practices into your online routine, you can dramatically reduce the risk that your accounts will be compromised. Now that you understand the consequences of poor password hygiene, here are five best practices that you can implement moving forward:

1. Use two-factor authentication

Two-factor authentication requires an additional step before the user logs into the account. Typically, the user receives a one-time password via phone or email to ensure that only the right people can access the account.

Most websites let users override two-factor authentication for trusted devices for convenience, but it’s not good in terms of security. When you override two-factor authentication, you’re allowing your accounts to be vulnerable to hackers.

2. Avoid reusing passwords

Using the same passwords for several accounts may be convenient, but you’re making it easier for cybercriminals to gain access to multiple accounts, should they be able to break into one account.

Even if you have a strong password, it is important to use a different one for every account you use.

3. Protect your password list

People tend to keep their list of passwords in one place. It is important to keep your password list secure so that it can’t be easily found by others, and to hide any physical record that contains your credentials.

4. Do not mix personal and work emails

It's important not to use a single email account for business and personal correspondence. This can result in a massive data loss when a cybercriminal cracks your password and gains access to your email account.

Instead, you should create an email account to consolidate your work communications and a separate personal account for communication with friends and family.

5. Leverage a password manager

A password manager helps you generate strong passwords and store them all in one encrypted place. You only need to remember one password to access your password manager.

Are they secure and useful? The answer is complicated because password managers aren’t foolproof. Password managers serve as an amazing organizational tool, enabling you to practice better password hygiene. However, if someone gains access to your password manager account, they have access to all of your passwords.

How SecurityScorecard helps keep you protected

Keeping your devices and passwords secured will help you avoid being a target of malicious cyber attacks. Cybercriminals are more likely to move on to their next target when the password is difficult to crack.

You can also leverage SecurityScorecard’s security ratings platform to get a holistic view of your organization’s security posture. Our platform continuously monitors your entire IT ecosystem to detect any security vulnerabilities that need immediate attention. Our easy-to-read A-F rating scale gives you visibility into your cybersecurity controls’ effectiveness. With our platform, you can easily monitor your cyber hygiene and identify threats more proactively, some of which may be caused by poor password practices.

Return to Blog
Join us in making the world a safer place.