8 Tips for Password Management Best Practices for Employees

By Takanori Nishiyama, SVP, APAC and Japan Country Manager, Keeper Security 

While cyber hygiene is becoming more recognized by individuals and businesses alike, especially with the drive by governments, financial institutions, and utility service providers to either enforce password security or multi-factor authentication (MFA), there are still gaps that, once closed, can strengthen the security posture further.

For example, weak passwords at the workplace can pose significant security risks. According to Keeper Security’s Password Management Report, 34% of users reuse variations of strong passwords, which leaves systems vulnerable. While particular passwords can be deemed “strong”, the practice of reusing such passwords across multiple accounts, even if slight modifications are made, can compromise the overall security posture.

It is recommended that employees develop more stringent habits to improve their password hygiene and minimize human error. Some password management best practices for employees include using unique passwords, leveraging password managers and enabling Multi-Factor Authentication (MFA) methods when available.

Here are 8 tips for a stronger password security posture:

1. Use strong, unique passwords for every account

Use strong, unique passwords for every account to protect sensitive information. Reusing passwords increases the risk of a security breach. If even one account is compromised, cybercriminals can use the same login credentials across multiple systems, potentially gaining access to work emails, cloud storage or internal tools.

Employees should avoid simple passwords like “password123” or number sequences. Cybercriminals now use Artificial Intelligence (AI) tools and brute-force automated attacks to crack weak passwords easily. A strong password should be at least 16 characters long with a combination of uppercase and lowercase letters, numbers and symbols. For help creating strong and unique passwords, employees can rely on a password manager with a built-in password generator. These tools eliminate the need for employees to memorize or write down login credentials, reducing the risk of human error.
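As an added example (not code from the article or from Keeper Security), the Python below implements the rule just stated: a check for the 16-character, four-class policy, a generator built on the `secrets` module that always satisfies that policy, and a check that rejects the "slight modification" reuse the article warns about. The function names and the sample password history are constructed for illustration.

```python
import re
import secrets
import string

MIN_LENGTH = 16  # the article's recommended minimum length

def meets_policy(password: str) -> bool:
    """Check the article's rule: 16+ chars with upper, lower, digit and symbol."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return all(classes)

def _normalize(password: str) -> str:
    """Collapse common variation tricks: case changes and digit/symbol prefixes or suffixes."""
    core = password.lower()
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)

def is_variation_of(candidate: str, previous: str) -> bool:
    """True when candidate is only a trivial tweak of previous (e.g. Summer2023! -> Summer2024!)."""
    a, b = _normalize(candidate), _normalize(previous)
    if not a or not b:
        return False
    shorter = min(len(a), len(b))
    return a == b or (shorter >= 6 and (a in b or b in a))

def generate_password(length: int = 20) -> str:
    """Generate a random password that is guaranteed to satisfy meets_policy()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    pools = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    alphabet = "".join(pools)
    # One character from each class first, then fill the rest from the full alphabet.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

# Constructed sample history of previously used passwords (illustration only).
PREVIOUS_PASSWORDS = ["Summer2023!", "Summer2024!"]

def check_new_password(candidate: str, history: list) -> list:
    """Return the policy problems with a candidate; an empty list means it is acceptable."""
    problems = []
    if not meets_policy(candidate):
        problems.append("too short or missing a character class")
    if any(is_variation_of(candidate, old) for old in history):
        problems.append("variation of a previously used password")
    return problems
```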

2. Use passkeys when available as an option

You may have noticed that many apps now request that passkeys be set up, from mail accounts to online services. This is a security feature that many tech vendors are moving to. Employees should use passkeys instead of traditional passwords whenever possible. A passkey is a passwordless authentication method that allows users to sign in using biometric information or a PIN. Unlike passwords, passkeys cannot be reused across multiple accounts. They are also phishing-resistant, since there’s no actual password that can be stolen or intercepted by a cybercriminal. As the adoption of passkeys grows, employees should use them to simplify login experiences and significantly reduce their organization’s susceptibility to password-based cyber attacks.

3. Store passwords in a company-approved password manager

Businesses should require employees to store their login credentials in a company-approved password manager. Writing passwords on sticky notes or saving them in spreadsheets increases the risk of a data leak, especially in hybrid and hot-desk offices where employees come and go and such openly displayed passwords can be easily breached. Trustworthy password managers can provide secure, encrypted storage, generate strong passwords and autofill credentials.

4. Enable Multi-Factor Authentication (MFA) wherever it’s offered

Multi-Factor Authentication (MFA) adds an extra layer of security to online accounts by requiring additional identity verification. Employees should enable MFA on all supported accounts because, even if a password is compromised, MFA can stop cybercriminals from gaining unauthorized access. While SMS-based codes are better than nothing, they are vulnerable to SIM swapping and interception, so employees should use more secure types of MFA, such as authenticator apps, hardware security keys and biometrics.

5. Don’t enter your password into links from emails or messages

Phishing attacks trick employees into entering login credentials on fake websites. Phishing emails and fake websites can look very convincing, mimicking trusted platforms like Google Workspace or Microsoft 365, with almost identical logos and branding. Employees should be cautious of any unsolicited messages that use urgent language and ask them to click a suspicious link. They should never enter a password without verifying the sender and hovering over the URL to check its true destination. If the URL doesn’t match the official website, it is most likely a phishing attempt. The best thing employees can do is go directly to the website by typing the URL into a browser or checking with their organization’s IT team. Taking a few extra steps to verify the safety of a link can prevent employees from falling victim to scams that could expose sensitive data.

6. Lock your screen and log out when you step away

Employees should always lock their screens and log out of sensitive apps or accounts before stepping away from their devices, no matter how long or short they are away. Leaving a computer unattended and unlocked is an open invitation for an insider to view or modify company information. This is especially important in areas where others may have physical access, such as open office environments, shared desks or when using “Bring Your Own Devices (BYOD)” that may not be managed by the IT department. Remote employees working from various public locations face similar risks, such as a stranger shoulder surfing or interacting with an unattended device.

7. Change your password right away if you think it’s compromised

Act quickly if there is any suspicion that an employee’s password has been compromised. Common signs of password compromise include unexpected login alerts, password reset emails the employee didn’t request or being locked out of an account without any explanation. If anything seems suspicious, employees should immediately change the password for the affected account and notify their organization’s IT security team.

8. Follow your company’s password policy

Most organizations create password policies that outline detailed guidelines for creating and managing work-related passwords. These policies may include minimum password length, complexity standards and how often passwords must be rotated. Since employees may not change their passwords periodically, organizations should enforce this change automatically on a schedule. Employees must adhere to these policies to maintain consistency and reduce organizational security risks. Employees who are unsure of their current password requirements should consult their organization’s IT or security policies to ensure compliance.

Good password security is a safer business

Strong password management is one of the most important ways employees can improve their organization’s security posture. From creating strong, unique passwords to locking screens when away, small habits can make a major difference in protecting sensitive company data.
