World Password Day advice
Passwords may be replaced with other technologies, but may still be needed for backup. Here's what IT and corporate leaders should do
Tomorrow is World Password Day, when IT and executive leaders in all organizations should remind employees to follow safe password creation practices both on the job and at home, and to use a password manager to securely manage all their passwords.
Stealing username and password combinations is one of the leading goals of hackers, who then use the credentials to break into weakly protected IT systems.
However, leaders also have to remember they have a responsibility to add technologies that eliminate the reliance on mere usernames and passwords for network access. These include the addition of phishing-resistant multifactor authentication, passkeys (which include biometrics like fingerprints or facial recognition), security keys (like YubiKey and Google Titan), single sign-on, behavioural analytics and more. In fact, these technologies may be appropriate to replace passwords in your organization.
In 2025 no organization should be without at least multifactor authentication as an extra step for employee and customer network logins in case credentials are stolen, and ideally it should be a phishing-resistant MFA solution.
The good news: According to the latest Verizon Data Breach Investigations Report, which analyzed thousands of security incidents over 12 months, credential abuse by attackers as a cause of initial access is dropping. That's no reason, though, to ease off on reminding employees about proper password creation. Passwords will be around for a long time, if only as a backup.
Even if stored passwords are hashed, that may not be enough of a defence, especially if the employee uses a simple password. According to Hive Systems, a six-character password with only lowercase letters can be cracked in 46 minutes, depending on the hacker's computing resources. An eight-character password with only lowercase letters could be cracked in 43 minutes with the help of the AI chatbot ChatGPT4.
Before getting into what good passwords are, organizations have to create an identity and access management (IAM) policy. This includes establishing what your organization decides is a safe password (for example, at least X characters, and X or more for high-security accounts) and requiring that it be original (that is, staff can't use a corporate password that's identical to any other password the person uses). IAM should also mandate that credentials are hashed according to the latest standards, and set authentication rules (for example, mandatory MFA, secure login portals, data access limited to only those who need it, policies for monitoring access, and rules for deleting the passwords of those who change positions or leave the organization). IAM would also include technology that prevents employees from creating bad passwords by screening them against a blacklist of forbidden words, such as commonly used, easily guessed and lazy passwords like “password,” “123456,” “admin” and “qwerty,” common names, days of the week and months of the year, and variations like “Monday1” and “Susan3.”
For more on creating an identity and access management policy see this page by the U.S. National Institute of Standards and Technology (NIST), or this guide from the U.K. National Cyber Security Centre.
Back to creating a safe password. NIST says employees should create passphrases rather than passwords, because phrases are easier to remember. A safe passphrase should NOT be something easily guessed like words from a song, a political phrase (“MakeAmericaGreatAgain”) or a line from a book (“ItWasADarkandStormyNight”). A safe and memorable passphrase can be, for example, a mix of a fruit, a vegetable and a mineral (“OrangeCarrotGold”), the names of three favourite athletes from different sports, or words based on a person’s initials.
Hint: Tell staff to type their passphrase into a search engine like Google. If there isn’t a response, it’s a good phrase.
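As an added example that is not from the article, NIST or any named vendor, here is a small Python screener of the kind the IAM paragraph describes, tried against the passphrase examples above. It enforces an assumed minimum length (12 characters, or 16 for high-security accounts, standing in for the article's "X") and rejects anything that reduces to an entry on a constructed blacklist, so that variations like "Monday1", "Susan3" and "P@ssw0rd!!!!" are caught along with the bare words.

```python
import re

# Assumed policy lengths standing in for the article's "X"; tune to your policy.
MIN_LENGTH = 12
MIN_LENGTH_HIGH_SECURITY = 16

# Constructed blacklist: the article's examples plus common names, weekdays,
# months and the easily guessed phrases it warns against. A real deployment
# would load a much larger list (for example, known-breached passwords).
BLOCKLIST = {
    "password", "123456", "admin", "qwerty", "letmein", "welcome",
    "susan", "michael", "john", "david", "sarah",
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "makeamericagreatagain", "itwasadarkandstormynight",
}

# Undo common letter-for-digit/symbol substitutions so "P@ssw0rd" is seen as "password".
LEET = str.maketrans("013457@$!", "oieastasi")


def normalize(pw: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, then undo leet substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def check_password(pw: str, high_security: bool = False) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    required = MIN_LENGTH_HIGH_SECURITY if high_security else MIN_LENGTH
    if len(pw) < required:
        problems.append(f"shorter than {required} characters")
    # Screen both the normalized core (catches "Monday1", "Susan3", "P@ssw0rd!!!!")
    # and the raw lowercase value (catches all-digit entries such as "123456").
    for candidate in (normalize(pw), pw.lower()):
        if candidate in BLOCKLIST:
            problems.append(f"based on forbidden word '{candidate}'")
            break
    return problems


if __name__ == "__main__":
    for sample in ("Monday1", "Susan3", "P@ssw0rd!!!!", "123456",
                   "ItWasADarkandStormyNight.", "OrangeCarrotGold"):
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
```

Only "OrangeCarrotGold" passes; the others are rejected for length, for reducing to a blacklisted word, or both.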
Staff will complain about having to remember dozens of passwords for work and home. The solution: Give them a software password manager. One may come with your corporate anti-malware solution. Otherwise choose an enterprise-grade manager from an independent provider. Even better: Let employees use a company-provided password manager for their home devices.
As I said, passwords/passphrases will be around for a while. You can log into a laptop with a fingerprint, but what if you rush and the damn thing rejects the third try? Guess what Windows demands as a backup. So make sure employees, and where appropriate customers, create safe passphrases. They’re part of a mature cybersecurity strategy.