10 Essential Password Security Best Practices

May 2, 2022 Todd Terwillegar

If you’re in any way vigilant about online security, you undoubtedly have a different, complicated password for every protected online resource that you use. Also, because you’re vigilant, you might sometimes have trouble remembering passwords. But weak passwords won't stand up to security issues from hackers.

Passwords are a pain, but strong passwords are also a necessary means of defense against hackers who won’t stop at anything to gain access to your accounts. It’s worth the time and effort to keep hackers off-balance with smart, extremely strong passwords that (hopefully) you can still remember. 

That is why as Liquid Web celebrates World Password Day coming up on May 5th, 2022, we are sharing password security best practices, common passwords you should never use, mistakes to avoid, ways hackers gain passwords, and the one thing everyone wants to know: how to make a strong password.

10 Password Security Best Practices in 2022

Here are the top security best practices around how to make a strong password in 2022:

1. Unique Passwords for Each Account

Use different passwords for different accounts, so if one is compromised, the others are not. This will avoid attack types such as credential-stuffing attacks, where hackers use stolen credentials on other common platforms in hopes to gain entry.

2. Characters and Symbols Instead of Letters

Phrases using symbols like a smiley face ":)" instead of using the word happy, or replacing the word “to” with the number “2”. Using characters and symbols in place of letters can make your password more difficult to guess for hackers or brute force attack techniques.

3. Try Passphrases

One of the most important password security best practices to employ is to use passphrases with words that don’t normally go together instead of easily-forgettable, long-character passwords. Passwords like “puppy airplane eating banana” are more easily remembered and less likely to be hacked than “puppy running around yard.” Use at least four words as part of your passphrase.

4. At Least 12 Characters in Length

For the best password security, our best practices recommend using at least twelve characters of interchangeable lower case, upper case, symbols, and numbers within your password, regardless of if you use a passphrase or not. Password length is more important for security than using numbers, characters, or symbols alone. Password length is a leading indicator of how long it may take for a password to be cracked by a brute force attack or other hacker password-cracking algorithm.

5. Analyze Password Strength

Always check your password strength. Most sites allow for a password analyzer to communicate how strong or weak your password may be. Pay attention to the analyzer results and alter your password accordingly to make it stronger.

Interested in how to make a strong password? Nexcess offers a unique Password Generator tool that allows you to generate complicated passwords, generate passphrases, or even check the strength of your existing passwords easily and securely.

6. Change Password Quarterly

Passwords can still be guessed or cracked, given enough time. That is why you should change your password every 60-90 days on user-level accounts. This ensures hackers using social engineering, brute force, and credential-stuffing attacks cannot use your older passwords to gain access to your systems or data.

7. Enable Two-Factor Authentication

Employ Two-Factor Authentication (2FA), also known as Multi-Factor Authentication. This uses a text-based or application-based authentication method to verify your identity prior to access. Even if a hacker gains your password in some fashion, they will not be able to access your systems without access to your phone as well.

8. Use a Password Manager

And lastly, invest in a password manager. Password managers use multiple forms of encryption to ensure that your passwords are even harder to crack and allow you to only need to remember one password. Passphrases are perfect for use as your password manager master password, and then you can use extremely difficult passwords for your other user-level accounts and systems.

9. Check Your Username and Password Against Data Breach

Another password security best practice is to use a security tool such as Have I Been Pwned to check and see if your credentials were included in any recent data breaches globally. This allows you to make educated decisions about which passwords might need to be changed immediately.

10. Never Use Personal Information in a Password

Never use your first name, last name, age, birthday, phone number, address, bank account, or any other sensitive personal information as part of your password. Don’t even use your dog’s name or your favorite travel spot. Doing so makes social engineering attackers' jobs easier; most of this information is available on your Facebook account, which is public information.

There are three types of password managers: offline-based, browser-based, and application-based.

What are the Most Common Passwords?

The most commonly used and worst password in 2021 was “123456.” Other common passwords included “123456789,” “qwerty,” or even “password.” And do not think for one minute that password1 is a whole lot better.

Anyone using any of these passwords is just begging to be hacked. Hackers are everywhere, and they are constantly looking for password vulnerabilities to attack.

What Password Mistakes Should You Avoid?

To protect your passwords, here are eight common password mistakes to avoid:

  1. Consecutive keyboard combinations, for example, “zxcvb” or “qwerty.”
  2. Trending slang phrases or words spelled backward.
  3. First name, family name, or names of your spouse or kids.
  4. No personal information, like your birthday or age.
  5. Never recycle old passwords, use passwords only once.
  6. Don’t use the same password for every account you possess.
  7. Don’t let anyone watch you enter your password.
  8. Always log off of your account if you leave your computer around or are on a public network.

These are all great helpful hints to keep you away from being hacked, which can often lead to an even worse turn of events, like identity theft or data theft/loss.

What Ways Do Hackers Use to Hack or Gain Passwords?

Brute Force Attacks

Brute force attacks are when hackers try to overpower your defenses, attempting combinations of usernames and passwords with software that recombines English dictionary words with thousands of variations in an attempt to access your website.

While WordPress is the most popular CMS, and therefore the most targeted for brute force attacks, other CMS platforms, and login systems are also vulnerable to attack.

Avoid “Admin”

Avoid the default “admin” name for WordPress and other login systems. Hackers will always try using “admin.”

Also, don’t use common names or even your website name as the username. As tempting as it is to think a hacker won’t be able to spell your difficult last name, he/she can always cut and paste it from another source.

Social Engineering

Social engineering is a malicious tactic hackers use to manipulate their targets into divulging sensitive and confidential information. Social engineering can happen across many different platforms, including email, social media, and even the phone. Social engineering, when paired with spear phishing, can be extremely effective to unwary targets that are not on the lookout.

The entire point of social engineering attacks is to gain confidential information that could be used to gain access to systems, steal data, or steal your identity.

Unlimited Login Attempts

Website logins can be set to have either unlimited or a set number of login attempts. It never hurts to limit the number of login attempts you can make to access your site. Not only will this eliminate the threat of brute force attacks, but it keeps hackers from attempting to access their site through manual password entry from socially engineered attacks.

If you are using WordPress, you can download a plugin to do this for you, or even whitelist/blacklist specific IPs for access/denial of access. This way, you can be sure legitimate users can access your site while malicious hackers cannot.

How to Celebrate World Password Day

So, all of this discussion around password security best practices is great and grand you say, but how do you celebrate World Password Day? 

Start by checking your most-used account passwords:

  • Do these passwords meet minimum requirements against a password checker for strength? If not, change them now.
  • Have these passwords been included in a data breach? If so, consider the ramifications and if any other accounts are at risk.
  • Are these passwords used on other user-level accounts? Do any of these accounts have bank information tied to them or other sensitive information? If so, change all of these passwords as soon as possible.
  • Have these passwords been shared with anyone else, internally or externally? If so, change the passwords now.
  • Are you using 2FA or a password manager? If not, start by asking your IT manager if the organization has a recommended password tool. If not, Liquid Web has a list of password managers to check out. You can even use some for free.

Take the time to answer these questions and you will be well on your way to implementing password security best practices.

Take Password Security Best Practices Seriously

The above password security best practices will help you further secure your site. Granted, thorough password protection isn’t a quick task, but it’s worth the time and effort to keep hackers off their game while safeguarding your site and customer data from theft.

Secure Your Infrastructure Today With This Checklist

Download our Security Structure Checklist for SMBs
eBook - SMB Security Checklist

About the Author

Todd Terwillegar is the Digital Content Marketing Manager and Editor-in-Chief for the Liquid Web Blog, helping growing web businesses and enterprises thrive with the latest trends and technologies. Todd has been published with several global brands on the topics of marketing, SEO, and blogging, including Nexcess & Uberflip. You can follow Todd on LinkedIn.

More Content by Todd Terwillegar
Previous Article
Host-Based Intrusion Detection System: Definition, How It Works, & Threats Guide
Host-Based Intrusion Detection System: Definition, How It Works, & Threats Guide

Find out what a host-based intrusion detection system is, how HIDS work, emerging threats, and use cases fo...

Next Article
How to Implement the NIST Cybersecurity Framework Today
How to Implement the NIST Cybersecurity Framework Today

Find out what the NIST cybersecurity framework is, why you need it, and best ways to implement and use the ...

Ensure Your Website is Secure

Back to Overview