Security

Don’t make these common password mistakes

Published on 08 November 2017

Recent major cyber breaches highlight that there’s still much more to be done when it comes to educating employees about security best practices.

Take Deloitte, for example, who were hit with a cyberattack earlier this year. Their systems were compromised through a hacked administrator’s account that did not require multi-factor authentication. As a result, the hacker had unrestricted privileged access to internal files; revealing the emails, usernames, passwords and personal details of Deloitte’s large blue-chip clients.

The lesson here is simple: you can never be too careful. Robust privileged access management solutions could have prevented this breach. But security can also come from simple steps, such as setting secure passwords.

In fact, all companies should be encouraging employees to set powerful passwords. As an IT manager, you may have the know-how, but this doesn’t always trickle down to employees.

Here are some tips and tricks worth reminding others of when it comes to cyber-hygiene.

Size matters

While a password such as Secur!tTy123 may seem hard to crack for humans, it’s relatively easy for computers to eventually guess. The thing to remember is that the longer the password, the harder it is to crack. So, opt for something like a string of random phrases, such as ‘swan windmill heartbeat soccer Ryvita’ over a shorter combination of alphanumeric nonsense.

Spread out special characters

Most password fields require you to include upper and lower cases as well as numbers and symbols. This is all well and good, but most people tend to capitalize the first letter of the password and add a symbol or number at the end. Again, machines can guess this predictable behavior, making the additional special characters redundant.

Don’t force regular changes

Not too long ago, many regulators and standard organizations recommended regular password changes. But this is no longer the best course of action. Regular changes encourage risky behavior – using passwords that can be easily guessed, using predictable password strategies, or reusing the same password for multiple accounts. Instead, encourage long passwords and the use of a password manager.

Assume nothing is private

You may think you have your social media profiles on lockdown, but hackers can still find out the names of your family members or interests by digging around. Likewise, don’t save your passwords in a plain text file and assume no one will be able to find it. Pen and paper is harder to hack than a Word doc. And instead of writing your passwords down, consider writing the name of the website, your login and a clue that will jog your memory.


Of course, passwords alone won’t keep you totally protected. They should be used with multi-factor authentication and work alongside other security measures, such as privileged user access management solutions. These, combined with regular training can lower the risk of a hack and stop your organization from becoming the next Equifax.

For more advice on protecting against privileged account hacks, download this whitepaper.

by Balabit

Balabit, a One Identity business, is a leading provider of Privileged Access Management (PAM) and Log Management solutions. Founded in 2000, Balabit has a proven track record of helping businesses reduce the risk of data breaches associated with privileged accounts.

share this article
Mitigate against privileged account risks
Get in touch

Recent Resources

The top IT Security trends to watch out for in 2018

With 2017 now done and dusted, it’s time to think ...

The key takeaways from 2017’s biggest breaches

Like many years before it, 2017 has seen a large ...

Why is IT Security winning battles, but losing the war…?

When a child goes near something hot, a parent will ...

“The [Balabit] solution’s strongest points are the privileged session management, recording and search, and applying policy filters to apps and commands typed by administrators on monitored sessions.”

– The Forrester Wave, Privileged Identity Management, Q3 2016, by Andras Cser