While cyber hygiene is becoming more widely recognised by individuals and businesses alike, especially with the drive by governments, financial institutions and utility service providers to enforce password security or multi-factor authentication (MFA), there are still gaps which, once closed, can strengthen our organisation's security posture further.
For example, weak passwords at the workplace can pose significant security risks. According to Keeper Security’s Password Management Report, around one-third of users reuse variations of strong passwords, which leaves systems vulnerable.
While particular passwords can be deemed "strong", the practice of reusing such passwords across multiple accounts, even if slight modifications are made, can compromise the overall security posture.
We need to ensure we habitually and stringently improve our password hygiene and minimise human errors. Some password management best practices include using unique passwords, leveraging password managers and enabling Multi-Factor Authentication (MFA) methods when available.
Here are 8 tips for a stronger password security posture:
1. Use strong, unique passwords for every account
Use strong, unique passwords for every account to protect sensitive information. Reusing passwords increases the risk of a security breach. If even one account is compromised, cybercriminals can use the same login credentials across multiple systems, potentially gaining access to work emails, cloud storage or internal tools.
We should avoid simple passwords like “password123” or number sequences. Cybercriminals now use Artificial Intelligence (AI) tools and brute-force automated attacks to crack weak passwords easily. A strong password should be at least 16 characters long with a combination of uppercase and lowercase letters, numbers and symbols. For help creating strong and unique passwords, employees can rely on a password manager with a built-in password generator. These tools eliminate the need for employees to memorise or write down login credentials, reducing the risk of human error.
2. Use passkeys when available as an option
You may have noticed that many apps now ask you to set up a passkey, from mail accounts to online services. This is a security feature that many tech vendors are moving to. We should use passkeys instead of traditional passwords whenever possible. A passkey is a passwordless authentication method that allows users to sign in using biometric information or a PIN.
Unlike passwords, passkeys cannot be reused across multiple accounts. They are also phishing-resistant, since there’s no actual password that can be stolen or intercepted by a cybercriminal. As the adoption of passkeys grows, we should use them to simplify login experiences and significantly reduce our organisation’s susceptibility to password-based cyberattacks.
3. Store passwords in a company-approved password manager
Businesses should require employees to store their login credentials in a company-approved password manager. Writing passwords on sticky notes or saving them in spreadsheets increases the risk of a data leak, especially in hybrid and hot-desk offices where employees come and go and such openly displayed passwords can easily be read by others.
Trustworthy password managers can provide secure, encrypted storage, generate strong passwords and autofill credentials.
4. Enable Multi-Factor Authentication (MFA) wherever it’s offered
Multi-Factor Authentication (MFA) adds an extra layer of security to online accounts by requiring additional identity verification. We should enable MFA on all supported accounts because, even if a password is compromised, MFA can stop cybercriminals from gaining unauthorised access.
While SMS-based codes are better than nothing, they are vulnerable to SIM swapping and interception, so employees should use more secure types of MFA, such as authenticator apps, hardware security keys and biometrics.
5. Don’t enter your password into links from emails or messages
Phishing attacks trick employees into entering login credentials on fake websites. Phishing emails and fake websites can look very convincing, mimicking trusted platforms like Google Workspace or Microsoft 365, with almost identical logos and branding. We should be cautious of any unsolicited message that uses urgent language and asks us to click a suspicious link. We should never enter a password without verifying the sender and hovering over the URL to check its true destination. If the URL doesn't match the official website, it is most likely a phishing attempt.
My advice is to go directly to the website by typing the URL into a browser or checking with your organisation’s IT team. Taking a few extra steps to verify the safety of a link can prevent our staff from falling victim to scams that could expose sensitive data.
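To make "check the URL's true destination" concrete, here is an added Python example (not from the article and not Keeper Security's code) that extracts the host a browser would actually connect to and compares it with a constructed allowlist of official sign-in domains. The allowlist, the sample links (which use the reserved `.example` TLD and a documentation IP range) and the function names are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation treats as legitimate sign-in
# destinations; a real deployment maintains its own list (assumption for this example).
TRUSTED_DOMAINS = ("google.com", "microsoftonline.com", "microsoft.com")


def host_is_under(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it (match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def inspect_link(raw_url: str, trusted_domains=TRUSTED_DOMAINS) -> dict:
    """Resolve where a link really points and list the reasons it should not receive a password."""
    parts = urlsplit(raw_url.strip())
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lower-cases the host
    warnings = []

    if parts.scheme != "https":
        warnings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if parts.username is not None:
        # Text before '@' is user-info, not the destination; the browser connects to `host`.
        warnings.append(f"text before '@' is ignored by the browser; real host is '{host}'")
    try:
        ipaddress.ip_address(host)
        warnings.append("destination is a bare IP address rather than a named site")
    except ValueError:
        pass  # a normal hostname, not an IP literal

    trusted = any(host_is_under(host, d) for d in trusted_domains)
    if not trusted:
        warnings.append(f"host '{host}' is not under any trusted domain")
        # A familiar brand name embedded in an unrelated host is a classic sign of a lookalike.
        embedded = [d for d in trusted_domains if d in host]
        if embedded:
            warnings.append(f"trusted name {embedded} appears inside an untrusted host")
    return {"host": host, "trusted": trusted, "warnings": warnings}


def safe_to_enter_password(raw_url: str) -> bool:
    """Only a warning-free link to a trusted domain should ever receive a password."""
    return not inspect_link(raw_url)["warnings"]


if __name__ == "__main__":
    # Constructed sample links: one genuine, one lookalike host, one misleading user-info prefix.
    for url in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "http://login.microsoftonline.com.account-verify.example/",
        "https://accounts.google.com@198.51.100.7/login",
    ):
        print(url, "->", inspect_link(url))
```

The suffix match in `host_is_under` is deliberate: a plain substring test would accept `microsoftonline.com.account-verify.example`, whereas requiring the trusted domain to be the end of the host name on a label boundary rejects it. The same logic is what you are doing by eye when you hover over a link and read the host from right to left.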
6. Lock your screen and log out when you step away
We should always lock our screens and log out of sensitive apps or accounts before stepping away from our devices, no matter how long or short the absence. Leaving a computer unattended and unlocked is an open invitation for an insider to view or modify company information.
This is especially important in areas where others may have physical access, such as open office environments, shared desks or when using "Bring Your Own Device" (BYOD) equipment that may not be managed by the IT department. Remote staff working from various public locations face similar risks, such as a stranger shoulder surfing or interacting with an unattended device.
7. Change your password right away if you think it’s compromised
Act quickly if there is any suspicion that a password has been compromised. Common signs of password compromise include unexpected login alerts, password reset emails the employee didn’t request or being locked out of an account without any explanation. If anything seems suspicious, we should immediately change the password for the affected account and notify our IT security team.
8. Follow your company’s password policy
Most organisations create password policies that outline detailed guidelines for creating and managing work-related passwords. These policies may include minimum password length, complexity standards and how often passwords must be rotated. Since many of us do not change our passwords often on our own, the organisation should enforce rotation automatically on a schedule.
We must adhere to these policies to maintain consistency and reduce security risks. If we are unsure of current password requirements, we should consult our organisation’s IT or security policies to ensure compliance.
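Tips 1 and 8 both come down to checks a password manager or an IT team can automate: minimum length, character classes, no predictable fragments, no near-duplicate reuse across accounts (the "variations of strong passwords" the report describes) and a rotation deadline. The following Python example is added here to show those checks in working form; it is not the article's code and not Keeper Security's product logic. The policy values (16 characters, four classes, a 90-day maximum age), the common-pattern list, the letter-for-symbol mapping and the sample vault are all constructed assumptions for illustration.

```python
import re
import secrets
import string
from datetime import date

# Hypothetical policy mirroring the article's guidance (16+ characters, all four
# character classes); the 90-day maximum age is an assumed example value.
POLICY = {"min_length": 16, "require_classes": 4, "max_age_days": 90}

CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Short constructed list of fragments that make a password predictable.
COMMON_PATTERNS = ("password", "qwerty", "letmein", "welcome", "admin", "123", "abc")

# Constructed mapping that undoes the usual letter-for-symbol substitutions.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "l"})


def canonical_stem(password: str) -> str:
    """Reduce a password to the memorable core a user is likely to reuse: lower-case it,
    drop the trailing digits/symbols people increment ("!2023" -> "!2024"), and undo
    common substitutions, so "Sunfl0wer!2024" and "Sunflower!2023" both become "sunflower"."""
    stem = re.sub(r"[\d\W_]+$", "", password.lower())
    return stem.translate(LEET_MAP)


def check_password(password: str, policy: dict = POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    present = sum(1 for chars in CHARACTER_CLASSES.values() if any(c in chars for c in password))
    if present < policy["require_classes"]:
        violations.append(f"uses {present} of {policy['require_classes']} required character classes")
    lowered, stem = password.lower(), canonical_stem(password)
    for pattern in COMMON_PATTERNS:
        # Checking the stem as well catches "P@$$w0rd2024", which hides "password" behind symbols.
        if pattern in lowered or pattern in stem:
            violations.append(f"contains a common pattern ({pattern})")
    if re.search(r"(.)\1{3,}", password):
        violations.append("repeats the same character four or more times in a row")
    return violations


def generate_password(length: int = 20, policy: dict = POLICY) -> str:
    """Generate a random password with every character class present, rejecting any
    candidate that happens to violate the policy (for example a chance '123' run)."""
    if length < policy["min_length"]:
        raise ValueError(f"length must be at least {policy['min_length']}")
    rng = secrets.SystemRandom()
    alphabet = "".join("".join(sorted(chars)) for chars in CHARACTER_CLASSES.values())
    for _ in range(100):
        # One guaranteed character from each class, the rest drawn from the full alphabet.
        chars = [secrets.choice(sorted(cls)) for cls in CHARACTER_CLASSES.values()]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, policy):
            return candidate
    raise RuntimeError("could not generate a compliant password")


def find_reused_variants(vault: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts whose passwords share a canonical stem, i.e. are variations of one another."""
    groups: dict[str, list[str]] = {}
    for account, password in vault.items():
        groups.setdefault(canonical_stem(password), []).append(account)
    return {stem: accounts for stem, accounts in groups.items() if len(accounts) > 1}


def is_rotation_due(last_changed: date, today: date, policy: dict = POLICY) -> bool:
    """True when the password is older than the policy's maximum age."""
    return (today - last_changed).days > policy["max_age_days"]


if __name__ == "__main__":
    # Constructed sample vault: two accounts reuse variants of "Sunflower".
    vault = {"mail": "Sunflower!2023", "cloud": "Sunfl0wer!2024", "vpn": "Correct-Horse-Battery-7Staple"}
    print(check_password("password123"))
    print(find_reused_variants(vault))  # {'sunflower': ['mail', 'cloud']}
    print(check_password(generate_password()))  # []
    print(is_rotation_due(date(2024, 1, 1), date(2024, 4, 15)))  # True
```

`find_reused_variants` is the part a plain complexity check misses: each of "Sunflower!2023" and "Sunfl0wer!2024" passes the length and character-class rules on its own, yet an attacker who obtains one can guess the other in a handful of attempts, which is why the report treats such variations as reuse. The generator uses the `secrets` module rather than `random` so the output is suitable for credentials.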
Strong password management is one of the most important ways we can improve our organisation’s security posture. From creating strong, unique passwords to locking screens when away, small habits can make a major difference in protecting sensitive data from being leaked and stolen.
Takanori Nishiyama is Senior VP, APAC & Japan Country Manager, Keeper Security.