Password Hygiene: Why It’s Critical for Small Business Cybersecurity
The importance of password hygiene cannot be overstated: it’s a fundamental small business cybersecurity practice that protects against data breaches and unauthorized access.
Passwords continue to be the frontline defense for digital access but often become the weakest link in a company’s cybersecurity, experts say.
Poor password hygiene, such as weak passwords, can give attackers access to your business, leading to data theft, lateral movement and long-term damage.
“The emphasis on password security stems from the fact that 88 percent of organizations rely on passwords as their primary authentication method to safeguard their systems,” explains an article by Security Magazine.
“Yet when you observe the headlines around the latest major data breach, many trace back to human factors or errors, such as the hack of stolen or compromised login credentials like usernames and passwords.”
Here are 3 key best practices when it comes to strong password hygiene as shared by industry specialists in business cybersecurity.
Create Long Passwords
The most important part of a strong password is its length, according to guidelines issued by the National Institute of Standards and Technology (NIST).
“Every additional character dramatically increases the number of guesses an attacker would need to try,” explains the institute, which is part of the U.S. Department of Commerce.
For example, an eight-character password would take about 200 billion guesses. “That’s way too many for a human to guess but not a laptop, which can comfortably make 100 billion guesses per second,” the NIST says. “So eight characters is not very secure at all.”
Instead, the NIST recommends that a password be at least 15 characters long. “At 100 billion guesses per second, it would take a computer more than five hundred years to guess all the possible combinations of 15 lowercase letters.”
Make Passwords Unique
Creating unique passwords is also important to good password hygiene at your small business.
For example, cybersecurity and IT specialists advise against using names in your passwords, whether of pets, friends, family or famous people.
“While it might be tempting to create passwords modeled off the names of loved ones, pets, or celebrity figures, passwords including names are considerably easier to be compromised,” says Tech.co senior writer Isobel O’Sullivan in an article on the site.
Also, avoid the common pitfall of thinking a simple password is clever or unique. It is neither, and it opens the door to cyberattacks at your business.
“In general, people are bad at choosing unique passwords,” says Ryan Galluzzo, who leads NIST’s Digital Identity Program.
“The worst passwords I can think of are ‘password’ or ‘12345,’” he says. Those are at the top of an attacker’s list for potential attacks, and are also two of the most common passwords, according to the NIST article.
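The length and uniqueness guidance above can be turned into a check at account creation. The sketch below is an added example, not code from NIST or from the article: it reproduces the quoted guess-rate arithmetic for lowercase-only passwords and flags candidates that are too short, too common, or built on a name. The function names and both sample lists are constructed for illustration.

```python
GUESSES_PER_SECOND = 100e9       # rate quoted from NIST in the article
MIN_LENGTH = 15                  # minimum length the article attributes to NIST
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample lists (assumption): a real deployment would load a
# breached-password corpus and names relevant to the account owner.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein"}
KNOWN_NAMES = {"bella", "rocky", "taylor", "oliver"}


def seconds_to_exhaust(length, alphabet_size=26):
    """Seconds needed to try every string of `length` symbols at the quoted rate.

    The default alphabet of 26 matches the article's lowercase-letter figures.
    """
    return alphabet_size ** length / GUESSES_PER_SECOND


def check_password(candidate):
    """Return a list of policy problems; an empty list means the candidate passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # Substring match, so a name padded with digits or symbols is still caught.
    hits = sorted(name for name in KNOWN_NAMES if name in lowered)
    if hits:
        problems.append("contains a name: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    print(f"8 lowercase letters: {seconds_to_exhaust(8):.2f} seconds")
    years = seconds_to_exhaust(15) / SECONDS_PER_YEAR
    print(f"15 lowercase letters: {years:.0f} years")
    for pw in ("password", "Bella2024!", "copper-lantern-orbit-42"):
        print(repr(pw), check_password(pw) or "ok")
```

The name check is a plain substring match, so very short names in the list would produce false positives on ordinary words.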
Add MFA for Stronger Password Security
Enabling multi-factor authentication (MFA) is advised as an additional safeguard alongside passwords, adding a layer of protection against cyber-attacks at a business.
However, since many systems rely on passwords, ensuring strong password policies remains crucial for maintaining overall security, says Darren James, a senior product manager at Specops Software, in a Security Magazine post.
“In the case of MFA, typically passwords are required to initiate the MFA process. Making passwords harder to guess reduces the risk of a hacker successfully getting to the point of needing to bypass MFA.”
Also, he says, MFA is not infallible, and should not be relied upon to keep an account secure, further emphasizing the critical importance of password hygiene at your business.
“Good passwords make it harder to access an account in the first place,” James adds.