Best Practices for IT Password Security

Written by Sean Blanton on October 10, 2023

Share This Article

October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) organization is calling on all of us to “Secure Our World,” with a simple message that calls everyone to action “to adopt ongoing cybersecurity habits and improved online safety behaviors.” This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.


It’s safe to say: IT has a password problem.

Gartner reports that as much as 50% of help desk calls are just password resets. Meanwhile, insecure passwords are leading to more high-profile breaches than ever before. Password protection and management is something that we’re highly in tune with here at JumpCloud, where security via our cloud directory platform is our bread and butter. And thankfully, there are some amazing tools out there today that can make password management much easier and more secure.

Password management has a few components. The first step is contextualizing the breadth and depth of the problem. Then, it’s all about implementing password protection best practices to secure your organizational resources without interfering with your employees’ user experience. In this article, we’ll walk through common password mistakes, the best practices to combat them, and how to simplify your management complexity. 

Common Password Mistakes 

Simply put, cybercriminals have evolved to be smarter about how they acquire user credentials, but our business environments have not evolved to properly defend against them. According to Specops’s 2023 Weak Passwords Report, 41% of Americans rely on memory alone to

track their passwords. And, you can’t leave it up to users to secure their own credentials. Most employees reuse passwords for work and home, and make their passwords deliberately easy to remember – which also means they’re easy to guess. 

Using Common Passwords 

Common password credentials are often the first ones bad actors attempt during brute force attacks. They’ll find these password lists on breached password dumps, and systematically enter them until one works. 

According to Cybernews, the 10 most common passwords leaked in 2023 were:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. qwerty123
  7. 1q2w3e
  8. 12345678
  9. 111111
  10. 1234567890

These passwords are not only easy to guess; most of them are also very short, and have very little complexity, with no special characters. Many of them don’t even have a mix of both letters and numbers, and none of them are personalized to the user. 

Using Overly Simple Passwords 

You can’t just opt for a password that isn’t lazy and obvious. You must also add layers of complexity with a combination of long-chain letters, numbers, and special characters. It may feel like common knowledge that using over eight characters in a password was enough to deter most cybercriminals, but this isn’t always put into practice. In fact, 88% of brute force password attacks in 2023 used passwords with 12 characters or less, and nearly a quarter of those attacks used passwords with only 8 characters.  

Reusing Passwords on Multiple Applications 

Without a password manager to securely store login credentials, many users resort to reusing passwords, simply so they can remember them.  According to Google’s Online Security Survey, 52% of users reuse the same passwords for multiple accounts, and 13% use the same password for all their accounts. 

Using the same password repeatedly significantly widens the attack surface. A compromise of just one resource – even something as innocuous as a social media or retail account login – can lead to compromise of company resources, too. 

Password Management Best Practices 

Password management issues may be widespread, but that doesn’t mean your organization is destined to become the next victim of a cyber attack. Next, we’ll give you a few best practices to implement in order to better secure your users’ passwords. 

Create a Password Policy – and Enforce It.

Design a detailed password policy all employees and user identities must follow to gain access to company resources. A modern cloud directory platform like JumpCloud makes this easy by creating password requirement policies based on your specifications. Here’s some examples of what should be included in your policy. 

Length/Complexity Requirements 

  • Specify a required length: In the world of passwords, size does count. Eight characters is no longer enough, and based on Specops’ resource, 12 characters are quickly becoming too simplified as well. We recommend 18+ characters in a password. 
  • Require a range of characters: Make each password require a mix of lowercase, uppercase, numbers, and special characters. 
  • Don’t allow words: It’s a lot easier to guess a password if it includes your name, your kid’s name, your pet’s name, or a common phrase. Eliminate this risk by allowing no recognizable words in your passwords. Instead, encourage employees to create acronym strings to make passwords that are hard to crack, but easy to remember. For example, if you want to use the song lyrics, “For those about to rock, we salute you,” make it part of your password by using “ftatrwsy”. If you can add in a phrase with numbers, that could be “too good to be true” (2g2bt).
  • Don’t allow reuse: Ensure your password setting system can identify if a password has been used previously on the site, and do not allow employees to reuse these old credentials. 

Require Passwords Across Devices and Applications

Regardless of whether it’s a company laptop, an employee’s email on a personal device, an iPad, or even a BYOD cell phone, if a device is configured to connect to company resources, it must be protected with a complex password. 

Some organizations still have their heads in the sand about the breadth of password requirements. They allow BYOD without creating a policy around it or gaining control of the devices. Don’t neglect the need for passwords on networks, routers, mobile devices, and for all apps in use. You don’t want the next lost cell phone to lead to the next big breach.

Note: check out our guide to some of the best practices in BYOD.

Do Not Use the Same Password for Multiple Accounts

What happens when a CEO uses the same password for accessing a confidential business network that they use for their social media pages? Just ask the 6.5 million users who were hacked on LinkedIn. It’s “never going to happen to you”… until it does. Be smart and don’t ever mix business and personal credentials. Automatic password rotation can enforce this company-wide.

Implement Regular Password Rotation

Use a password manager to require the regular changing of passwords. Required password rotation is essential to staying one step ahead of potential hackers.

Some systems require rotation but then allow a user to just switch back and forth between two passwords. Ultimately, this subverts the goal of password rotation. JumpCloud’s platform catches this issue and allows admins to eliminate previous passwords as an option. This allows IT to set a number of previous passwords back that a user cannot use when rotating.

Require Multi-factor Authentication

Starting to get the sense that a passphrase alone isn’t enough to secure your network and resources? You’re right. In today’s day and age, even the most complex passwords aren’t foolproof. 

For the utmost in security, pair your detailed password policies with multi-factor authentication (MFA). MFA combines something a user knows (typically, the traditional username and password) with something they have (like a biometric verification, or a push notification or key sent to a private phone). When paired with a strong password, MFA makes it much, much more difficult for the wrong person to access your business resources.  

Educate Your Staff on Social Engineering and “Phishing” Attacks

Your staff is much more likely to comply with your company policies if they understand why they’re necessary. Once you’ve shared the policy, you must reinforce the rules by providing context around why it’s so important. 

Give your tema training on the most common forms of cyber attack, like social engineering and phishing. These hacking methods are cleverly disguised and require the victim to be a willing participant in undoing their security. 

The basic rule is this: whenever you follow a link that asks for login credentials (or any other personal information for that matter) you must be highly vigilant. If you’re not certain if the request for information is legitimate, then you can type the site’s known URL into your browser to make sure you’re not on a carefully disguised imposter’s site. 

Reducing Password Policy Complexity 

Are you feeling overwhelmed at this point, wondering how you’re supposed to manage so many password requirements and changes for so many users? Fear not. Our modern cloud security solutions offer lots of opportunities to automate these processes, freeing your IT admins up for more complex tasks. 

Use a Password Manager

Weak, shared, or compromised passwords play a role in most data breaches. When end users can create and store complex passwords easily, they play an active role in protecting your organization from malicious actors. Password managers allow users to create truly complex, uncrackable passwords while reducing downtime from not remembering them. It’s the perfect solution. 

Implement SSO and MFA 

Modern cloud solutions allow you to easily implement single sign-on and multi-factor authentication models to verify users prior to letting them access company resources. 

Single sign-on enables users to log in once to access all of their IT resources; they don’t have to type their username and password in over and over, or use multiple, distinct username and password pairs, to get access to everything they need to be successful at work. Today, SSO is often implemented as part of a larger identity access management (IAM) solution, such as a directory service, rather than as a separate add-on, which gives IT admins more control and visibility into what users have access to. SSO solutions that fit into this mold provide users with access to virtually all of their IT resources (networks, devices, apps, file servers, and more) through a single login.

Multi-factor authentication can also be turned on with the click of a button when using solutions like JumpCloud. You can create conditional access policies that make users use a second factor to verify their identities all of the time, or only when logging in from an untrusted device, for example. According to Microsoft, enabling MFA will stop 99.9% of cyber attacks. 

Upgrade to a Cloud Directory Platform like JumpCloud 

While password managers, SSO, and MFA can certainly all be purchased piecemeal, by far the easiest and most comprehensive solution is to centralize your IT management around a cloud directory platform like JumpCloud. JumpCloud provides a seamless single pane of glass from which to manage all user passwords and identities, and quickly batch implement the newest security policies. JumpCloud offers password management, all-application SSO, MFA capabilities – and so much more. 

If you’re ready to give a best-in-class open directory platform a try for all your IDaaS needs, JumpCloud’s your solution. Start your free trial today.

Sean Blanton

Sean Blanton is the Director of Content at JumpCloud and has spent the past decade in the wide world of security, networking and IT and Infosec administration. When not at work Sean enjoys spending time with his young kids and geeking out on table top games.

Continue Learning with our Newsletter