

3 Steps to Stronger Passwords

Some security professionals like to say that passwords are like underwear: change them often, don’t reuse them, don’t leave them lying on your desk, and don’t share them with others. Many security professionals also stress the need for strong passwords. While guidance surrounding passwords has evolved over the last several years and there is more debate surrounding the components of password creation, all cyber professionals understand the need for strong authentication as part of a layered control framework.

Weak passwords remain a top cybersecurity risk, as continually highlighted by large hacks and breaches. In the 2014 Sony hack, it was discovered that thousands of passwords to the company’s systems were maintained in a digital folder labeled “Password,” and it was reported in 2017 that the Equifax breach was enabled by “admin” being used for both the username and password of an employee portal.

More recently, attackers were able to spread ransomware throughout the Colonial Pipeline Company network by gaining access to a virtual private network (VPN) account that was no longer used. The password to that account was breached, and there was no multi-factor authentication (MFA) in place to stop the attacker from gaining access.

So why does this keep happening, and what can your organization do to reduce the risk? Here are three steps to stronger passwords.


1. Understand the challenges.

The National Institute of Standards and Technology (NIST) made headlines when it issued password guidelines that steer away from requiring complexity and frequent password changes.

NIST noted that while the previous guidelines were intended to create more secure passwords through criteria such as complexity, this has been circumvented over time by several issues:

  • The number of systems individuals access via a username and password has grown tremendously. Not too many years ago, we didn’t have passwords for travel sites, online bank accounts, health records, and more — not to mention the growing number of work-related passwords. There are just too many to commit to memory.
  • Users have difficulty remembering complex passwords, especially when they change frequently. As a result, many people use ineffective variations of common passwords (e.g., Password1!). The most common breached passwords are published annually, and it is surprising how many versions of “123456” and “password” continue to make the list.
  • Because complex passwords are hard to remember, users also store them in unsafe ways, such as in a document on their computer, on a sticky note on their desk or, even worse, in the Notes app on their unsecured cellphone.
  • Password-cracking software has become more sophisticated, and keylogger software and social engineering continue to be effective means of compromising even lengthy, complex passwords. Millions of compromised passwords are in circulation as a result of cyber breaches.

These factors make complex, expiring passwords far less effective, hence the revised NIST guidelines.


2. Understand the guidelines.

Rather than solely using complex passwords that expire frequently, the NIST guidelines focus on layered security, which we have long advised. Some of the recommendations from NIST include:

  • Comparing passwords against a “blacklist” that rejects passwords:
    • Used in previous compromises,
    • Based on dictionary words,
    • Containing repetitive or sequential characters, and
    • Based on items such as user name, system name, etc.
  • No forced composition rules (like alphanumeric and special characters) or required arbitrary changes.
  • Limiting the number of password attempts before a user is locked out.
  • Multi-factor authentication (MFA), which requires a second factor in addition to the username and password, typically when a system is accessed from a different device or location. You are likely familiar with receiving a text code or using an authenticator application on your phone to access an online account.

With these criteria, simple passwords still cannot be used, and the recommended minimum number of characters is still eight for user-chosen passwords or six for randomly generated passwords or PINs. While the recommendation is not to impose composition rules, alphanumeric or special characters may still be used in an effort to create a memorable password that is not a dictionary word. Limiting the use of dictionary words definitely slows down password-cracking systems.
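The screening criteria above translate directly into a small check that an application can run whenever a user sets a password. The following Python routine is an added example, not code from the original article or from CapinTech: it rejects passwords that appear on a breach blocklist, are based on a dictionary word, contain repeated or sequential characters, or contain the username or system name, enforces the eight-character (user-chosen) and six-character (generated) minimums, and imposes no composition rules. It also includes a simple consecutive-failure lockout counter for the "limit attempts" recommendation. The breach and dictionary lists are constructed placeholders (a real deployment would load a compromised-credential corpus and a full word list), and the function and class names are my own.

```python
"""NIST-style password screening: blocklist, dictionary, repeats/sequences,
context-specific values, minimum length, and a failed-attempt limiter.
Added example; list contents are constructed placeholders."""
import re

MIN_LENGTH_USER_CHOSEN = 8   # minimum for memorized (user-chosen) secrets
MIN_LENGTH_GENERATED = 6     # minimum for randomly generated secrets or PINs

# Constructed sample data; replace with a real breach corpus and dictionary.
BREACHED_PASSWORDS = {"123456", "password", "password1!", "qwerty", "letmein"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "monkey", "dragon", "nonprofit"}


def _normalize(pw):
    # Collapse case and drop digits/punctuation so "Welcome2023!" -> "welcome";
    # this catches the common "dictionary word plus a digit and symbol" pattern.
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def _has_repeats(pw, run=4):
    # Any single character repeated `run` or more times in a row (e.g. "aaaa").
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _has_sequence(pw, run=4):
    # Any alphanumeric window of length `run` that steps by exactly +1 or -1
    # in code-point order (e.g. "1234", "abcd", "dcba").
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not chunk.isalnum():
            continue
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def screen_password(candidate, username="", system_name="", generated=False):
    """Return a list of rejection reasons; an empty list means the password is accepted.

    Deliberately applies no composition rules (no required digits or symbols).
    """
    reasons = []
    minimum = MIN_LENGTH_GENERATED if generated else MIN_LENGTH_USER_CHOSEN
    if len(candidate) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    lowered = candidate.lower()
    # Assumption: blocklist comparison is case-insensitive to be stricter than exact match.
    if lowered in BREACHED_PASSWORDS:
        reasons.append("appears in breach blocklist")
    if _normalize(candidate) in DICTIONARY_WORDS:
        reasons.append("based on a dictionary word")
    if _has_repeats(candidate):
        reasons.append("contains repeated characters")
    if _has_sequence(candidate):
        reasons.append("contains sequential characters")
    for label, value in (("username", username), ("system name", system_name)):
        if value and value.lower() in lowered:
            reasons.append(f"contains the {label}")
    return reasons


class AttemptLimiter:
    """Lock an account after `max_attempts` consecutive failed logins.

    In-memory only; a real system would persist counters and add a time-based unlock.
    """

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self._failures = {}

    def is_locked(self, account):
        return self._failures.get(account, 0) >= self.max_attempts

    def record_failure(self, account):
        # Returns True once this failure pushes the account into the locked state.
        self._failures[account] = self._failures.get(account, 0) + 1
        return self.is_locked(account)

    def record_success(self, account):
        # Only reset on a success that happened while the account was not locked;
        # a locked account must not be verified at all.
        if not self.is_locked(account):
            self._failures.pop(account, None)


if __name__ == "__main__":
    for pw in ("Password1!", "admin", "nonprofit-donor-ledger-2021", "abcd1234xyz"):
        print(pw, "->", screen_password(pw, username="admin", system_name="portal") or "accepted")
```

Running the block shows that a password such as "Password1!" is rejected on two counts (it is on the breach list and is a dictionary word with decoration), while a longer passphrase that is not a dictionary word passes with no symbols or digits required, which is the practical effect of the NIST shift away from composition rules toward blocklists and length.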


3. Take a layered approach.

It’s important to note that the guidelines are extensive, and this is just a summary of one aspect of them. While it may seem that the guidelines make passwords easier for end users, there is much more to the authentication process than passwords.

There are several steps you can take to protect your organization from weak passwords. These include:

  • Layered security controls – With layered controls, if one fails, others are in place to help protect your organization. Many industry experts consider these “must-have” additions to passwords for high-risk systems.
  • Multi-factor authentication – Among security professionals, MFA has become a must-have layered control. The use of MFA for cloud-based systems is particularly critical because these systems can be accessed from any device through a browser. Thus, a compromised password, whether discovered through a dictionary attack, keylogger or other spyware, or observed on a sticky note, can be used from just about anywhere.
  • Ongoing training and communication – Make sure all network users understand why they:
    • Need to use strong passwords
    • Should not share passwords
    • Should not save passwords in an easily accessible location
    • Should not use the same password for multiple accounts

Even as cyber attacks have become increasingly sophisticated, the humble password remains a vital defense. The steps above will help you improve password security at your organization.

It’s also important to address effective application security beyond the use of strong passwords. Start by understanding the risks and then review these recommended application settings and steps to enhance your application security controls.

CapinTech offers expert cybersecurity services to help organizations assess their information security controls and identify and address any risks and vulnerabilities. More information is available at

This article has been updated.


Additional Resource:

How Weak IT Controls Can Affect Your Financial Statement Audit E-book

Allison Davis Ward

Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.
