World password day: best practices to secure your access


Why are passwords a prime target?

Today, most of the applications we use require password authentication (government platforms, emails, management software, user sessions, etc.).

In an increasingly connected world, cyberattacks are multiplying, and attackers are exploiting existing security vulnerabilities — especially those linked to passwords and login credentials. Our passwords protect access to our data and activities. By stealing them, cybercriminals can pursue various objectives, such as retrieving personal information, accessing sensitive business data, or extorting money.

Attack methods vary. One of the most common — affecting both private and professional spheres — is phishing. This technique involves sending fraudulent messages prompting the victim to disclose sensitive information, such as login credentials. Often, the message contains a link to a fake site where the user is asked to enter their details (email address, bank account number, etc.), which attackers then exploit.

Other techniques, such as brute force attacks, allow cybercriminals to test a large number of combinations until they find the correct password. These attacks consist of testing, one by one, every possible combination of a password or key for a given login, in order to access the targeted service. The stronger the password, the more likely the attack will fail.

Finally, if personal data has been leaked in the past, attackers may attempt to reuse this information, hoping the credentials haven’t been changed or are reused across multiple services.

Adopt the right habits to protect your accounts

1) Use multi-factor authentication (MFA)

Multi-factor authentication is one of the most effective ways to strengthen access security. It significantly reduces the risk of password compromise, particularly against brute force attacks.

This method requires an additional verification step for the user attempting to log in.

Authentication factors may include: a password, a PIN code, an SMS or phone call, a verification app such as Microsoft Authenticator or itsme®, biometric identification, etc.

Most email services offer two-factor authentication, but it must usually be activated manually by the user.

2) Create strong passwords

A secure password should include a variety of characters: lowercase, uppercase, numbers, and special symbols.

Beyond character diversity, the password must also be sufficiently long. The CNIL (French data protection authority) [1] recommends a minimum length of 12 characters. Using passphrases is an increasingly recommended and effective alternative to strengthen security.

The level of password strength should match the sensitivity of the application. For instance, a stronger password is needed for professional email than for an online appointment system.

Avoid choosing passwords linked to your personal life (e.g. your children’s or pet’s names, birth dates, favourite song titles, etc.). An attacker with access to such information could easily guess your login credentials.

Obvious sequences like 123456, azerty, abcdef, qwerty, etc., which top the list of the most used passwords in Belgium in 2024 [2], should also be avoided.

The CNIL offers tools to help create strong passwords, including a secure password generator. Password managers also provide similar services.
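The rules above (minimum length of 12, a mix of character classes, no obvious sequences, no personal details, passphrases as an alternative) can be enforced at account creation. The following is an added example written for this article, not a tool from the CNIL or any password manager: the blocklist is a constructed sample of the sequences named above, and the thresholds for "at least three character classes" and "four words counts as a passphrase" are assumptions of this example, not figures from the article.

```python
import re

# Constructed sample of the obvious sequences named in the article; a real
# deployment would check against a full list of known breached passwords.
OBVIOUS_SEQUENCES = {"123456", "azerty", "abcdef", "qwerty", "password"}

MIN_LENGTH = 12            # minimum length recommended by the CNIL
MIN_CLASSES = 3            # assumption: at least three of the four classes below
MIN_PASSPHRASE_WORDS = 4   # assumption: from four words on we treat it as a passphrase

CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9\s]",
}


def character_classes(password):
    """Return the set of character classes present in the password."""
    return {name for name, pattern in CLASS_PATTERNS.items() if re.search(pattern, password)}


def is_passphrase(password):
    """A passphrase is several words separated by spaces, hyphens or underscores."""
    words = [w for w in re.split(r"[\s\-_]+", password) if w]
    return len(words) >= MIN_PASSPHRASE_WORDS


def check_password(password, personal_terms=()):
    """Return a list of policy violations; an empty list means the password is acceptable.

    personal_terms is an optional collection of strings the user should not use
    (children's or pets' names, birth years, ...), checked case-insensitively.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Substring match on purpose: "Qwerty2024!" is barely better than "qwerty".
    if any(seq in lowered for seq in OBVIOUS_SEQUENCES):
        problems.append("contains an obvious sequence (e.g. 123456, azerty, qwerty)")

    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal information ({term!r})")

    # A long passphrase is acceptable even if it is all lowercase letters.
    if not is_passphrase(password) and len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes and is not a passphrase")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the generic "Company2024" from the article.
    samples = [
        ("correct horse battery staple", ()),
        ("Company2024", ()),
        ("Qwerty123456!", ()),
        ("ILoveRex2015!", ("Rex", "2015")),
    ]
    for pw, terms in samples:
        verdict = check_password(pw, terms) or ["OK"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

Note that the passphrase path is the one the article recommends: four ordinary words are long enough that character-class rules add little, whereas a short password full of symbols still fails the length check.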

3) Use unique passwords for every service

Using a different password for each account prevents a compromise from spreading to all services; only the service concerned will be vulnerable.

With a good password manager, it becomes unnecessary to memorize all your passwords. These tools store and generate secure credentials.

4) Always change default passwords

Many services provide default passwords without requiring users to change them. These default passwords should be changed immediately as they often consist of generic identifiers known to cybercriminals. Keeping them significantly increases the risk of compromise.

In a professional setting, assigning generic passwords to several users (e.g. Company2024) drastically increases the exposure to attacks.

5) Separate your professional and personal accounts

Using different passwords for personal and work accounts limits the impact in the event one gets compromised.

This way, if your personal email is hacked, the attacker cannot access your professional accounts — and vice versa.

6) Use a password manager to make your life easier

Securing accounts means managing a growing number of passwords. To avoid forgetting them, it is recommended to use a secure password manager. These tools store credentials and can also generate strong passwords.

They also prevent the storage of passwords on unprotected media (memo, unprotected computer file, piece of paper, phone, messaging). It is important to never transmit or store your credentials in plain text.

Different companies offer password manager services, free or with paid options, depending on the needs of the person or organisation.

7) Change your password at the first sign of compromise

If there is any suspicion that a password has been compromised, it must be changed immediately to prevent or limit damage.

8) Limit login attempts and lock accounts after multiple failures

This technical measure counters brute force attacks, among other threats, by temporarily blocking access to an account after a set number of unsuccessful attempts.
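The measure can be implemented as a per-account counter of recent failures with a temporary lockout. The code below is an added example for this article, not part of any product the page mentions: the limits (5 failures in 15 minutes, 15-minute lockout) are assumptions, the clock is injectable so the behaviour can be tested without waiting, and the `verify` callable stands in for whatever the real service uses to check a password.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5            # assumption: failures tolerated inside the window
WINDOW_SECONDS = 15 * 60    # assumption: how far back failures are counted
LOCKOUT_SECONDS = 15 * 60   # assumption: how long the account stays blocked


class LoginThrottle:
    """Tracks failed logins per account and blocks the account temporarily."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time at which the lockout ends

    def _prune(self, account, now):
        """Drop failures older than the counting window."""
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, account):
        """True while the account is inside a lockout; expired lockouts are cleared."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[account]
            self._failures[account].clear()   # fresh start after the lockout
            return False
        return True

    def record_failure(self, account):
        """Register a failed login; returns True if this failure triggered a lockout."""
        now = self.clock()
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        """A successful login resets the failure counter."""
        self._failures.pop(account, None)


def attempt_login(throttle, account, password, verify):
    """Return 'locked', 'ok' or 'invalid'.

    The lock is checked before the password so a locked account gives the same
    answer whether or not the password is right.
    """
    if throttle.is_locked(account):
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "invalid"


if __name__ == "__main__":
    # Constructed demo: a single user and an in-memory verifier.
    def verify(account, password):
        return account == "carol" and password == "correct horse battery staple"

    throttle = LoginThrottle(max_attempts=3)
    for guess in ["Company2024", "qwerty", "123456", "correct horse battery staple"]:
        print(guess, "->", attempt_login(throttle, "carol", guess, verify))
```

Two design points matter in practice: the lockout is temporary so that an attacker cannot permanently deny a legitimate user access by deliberately failing logins, and the counter is keyed by account rather than by source address, since brute force attempts are commonly spread across many addresses. Such a counter complements, rather than replaces, multi-factor authentication.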

9) Avoid shared accounts

Using individual accounts with unique passwords enhances security by reducing the risk of compromise. Shared accounts complicate password management and access control, increasing the risk of unauthorized access and data leaks, and make it impossible to tell which person performed an action. By assigning a unique and robust password to each user, you limit the spread of an attack, especially in case of identity theft.

10) Don’t use your passwords on shared or public computers

Public or shared devices can be infected with malware that harvests passwords. It is crucial never to save your credentials on these devices or in their browsers.

These good practices apply both in the private and professional sphere.

If you are an organisation, we recommend that you implement a password policy for your employees to enhance security and prevent data breaches. In addition, it is important to raise awareness of cybersecurity and related risks among all employees.

For more information on the subject, see the recommendations of ANSSI [3], cybermalveillance.gouv.fr [4], the CNIL and Safeonweb.be [5].

[1] Commission nationale de l’informatique et des libertés (CNIL) – The French Data Protection Authority: https://www.cnil.fr/en/home

[2] https://nordpass.com/most-common-passwords-list/

[3] L’Agence nationale de la sécurité des systèmes d’information (ANSSI) – The French National Cybersecurity Agency

[4] Public French platform whose mission is to assist individuals, companies, associations, local authorities and public institutions who are victims of cybercrime, raise awareness of cyber risks, and provide information on digital threats and how to protect against them.

[5] Initiative of the Belgian Centre for Cybersecurity (CCB), aiming to provide fast and efficient cybersecurity awareness to Belgian citizens, businesses and organisations: https://safeonweb.be/en

strengthen the security of your access and raise your team’s awareness of cybersecurity

Our consultants can help you.

About us

CTI CONSULTING helps organisations use digital with impact, integrity and efficiency.

Our multidisciplinary team of consultants supports you to design, acquire, integrate and use digital tools in an effective and responsible manner.
