With the uptick in high-profile security breaches like the Office of Personnel Management, Target, JPMorgan and others, it is easy to become desensitized to the constant risk our cyber lives pose both personally and professionally. Information Technology departments have been rallying the battle cry about the necessity of using strong, complex passwords for decades now, to the point where discussing password best practices has become cliché. However, weak password practices continue to be one of the largest threats to both individuals’ and businesses’ cybersecurity.

According to Verizon’s 2015 Data Breach Investigations Report, credential hacking is still the most common threat action. When you consider the number of devices, websites and systems you have a password to, it is not hard to appreciate the need for good password practices. Outlined below are the Dos and Don’ts of creating and maintaining strong, complex passwords, all commonly considered best practices by security experts.


Do:

  • Create passwords that are a minimum of 10 characters long, preferably longer
  • Use mixed case, alphanumeric AND special characters (#, !, @)
  • Create a unique password for every device, website and/or system that requires authentication
  • Choose multi-factor authentication whenever possible
  • Change your passwords often, preferably every 60-90 days
  • Use a password checker like Microsoft’s

Don’t:

  • Use dictionary words or sequential numbers (e.g. password or 123456)
  • Use proper names in your password
  • Allow a website, system or web browser to ‘remember you’, ‘save your password’, etc.
  • Reuse your passwords
  • Write your passwords down anywhere


To create complex, unique, strong passwords that are easy to remember, use a passphrase and inject an identifier that is website or system specific.

mutatis mutandis becomes mU+@+15mU+@nd15

This is certainly a complex password. Now add the unique identifier. If this password were to be used for an email account, you might use mU+@+15emailmU+@nd15. If for a shopping website, you might use mU+@+15sitenamemU+@nd15, and so on.
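
The construction above, together with a check against the Do and Don't lists, as an added Python example that is not part of the original article. The substitution table is read off the mutatis mutandis example; the function names and the small weak-password sample are assumptions made for illustration.

```python
import re

# Substitutions read off the page's example (mutatis -> mU+@+15); treating
# them as a reusable table is an assumption of this sketch.
SUBS = {"u": "U", "t": "+", "a": "@", "i": "1", "s": "5"}
# Constructed sample of weak choices; a real check would load a full wordlist.
WEAK = {"password", "123456", "qwerty", "letmein"}


def transform(word):
    """Apply the character substitutions to one word of the passphrase."""
    return "".join(SUBS.get(ch, ch) for ch in word.lower())


def site_password(phrase, identifier):
    """Transform each word and inject the identifier after the first word."""
    first, *rest = [transform(w) for w in phrase.split()]
    return first + identifier + "".join(rest)


def is_sequential(pw):
    """True for digit-only strings that count up by one, such as 123456."""
    return pw.isascii() and pw.isdigit() and len(pw) > 1 and all(
        int(b) - int(a) == 1 for a, b in zip(pw, pw[1:]))


def policy_failures(pw):
    """List the rules from the Do/Don't lists that a password breaks."""
    failures = []
    if len(pw) < 10:
        failures.append("shorter than 10 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        failures.append("not mixed case")
    if not re.search(r"[0-9]", pw):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no special character")
    if pw.lower() in WEAK or is_sequential(pw):
        failures.append("dictionary word or sequential number")
    return failures


if __name__ == "__main__":
    for site in ("email", "sitename"):
        pw = site_password("mutatis mutandis", site)
        print(site, pw, policy_failures(pw) or "passes")
```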