In information technology, passwords remain the most common way of authenticating users, so strong passwords are a cornerstone of IT security. If passwords are not managed properly, the result can be serious vulnerabilities and large data breaches. And even when passwords are managed well, users who do not follow security best practices can easily expose themselves to attack.
For example, companies reported 5,183 data breaches in 2019 that exposed personal information such as login credentials and home addresses, data that someone could use to defraud you or steal your identity. And since 2017, hackers have published 555 million stolen passwords on the dark web, which criminals can use to break into your accounts.
In an organization, a strong password policy is the first line of defense. It is the system administrator's duty to make sure that proper rules and policies are in place, such as a Password History policy, a Minimum Password Age policy, a Maximum Password Age policy, a Minimum Password Length policy and a Password Complexity Requirements policy. (Minimum Password Age is what gives the history policy its teeth: without it, a user can cycle through the whole history in one sitting and land back on the old password.) The system administrator can also set up an e-mail notification ahead of password expiry, reminding users that it is time to change their password before it actually expires.
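The following PowerShell script is an added example, not code from the original article: it reviews and sets the five domain password policies named above and then implements the expiry reminder, e-mailing users whose password expires within a week. It assumes the ActiveDirectory module (RSAT) on a domain-joined admin workstation; the SMTP server, sender address, threshold and policy values are placeholders to adjust for your own domain.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module (RSAT) on a domain-joined admin workstation; smtp.example.local,
# it-support@example.local and the policy values below are placeholders.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Review the current default domain password policy before changing anything.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object PasswordHistoryCount, MinPasswordAge, MaxPasswordAge,
                  MinPasswordLength, ComplexityEnabled

# 2. Apply the five policies from the article. Values are illustrative only.
#    PasswordHistoryCount: remember the last 24 passwords.
#    MinPasswordAge:       1 day, so the history cannot be cycled through at once.
#    MaxPasswordAge:       90 days before a password expires.
#    MinPasswordLength:    14 characters.
#    ComplexityEnabled:    enforce the built-in complexity requirements.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true

# 3. E-mail users whose password expires within $WarnDays days.
function Send-PasswordExpiryWarning {
    param(
        [int]    $WarnDays   = 7,
        [string] $SmtpServer = 'smtp.example.local',        # placeholder
        [string] $From       = 'it-support@example.local',  # placeholder
        [switch] $DryRun                                    # report instead of sending
    )
    $now = Get-Date
    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute (a FILETIME)
    # that already takes fine-grained password policies into account.
    $users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                        -Properties EmailAddress, 'msDS-UserPasswordExpiryTimeComputed'
    foreach ($u in $users) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # 0 or Int64.MaxValue means the password does not expire at all.
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)
        # Skip already-expired accounts and those outside the warning window.
        if ($daysLeft -lt 0 -or $daysLeft -gt $WarnDays) { continue }
        if (-not $u.EmailAddress) { Write-Warning "$($u.SamAccountName) has no e-mail address"; continue }

        $subject = "Your password expires in $daysLeft day(s)"
        $body    = "Hello $($u.GivenName),`n`nYour password expires on " +
                   "$($expires.ToString('yyyy-MM-dd HH:mm')). Please change it before then " +
                   "(press Ctrl+Alt+Del and choose 'Change a password')."
        if ($DryRun) { "$($u.SamAccountName) -> $($u.EmailAddress): $subject"; continue }
        # Send-MailMessage is deprecated but still ships; swap in your own mail API if needed.
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.EmailAddress -Subject $subject -Body $body
    }
}

# Dry run first: lists who would be warned without sending anything.
Send-PasswordExpiryWarning -DryRun
```

Run the dry run by hand until the output looks right, then register the function call (without `-DryRun`) as a daily scheduled task under a service account that has read access to the user objects and permission to relay through the SMTP server. Step 2 changes the policy for the whole domain, so run it only after reviewing the output of step 1.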
However, it is hard to memorize a different password for every account and service we use, and reusing the same password makes a user more vulnerable with every reuse: one breached site then exposes every other account that shares that password. The best solution is a password manager, where all your passwords can be stored and managed.
Even if you follow all these practices, attackers will still find ways to steal your passwords unless you also follow these security best practices:
- Never enter your credentials after clicking on a pop-up advertisement.
- Never enter your credentials after clicking a link in an e-mail. Open the browser yourself, type in the address of the site you want to visit, and only then enter your credentials.
- Remember that banks and responsible companies will never ask for your login credentials by e-mail. If you are unsure, call the bank or the system administrator and confirm it, and take the contact details from a different source rather than from the same e-mail.
- Use the on-screen keyboard offered by bank portals for extra security; it defeats simple keyloggers that capture keystrokes.
- Never enter your credentials on websites that do not use HTTPS.
- Never enter your credentials while you are on public Wi-Fi.
- Always use the least privileged account that does the job. For example, do not use your admin-privileged account for day-to-day activities such as e-mail and web browsing.
- Do not type your password on devices you cannot trust. For example, do not use a computer in an internet café to log in to your bank account.
- Allocate a separate, isolated PC for accessing high-privilege services such as domain admin. (If a domain admin logs on to an ordinary workstation that has been compromised, the attacker can extract that account's password hashes from the machine and crack or reuse them to escalate from a normal user to domain admin.)
Monitor suspicious logins and failed login attempts closely. This reduces the risk from attacks such as RDP brute force, which is very common these days.
Around 0.08% of RDP brute-force attacks succeed, and an RDP brute-force attack lasts 2-3 days on average, which is exactly why watching failed logon counts per source address catches them early.
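The script below is an added example, not code from the original article, showing the kind of failed-logon monitoring described above: it takes Windows Security log failures (event ID 4625) and reports any source address that produces more than a threshold of RDP logon failures within a short sliding window, together with how many distinct user names it tried. The events it runs on are constructed sample data, not real logs; the `Get-RdpFailureEvents` helper at the end, the event names and the thresholds are assumptions to adjust for your environment.

```powershell
# Added example, not code from the original article. Event ID 4625 is a failed
# logon; LogonType 10 (RemoteInteractive) is RDP. The $sample events below are
# constructed for the demo, not real log data.

function Find-RdpBruteForce {
    param(
        # Objects with TimeCreated, IpAddress, TargetUserName and LogonType.
        [Parameter(Mandatory)] [object[]] $Events,
        [int]   $Threshold     = 10,     # failures from one source before alerting...
        [int]   $WindowMinutes = 10,     # ...within this sliding window
        [int[]] $LogonTypes    = @(10)   # add 3 if NLA logs RDP failures as network logons
    )
    $alerts = @()
    $failures = $Events | Where-Object { $_.LogonType -in $LogonTypes }
    foreach ($group in ($failures | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Move the window start forward until the window fits in $WindowMinutes.
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                $users = @($group.Group | Select-Object -ExpandProperty TargetUserName -Unique)
                $alerts += [pscustomobject]@{
                    IpAddress  = $group.Name
                    Failures   = $group.Count
                    FirstSeen  = $times[0]
                    LastSeen   = $times[-1]
                    UsersTried = $users.Count          # many distinct names = password spraying
                    Sample     = (($users | Select-Object -First 5) -join ',')
                }
                break   # one alert per source address is enough
            }
        }
    }
    return $alerts
}

# Constructed sample: one attacker guessing 30 user names from 203.0.113.7 within
# three minutes, two genuine typos from 198.51.100.4 an hour apart, and one
# non-RDP (network) failure that must be ignored.
$t0 = Get-Date '2024-03-01 02:00:00'
$sample = @()
foreach ($i in 0..29) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds($i * 6); IpAddress = '203.0.113.7';  TargetUserName = "user$i"; LogonType = 10 }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(15); IpAddress = '198.51.100.4'; TargetUserName = 'alice';      LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(75); IpAddress = '198.51.100.4'; TargetUserName = 'alice';      LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(20); IpAddress = '10.0.0.5';     TargetUserName = 'svc-backup'; LogonType = 3  }

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize

# Assumed helper for a real server: pulls the last 24 hours of 4625 events from
# the Security log and flattens the EventData fields the detector needs.
function Get-RdpFailureEvents {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                IpAddress      = $d.IpAddress
                TargetUserName = $d.TargetUserName
                LogonType      = [int]$d.LogonType
            }
        }
}
# On a real host: Find-RdpBruteForce -Events (Get-RdpFailureEvents) | Format-Table -AutoSize
```

In the constructed sample only 203.0.113.7 is reported: it crosses the threshold of ten failures inside the ten-minute window, while the two typos an hour apart and the non-RDP failure do not. Two caveats when running this against real servers: with Network Level Authentication enabled, failed RDP attempts are often logged with LogonType 3 rather than 10, so pass `-LogonTypes 10,3`; and a high `UsersTried` count with few failures per user is password spraying, which an account lockout threshold alone will not stop, so the per-source view above matters more than per-account counts.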
These days attackers are more likely to spear-phish, and most of the time they target domain admin accounts rather than normal user accounts.
By following these best practices and raising awareness, we can stay on the safe side.
Also be sure to listen to our podcast on the same topic: Podkast – Helt sikkert