Skip to main content

System Status: 

Cybersecurity Awareness

Find information on featured cybersecurity awareness topics.

World Password Day

Expert advice for shoring up your password best practices in honor of World Password Day (May 4, 2023)


Passwords (also commonly called credentials) have become one of the primary targets of cyber attackers, especially attackers with more advanced skill sets or those who are attempting to persist long-term in an organization’s environment.

TTPs (Tactics, Techniques and Procedures) is a taxonomy defining the common behaviors of cyber attackers when targeting, hacking into, and persisting within an organization’s environment. A variety of reports, data, and statistics have demonstrated a shift in how threat actor TTPs have changed from a focus on malware to a focus on passwords. Phishing used to be a means to infect a computer; now phishing and social engineering-related attacks have become the means to gain valid passwords.

The reason for this change is it is much harder for security teams to detect an intruder if that intruder is using valid credentials to pivot and traverse through an organization’s systems and data. The term is called ‘living off the land’ and implies a cyber attacker is using the same valid tools and credentials that authorized individuals use, so the cyber attacker's activities blend in and appear to be legitimate.

This is why passwords have become one of the primary targets and why stolen or compromised credentials have become one of the top risks for organizations.

4 Best Practices for Passwords We Recommend You Focus On

  1. Use Passphrases: Replace password complexity with password length whenever possible, and teach people the concept of passphrases. Both password complexity and password expiration are no longer best practices and in most cases cause more harm than good. Passphrases can be a sentence or a series of random words that create long passwords that are both easier to remember and type. Take, for example, the passphrase “honey-bricks-bored-concise”.
  2. Make Passwords Unique: It is highly important that every account (both work and personal) has a unique password for that account. This ensures that if one account is compromised, all other accounts are still secure.
  3. Use a Password Manager: Managing a long, unique password for each account is difficult, as many people can have over 100 passwords. The simpler we make a behavior, the more likely people will exhibit it.
  4. Use Multi-Factor Authentication: Whenever possible, leverage Multi-Factor Authentication (commonly called Two-Factor Authentication or Two-Step Verification) for your work and personal accounts. While multiple versions of MFA exist, Phishing-Resistant MFA is considered the strongest. Here is a simple explainer of the different types of MFA and which options are the strongest.

[This article originated from a SANS blog post by Lance Spitzner on 5/4/2023]

Learn more about UC San Diego Password Security

Additional Password Security Resources from SANS:

For more information, contact IT Services' Office of Information Assurance at

Note: this page has a friendly link that is easy to remember: