Password management and best practices

As the ways to compromise an account become more numerous and sophisticated, it's more important than ever to manage password security and protect your business properly. This article examines common password attack types and best practices to combat them.


  • Applies to: Administrator and User

For more information about prerequisite terminology, see Cloud Office support terminology.

Common password attack types

The following things are common methods used by attackers trying to compromise your accounts.


Phishing is the act of impersonating a legitimate entity to obtain sensitive information from users like usernames, passwords, and credit card numbers. In email, phishing scams commonly use a method of email impersonation called spoofing. A successful phishing attack is particularly damaging because you have volunteered your current credentials to the scammer.

Use the following guidelines to protect your passwords from phishing attempts:

  • Never give sensitive information without verifying that the request is from a legitimate entity.

  • Never use the same password for different sites and accounts. Employing this policy helps contain the damage if you are the victim of phishing.

  • Immediately change your password if you suspect you are the victim of a phishing attack.

  • Tell company employees to remain vigilant and remind them of verification practices.


Malware is malicious software that collects information from you without your knowledge. Malware captures passwords through keystroke logging.

Use the following guidelines to avoid exposing your systems to malware:

  • Regularly install security updates for your operating systems, internet browsers, and any other software you use.

  • Be cautious of any email that includes a link or attachment, regardless of who appears to be the sender.

  • Install an antivirus program.

Dictionary attack

Hackers try a list of passwords against a username in hopes that the user has used an easy-to-guess password.

Prevent hackers from guessing your passwords by creating a unique password. Using a common password makes you a prime target for this attack. See Password best practices for guidance.

Password reset protocol attack

Password reset protocols are typically based on alternate contact information like phone numbers or email addresses. If a hacker has the information to reset your password, they don't need your current password.

Use the following guideline to prevent hackers from guessing your passwords:

  • Keep contact information current so that hackers can't use outdated information to impersonate you.

  • When you set up security questions and answers, select a question that an attacker researching your online social media accounts can't learn. For example, "What University did I graduate from?" is a bad security question. An attacker can likely find this information on your public Facebook or LinkedIn profile.

Password best practices

Meeting password requirements doesn't create a password robust enough to stop someone determined to access your account. While password requirements help prevent the most egregious of weak passwords, they don't make a password unbreakable.

Use the following guidelines to protect your accounts and create strong passwords:

  1. User education.

    A compromise typically starts with one user and quickly spreads through a whole company. Ensure that your users are taking precautions and know password best practices.

  2. Avoid patterns.

    Patterns are the key to a hacker's success. People are predictable and therefore make predictable passwords.

    • Do you repeat words or characters in your password to meet the character length requirement? fourfour44!! or PasswordPassword might satisfy a password length requirement but is easily predicted by a program trying to access your most valuable information.

    • Are you reusing passwords for many sites, applications, or accounts? If your social media account is compromised, a hacker is going to try to access your other accounts. Reusing passwords ensures that they succeed.

    • Is your password construction similar every time you change it?

      • Examine the password example Predictable2017. The first letter is capitalized and the password ends in a number. Many people construct their passwords this way, which is why malicious hacking programs always check for it.
      • You might think you can throw off the hacker with some character substitutions like Pr3dictab132017. This tactic is also a predictable pattern that many people use in passwords.
    • Changing aspects of your password isn't really changing your password. It's only a good idea to implement a password change schedule if you truly create a new unique password each time.

  3. Password strength.

    Character requirements and password length are only useful if you avoid patterns and are vigilant against attacks like phishing, malware, and proof attacks.

    Use the following guidelines to create a strong password:

    • Avoiding patterns is your primary goal when you create a password. The more unique you can make the password, the better.

    • Don't include public or personal information about yourself or those close to you in the password, including:

      • Birthdays
      • Pet names
      • Anniversaries
      • Company names, founding dates, and addresses
    • Try using a memorable phrase. For example: oneDayWew!llAllH4vEhoV6r:Cars. In this example, instead of substituting letters for similar-looking numbers, substitute random numbers. Instead of capitalizing the first character, leave it lower case. Instead of ending the password with a number, end with a word.