Passwords in a company - why this is one of the biggest IT security challenges


A simple password, the same password everywhere, a password written on a sticky note - each of these habits can cost you access to your company. And the solution is simpler than you think.


Andrzej Kossakowski


5 min read


Passwords are the oldest and still the most common method of protecting access to systems. And one of the most frequently underestimated. Most security incidents in companies have one common denominator at their core - passwords that are too weak, reused, or stored improperly.

A good password must be difficult. And that is exactly the problem.

What is a strong password?

It is a password that cannot be easily guessed or cracked using automated tools. In practice, this means a password that is long - a minimum of 12 characters, and preferably more - containing a combination of letters, numbers and special characters, without dictionary words and without obvious combinations such as dates of birth, children's names or company names.

"Haslo123" is not a password. "Warszawa2024!" is not a password. "qwerty" and "123456" are the two most commonly used passwords in the world - and the first ones password-cracking tools try.

Automated tools used by cybercriminals can check billions of combinations per second. A simple password, even if it seems clever to you, can be cracked in seconds. A sufficiently long password made of random characters may require millions of years of computation - which in practice means it is secure.

There is also the so-called dictionary attack - instead of checking successive character combinations, tools go through lists of common passwords, dictionary words, and their simple modifications. "P@ssw0rd", "Zima2023", or "Admin1234" are on those lists. If your password sounds like something a human could come up with - it is probably already stored somewhere in attackers' databases.
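The rules above can be enforced at the moment a user picks a password. The following is an added example, not code from the article: a checker that applies the 12-character minimum and the letters/digits/special characters rule, then undoes the "simple modifications" (character swaps, appended years) before comparing against a deny-list. The word list is a small constructed sample and the function names are hypothetical; a real deployment would load a large breached-password list.

```python
import re

MIN_LENGTH = 12  # minimum length stated in the article
# Constructed sample deny-list, for illustration only.
COMMON_WORDS = {"password", "haslo", "qwerty", "123456", "admin", "zima", "warszawa"}
# Reverse the usual character swaps so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def dictionary_base(password):
    """Return the deny-listed word a password is built on, or None."""
    lowered = password.lower()
    # Drop digits and symbols appended to a word: "Zima2023" -> "zima".
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    for candidate in (lowered, stripped,
                      lowered.translate(LEET), stripped.translate(LEET)):
        if candidate in COMMON_WORDS:
            return candidate
    return None


def check_password(password):
    """Return the list of policy problems; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    base = dictionary_base(password)
    if base:
        problems.append(f"built on common word '{base}'")
    return problems


if __name__ == "__main__":
    for pw in ("Haslo123", "Warszawa2024!", "P@ssw0rd", "t7#Kq9!vLm2$Xp"):
        print(pw, "->", check_password(pw) or "accepted")
```

"Warszawa2024!" passes the length and character-class checks and is rejected only by the dictionary step, which is why a complexity rule on its own is not enough.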

Every account must have a different password. And this is where the real problem begins.

If a password must be strong - long, random, unpredictable - then how do you remember dozens of them? Because that is exactly the challenge. Every account, every service, every system should have a unique password. This is not a whim of security specialists. It is a necessity resulting from a real threat.

Imagine you use the same password for company email, the accounting system, and an online store where you bought some equipment. That online store falls victim to an attack, and data from millions of users - together with passwords - ends up in unauthorized hands. Hackers do not have to do anything else now. They automatically test the same password across dozens of other services: banks, social media platforms, company systems. This phenomenon is called credential stuffing and is one of the most common methods of account takeover.

The scale of data breaches is enormous. The Have I Been Pwned service, which tracks publicly known breaches, contains information on more than 14 billion stolen accounts. Statistically, your email address has probably already appeared in at least one breach - even if you do not know it.

A unique password for every service ensures that a breach in one place doesn't open the door to all the others. This is a fundamental principle of security hygiene.

Remembering dozens of strong passwords is not possible. And that is not the point.

The average user today has access to dozens of different services and systems. A company employee - to corporate email, the ERP system, CRM, a project management platform, communication tools, various portals, and external applications. Each of these should have a different, strong password.

No one will remember all of that. And no one should try - because trying to remember leads to simplifications, and simplifications lead to weak passwords or using the same password everywhere, which is exactly what we want to avoid.

Saving passwords - where and how. In other words, how not to do it wrong.

If they cannot be remembered, they need to be written down somewhere. And here another problem appears - most methods people instinctively reach for are catastrophically insecure.

A sticky note attached to the monitor? A classic. Anyone who walks into the office can see passwords to company systems. One phone photo is enough.

A text file on the desktop named "hasla.txt"? A popular choice that makes all passwords available to anyone who gains access to the computer - remotely or physically. If the computer gets infected with malware, such a file is one of the first targets.

An Excel spreadsheet with passwords? Slightly safer if it is encrypted, but most people do not encrypt such files. And even an encrypted Excel spreadsheet is not a solution for a company.

A web browser? Saving passwords in a browser is convenient and to some extent acceptable for private accounts - but in a corporate environment it carries risk. Passwords saved in a browser can be relatively easily exported by malware, and synchronization through a Google or Microsoft account means corporate passwords end up in employees' private accounts.

Memory? As we already established - with dozens of strong, unique passwords, memory alone is simply not enough.

So what should you do?

There is one consistent solution to all these problems - a password manager. A tool that stores all passwords in an encrypted database, generates strong and unique passwords for every service, and requires you to remember only one - the master password. It is a solution that eliminates all the problems described above at the same time.
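What "generates strong and unique passwords for every service" means in practice, as an added example that is not taken from the article or from any particular password manager: each password is drawn independently from the operating system's secure random source, and the size of the search space is compared with the guessing speed mentioned earlier. The rate of 10 billion guesses per second and the function names are assumptions made for this illustration.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters
GUESSES_PER_SECOND = 10_000_000_000  # assumed attacker speed ("billions per second")
SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_password(length=16):
    """Draw a random password containing letters, digits and special characters."""
    if length < 12:
        raise ValueError("the article's minimum is 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw the whole password instead of patching characters in,
        # so every accepted password stays equally likely.
        if (any(c.isalpha() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def years_to_exhaust(length, alphabet_size=len(ALPHABET), rate=GUESSES_PER_SECOND):
    """Time to try every password of this length at the assumed guessing rate."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def vault_for(services, length=16):
    """One independent password per service, so a breach of one exposes only that one."""
    return {service: generate_password(length) for service in services}


if __name__ == "__main__":
    for service, password in vault_for(["email", "erp", "crm"]).items():
        print(f"{service}: {password}")
    seconds = years_to_exhaust(8, alphabet_size=26) * SECONDS_PER_YEAR
    print(f"8 lowercase letters: about {seconds:.0f} seconds")
    print(f"12 random characters: about {years_to_exhaust(12):,.0f} years")
```

At the assumed rate, eight lowercase letters are exhausted in about 21 seconds, while 12 random characters from the full set take roughly 1.5 million years.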

What it looks like at Helpwise

Password management is one of the first areas we review when taking a new company under our care. Very often we encounter environments where passwords for key systems are simple, repeated across multiple places, or stored in a way that provides no real protection.

Implementing a proper password policy and a corporate password manager is one of the fundamental steps that significantly increases the level of IT security - often without major financial investment, but with a real and immediate effect.


Learn what password management looks like in your company and what should be improved.

HELPWISE PHILOSOPHY

Is your company a fortress?

Most companies think they are secure - until they verify it. Take this step with us and ensure your data is truly protected.

Strong passwords

Password policy tailored to your organization

Password Manager

No more passwords on sticky notes and in Excel spreadsheets

MFA

An additional verification layer that blocks unauthorized access


Request an IT support services quote

Briefly describe your situation - we will respond within 24 hours with a tailored proposal.

The personal data you provide will be processed for the purpose of preparing and sending an offer for your company. More information about your rights related to GDPR can be found in our Privacy Policy and Cookie Policy.


Working hours

Mon – Fri, 8:00 AM – 6:00 PM

Office address

Patriots Street 303, 04-767 Warsaw

We guarantee a quick response. We reply to every inquiry within 24 hours. In urgent matters - call.
