Back to Kora Blog
Merchant Security Awareness

Six password good practices everyone should follow

May 28, 2024
May 28, 2024
4 min read
Cybersecurity and Risk Governance

Editor's note:

You're probably reusing dozens of similar passwords across all of your personal and business accounts. Don’t be surprised; lots of people do the same. But what is common is often not always the right thing.

Credentials are at the forefront of most cyberattacks, so it’s important to have good password hygiene to safeguard your account.

Sometimes we tend to develop habits like using a slight tweak of a main password, recycling the same passwords, and choosing easily identifiable words that are personal such as our names, pet’s name, or the name of our workplace.

Failure to carry out due diligence in creating strong passwords makes it easier for hackers to guess your login credentials and potentially take over your account or steal sensitive information.

In this post, we’ll share six tips to help you improve your password hygiene and reduce your exposure to cyber risks.

1. Try passphrases 

For years, it was common practice to use long, complex, and difficult-to-remember passwords such as bE7?EfG4KqFH8y#?GFh9!. However, using a few words strung together to form a passphrase can be a stronger and more difficult option for hackers to guess.

These passphrases are usually easier for users to remember, eliminating the need to write them down. Consider creating passphrases with a mix of uppercase, lowercase, and special characters.

2. Don’t reuse passwords

Whether you're using a password or passphrase, always use a unique one for every login account. 

While it's tempting to reuse a favourite password, it's a huge risk exposure. For example, if attackers compromise your password on a shopping site, they have your login credentials for every other site where you used that password. This is especially problematic when employees reuse passwords across personal and corporate accounts. So, make sure to educate your employees to avoid doing that.

3. Use password managers

Having a unique password or passphrase for every login means you have to manage many passwords. 

Unless you have a photographic memory, you might need a process or tool to help you remember those complex passwords and passphrases.

Writing them down on a sticky note or saving them in a file on your desktop is wrong and risky. Instead, use a password manager. 

These applications securely store all unique passwords and are capable of generating new ones when needed. Most password managers can synchronize across multiple devices, ensuring access to important passwords at all times. 

Additionally, they provide website verification features. If you accidentally click on a phishing link that leads to a malicious website instead of the authentic one, the password manager won’t automatically fill in your login credentials.

4. Review cycle frequency 

For years, it was recommended that users change their passwords every 90 days. And, for some use cases, that's still good practice. If your company uses single sign-on coupled with Multifactor authentication (MFA), 90 days may be the sweet spot. 

Organizations with passwordless authentication may determine whether annual password and passphrase changes can suffice. 

For particularly sensitive scenarios, a cycle of 30 or even 15 days might be more appropriate. The most important thing is to implement governance practices and work with the business to determine the optimal password change frequency for the organization as part of a comprehensive enterprise password policy.

5. Use Multifactor Authentication everywhere possible 

Another important tip involves implementing and enforcing two-factor authentication or multifactor authentication. Once implemented, it significantly reduces the risk of credential hijacking as attackers won't gain immediate access to the account.

Modern multifactor authentication is as simple as receiving a one-time passcode on your mobile device or auto-filling a one-time passcode from your password manager. This guarantees a safe and secure account.

6. Cultivate a culture of security awareness

Comprehensive security awareness training can go a long way toward promoting password hygiene. For example, teach all employees to take note of the following factors before logging in to an enterprise account:

  • Confirm the security status of the network connection before logging in to prevent unauthorized access or data breaches.
  • Verify login credential requests received via email, especially if they appear unsolicited, as they could be phishing attacks.
  • Exercise caution when clicking on links embedded in emails, as they may redirect to fraudulent login pages aimed at stealing your credentials.
  • Ensure the website's URL starts with HTTPS, as expected, which indicates a secure connection.


For businesses working in Africa, Kora provides All The Support You Need ™️ to start and scale with delightful payment products in pay-ins, payouts and settlements. Explore more at