
Require Strong Passwords in Government
Protect your organization by requiring your team to use strong passwords and a password manager.
Strong Passwords Mean More Secure Accounts
State, local, tribal and territorial (SLTT) governments are frequent targets for cybercriminals—and weak or stolen passwords are one of the easiest ways these criminals can get into government accounts and systems.
Many people still use weak passwords to protect important information. According to the National Cybersecurity Alliance's (NCA) annual Oh, Behave! survey, 35% of people still use personal details—like pet names or family members—in their passwords, with Gen Z (52%) and Millennials (45%) leading the risky trend. With the trend in Bring Your Own Device (BYOD) programs in the workplace, risky passwords may offer threat actors a way into SLTT systems.
For SLTTs managing critical infrastructure, a compromised password can have far-reaching consequences. These sectors are high-value targets for both criminal and nation-state actors seeking to disrupt essential services or access sensitive citizen data. A single compromised login could lead to operational outages or data exposure affecting entire communities.
In one case documented by CISA, a former employee’s admin credentials were used to access a state government’s VPN and internal systems. The credentials had been exposed in a previous breach and were never deactivated.
The good news? You can significantly reduce your risk by requiring your employees to use strong passwords and a password manager.
Set an example by using long, random, unique passwords on all your accounts and store them in a password manager. Work with your IT team or provider to require employees to take these actions to access government systems. Encourage your constituents, contractors and vendors to strengthen their passwords too, especially when interacting with your systems.
Make Strong Passwords Part of Your Cybersecurity Culture
From court records to 911 dispatch systems, SLTT government networks hold sensitive data and power essential services. Requiring strong passwords—and enabling phishing-resistant multifactor authentication (MFA)—is one of the simplest and most effective ways to keep cyber attackers out of your systems.
Build a culture of cybersecurity by making strong passwords standard practice.
Require strong, unique passwords.
Protect your organization by enforcing policies that require strong passwords. Strong passwords are:
- Long: At least 16 characters long (more is better)
- Random: A mix of upper and lowercase letters, numbers, and symbols or a passphrase of 5–7 unrelated words
- Unique: Each password used for only one account
Strong passwords are especially important for administrators, department heads and those with access to citizen data or infrastructure systems.
Many systems let you set password rules to enforce these standards. Speak with your IT department or security manager to set secure password requirements. Review current guidance regularly and update your password policies when it changes.
Pair strong passwords with multifactor authentication (MFA), also known as two-factor authentication (2FA). MFA—especially the phishing-resistant forms that use an app or hardware token—adds a critical layer of security even if a password is stolen. MFA is now required by many federal grants and cybersecurity mandates. Start with administrator and remote access accounts, then expand to all users.
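The three rules above (long, random, unique) are concrete enough to check and to generate against. The following Python is an added example, not CISA's code or any product's: it produces random passwords and passphrases the way a password manager's generator does, using the operating system's CSPRNG via the `secrets` module, and it checks a candidate against the page's policy. The word list, the record of "already used" password digests, and the separator handling are constructed for this example; a real deployment would use a large vetted word list and its own credential store.

```python
import re
import secrets
import string
from hashlib import sha256

# Policy values taken from the guidance on this page.
MIN_LENGTH = 16
PASSPHRASE_MIN_WORDS = 5
PASSPHRASE_MAX_WORDS = 7

# Constructed word list so the example runs offline; real generators draw
# from thousands of words so that 5-7 of them give enough entropy.
WORDLIST = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zephyr",
]


def is_random_mix(password):
    """True if the password has upper- and lowercase letters, a digit and a symbol."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def is_passphrase(password):
    """True if the password is 5-7 distinct words separated by spaces or punctuation."""
    words = [w for w in re.split(r"[\s\-_.,;:/]+", password) if w]
    return (
        PASSPHRASE_MIN_WORDS <= len(words) <= PASSPHRASE_MAX_WORDS
        and len({w.lower() for w in words}) == len(words)
    )


def generate_password(length=20):
    """Random character password from the CSPRNG; retried until every class appears."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_random_mix(candidate):
            return candidate


def generate_passphrase(words=6, separator="-"):
    """Random passphrase of distinct words, sampled without replacement."""
    return separator.join(secrets.SystemRandom().sample(WORDLIST, words))


def fingerprint(password):
    """Digest used to remember that a password is in use without storing it.
    (Constructed stand-in for a password manager's vault-wide reuse check;
    it is not a password hash for storage, which needs a slow, salted KDF.)"""
    return sha256(password.encode()).hexdigest()


def check_policy(password, known_fingerprints=frozenset()):
    """Return the list of page rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"too short: {len(password)} < {MIN_LENGTH}")
    if not (is_random_mix(password) or is_passphrase(password)):
        failures.append("not a random character mix or a 5-7 word passphrase")
    if fingerprint(password) in known_fingerprints:
        failures.append("already used for another account")
    return failures


if __name__ == "__main__":
    for candidate in (generate_password(), generate_passphrase(), "Fluffy2019"):
        print(candidate, "->", check_policy(candidate) or "OK")
```

The "unique" rule cannot be checked from a single password; it needs a record of what is already in use, which is exactly the bookkeeping a password manager does for its users and why the page pairs the two recommendations.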
Provide a password manager.
An organization-wide password manager makes it easier for employees to follow best practices. It:
- Generates complex passwords
- Fills them in automatically
- Stores them securely
Employees only need to remember one strong master password for the password manager itself. This helps prevent password reuse, weak passwords and accidental breaches.
As your organization matures, consider moving to an identity and access management (IAM) system with single sign-on (SSO), which lets users securely access multiple systems with one set of credentials.
Change default passwords.
Many hardware and software products come “out of the box” with default usernames and passwords that are widely known and easily exploited. These default passwords may even be printed on the device or listed online. Require staff to change default credentials before using systems.
Set password management policies.
Ensure your IT policies include:
- Scheduled password updates for privileged accounts
- Immediate disabling of default or unused accounts
- Logging and monitoring of failed login attempts
- Regular training on password-related scenarios (such as credential harvesting and MFA fatigue attacks) and phishing simulations
Align your password policies with frameworks like the National Institute of Standards and Technology’s Digital Identity Guidelines (SP 800-63) and any applicable state or federal compliance standards.
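The "logging and monitoring of failed login attempts" item is the one policy point above that turns into detection logic. The Python below is an added example, not CISA's code or a vendor's rule set: it parses constructed authentication log lines (the `result=/user=/src=` format and the timestamps are made up for this example) and raises three kinds of alert that a password-related policy would want surfaced: repeated failures for one account from one source, one source failing against many different accounts, and a success that follows a run of failures. The thresholds and the 10-minute window are assumptions to tune to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simple syslog-like format; field names are an
# assumption for this example, not any product's real format. Addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-02T08:00:01Z auth result=FAIL user=jsmith src=203.0.113.7
2024-05-02T08:00:04Z auth result=FAIL user=jsmith src=203.0.113.7
2024-05-02T08:00:07Z auth result=FAIL user=jsmith src=203.0.113.7
2024-05-02T08:00:09Z auth result=FAIL user=jsmith src=203.0.113.7
2024-05-02T08:00:12Z auth result=FAIL user=jsmith src=203.0.113.7
2024-05-02T08:00:15Z auth result=OK user=jsmith src=203.0.113.7
2024-05-02T08:01:00Z auth result=FAIL user=admin src=198.51.100.9
2024-05-02T08:01:02Z auth result=FAIL user=clerk src=198.51.100.9
2024-05-02T08:01:04Z auth result=FAIL user=dispatch src=198.51.100.9
2024-05-02T08:01:06Z auth result=FAIL user=records src=198.51.100.9
2024-05-02T08:01:08Z auth result=FAIL user=finance src=198.51.100.9
2024-05-02T08:02:00Z auth result=FAIL user=mlee src=192.0.2.44
2024-05-02T08:02:30Z auth result=OK user=mlee src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed thresholds; tune to your own baseline of legitimate typos.
FAIL_THRESHOLD = 5    # failures for one (user, source) pair inside the window
SPRAY_THRESHOLD = 5   # distinct users failing from one source inside the window
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: ignore rather than abort monitoring
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events, window=WINDOW):
    """Return a sorted list of (alert_kind, subject) pairs found in the events."""
    alerts = set()
    pair_fails = defaultdict(list)   # (user, src) -> timestamps of failures
    src_fails = defaultdict(list)    # src -> (timestamp, user) of failures
    for ts, result, user, src in sorted(events):
        # Keep only failures still inside the sliding window for this pair.
        recent_pair = [t for t in pair_fails[(user, src)] if ts - t <= window]
        if result == "FAIL":
            recent_pair.append(ts)
            if len(recent_pair) >= FAIL_THRESHOLD:
                alerts.add(("brute_force", f"{user}@{src}"))
            recent_src = [(t, u) for t, u in src_fails[src] if ts - t <= window]
            recent_src.append((ts, user))
            if len({u for _, u in recent_src}) >= SPRAY_THRESHOLD:
                alerts.add(("password_spray", src))
            src_fails[src] = recent_src
        elif len(recent_pair) >= FAIL_THRESHOLD:
            # A success right after a burst of failures deserves a look on its own.
            alerts.add(("success_after_failures", f"{user}@{src}"))
        pair_fails[(user, src)] = recent_pair
    return alerts and sorted(alerts)


def analyze(log_text):
    return detect(parse(log_text)) or []


if __name__ == "__main__":
    for kind, subject in analyze(SAMPLE_LOG):
        print(f"{kind:24} {subject}")
```

The single failure from mlee followed by a success produces nothing, which is the point of the window and threshold: the goal is to catch credential-guessing and a guessed password actually working, not to page someone for every mistyped login.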
