If there’s anything harder than remembering the hundreds of passwords you have to use every day just to work, shop online, or read the news, it’s keeping those passwords safe from hackers. That’s why so many people rely on password managers: encrypted databases of all your credentials that you access using one very secure password.

Password managers are a huge step up from what too many people do: create endless variations — adding an exclamation point, swapping the letter O to the numeral 0, tacking on your anniversary date — on a single password. Yet research from Independent Security Evaluators found that all four of the top password managers have security weaknesses that put their combined 60 million users at risk.

If reusing the same password is a terrible idea, varying “yourname2019” with “y0urName-2019” and “YOURname/20-19?” isn’t a winning solution, and using a password manager isn’t quite as secure as promised, then how can you ever hope to keep your data safe? The answer is to use a variety of strategies and to stay vigilant.

Password Problems

Using a password manager is a good first step in data security. The problem with relying on them, however, is that most store data in plaintext in computer memory, enabling hackers to access passwords before they are overwritten by other processes. Because password managers are becoming more common and they store a user’s entire database of credentials, they’ll become a more frequent target in the coming years.

One key takeaway from the Independent Security Evaluators paper examining password managers is that, despite imperfections, these applications are still better than some typical alternatives. For example, an estimated that 70% of people reuse the same password for logging in to multiple accounts. This approach is the least secure, and if you use the same password enough times over the course of a year or two, I can pretty much guarantee it has already been sold on the dark web.

If you have an account with a retailer like Target that falls victim to a data breach, as 75% of retailers already have, then hackers are not only using your information to open up fake accounts or make fraudulent purchases, but they are also selling your login on the dark web for pennies. If you use the same password in your Target account as you do for banking, you could be in serious trouble.

Before you go and make a slight change to your password like adding a number or changing a letter, realize that this alteration almost certainly isn’t enough. Researchers at the Department of Computer Science at Virginia Tech created a computer program that looked at previous passwords and tried to guess what new iterations people would use. It guessed right about 50% of the time.

So by all means, use a password manager. It’s a much better solution than using the same or slightly varied password repeatedly or using an Excel spreadsheet or yellow sticky notes adhered to your computer screen. Just make sure the password manager is your first — not only — step toward protecting your business’s data.

Password Protection

Weak password handling practices lead to about 81% of data breaches, and those breaches can be devastating. On average, companies that manage to stay open end up paying $5.85 million over the two years after a breach. Take these three steps to protect your passwords and secure your data as much as possible against a breach:

1. Train your team

People reuse passwords because they don’t know better, not because they want to live dangerously. Make sure your employees know what’s at stake with their password management and teach them how to create strong passwords. Most users change a’s to 4’s and e’s to 3’s, not realizing they’re creating a password that’s hard for them to remember but easy for a machine to guess. Make sure they know how to create secure but memorable passwords.

2. Rely on password protocols

Changing passwords can be a pain, but it’s an important security measure that most companies tend to overlook. Every two or three months, employees should update their passwords in case they’ve reused a similar one elsewhere and the data has been breached. When hackers buy credentials on the dark web, they use a credential stuffing attack to try every possible location the user might have used the same login info, including their web portal at work.

3. Watch for the warning signs

Passwords can’t protect you if your employees fall victim to every phishing email to enter their inboxes. Yes, everybody would love a free $500 Amazon gift card. Teach your employees to look closely at email addresses for subtle changes or misspellings and encourage them to ask for someone else’s advice if they’re not sure whether something is a scam.

Creating and remembering passwords is difficult, and keeping them updated makes security even harder. Yet your company’s security — and prosperity — depends on strong password security. If your company’s passwords have already been compromised, creating and securing new ones is urgent. Find out with a free dark web scan: We’ll scan your domain to see whether any credentials associated with your company have been stolen.