Password Hygiene: A Simple Guide for Developers
Good password hygiene protects your accounts from attackers. This term means the daily habits that keep your passwords safe. Strong password hygiene rests on three main practices. First, use long and unique passwords for every account. Second, store them in a password manager, not in a text file. Third, change passwords whenever they might be compromised.
Poor password hygiene has caused many credential leaks. For example, in the CISA GitHub data leak, the exposed files contained dozens of plaintext passwords. Many followed simple patterns like [platform name][current year]. Consequently, attackers could guess those patterns with no trouble. For the full story, see our CISA GitHub data leak pillar post.
How Weak Passwords Made the CISA Leak Worse
The CISA GitHub data leak included a file named AWS-Workspace-Firefox-Passwords.csv. This file listed usernames and passwords for many internal CISA systems. Security researchers noticed a troubling pattern. Specifically, most of the passwords were very weak and easy to guess.
Here are some examples of the weak patterns they found:
| Pattern Type | Example | How Easy to Guess |
|---|---|---|
| Service plus current year | cisa-platform-2026 | Very easy |
| Generic admin pattern | govcloud-admin-2025 | Very easy |
| Service name, role word, and year | artifactory-read-only-2026 | Easy |
| Default credentials | admin:admin | Trivial |
Those passwords should never have been stored in plaintext; that is what put them directly into an attacker's hands. Their weakness made it worse. Passwords that follow a [service][year] pattern can be guessed without the file at all, and anyone who did find the file could use them immediately, with no cracking step. For a deeper look at how the leak happened, see our shadow sync developer risk guide.
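The patterns in the table are easy to check for mechanically. The following is an added example, not code from the original post or from any tool used in the incident: it reads a small CSV in the shape of a Firefox saved-logins export (url, username, password columns; the rows are constructed for this example and are not contents of the leaked file) and flags entries that match the default-credential, service-plus-year and role-plus-year patterns. The year window and the 12-character threshold are assumptions; tune them to your environment.

```python
import csv
import io
import re
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample in the shape of a Firefox "Saved Logins" CSV export
# (url,username,password columns). The rows are invented for this example
# and are not contents of the leaked file.
SAMPLE_CSV = """url,username,password
https://artifactory.example.internal,read-only,artifactory-read-only-2026
https://console.govcloud.example,admin,govcloud-admin-2025
https://platform.example.internal,svc-deploy,cisa-platform-2026
https://router.example.internal,admin,admin
https://vault.example.internal,alice,8xT$mK2pQ9vL#wR5
"""

# Default credentials commonly shipped by appliances and developer tooling.
DEFAULT_PAIRS = {("admin", "admin"), ("admin", "password"),
                 ("root", "root"), ("guest", "guest")}

YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def classify(url: str, username: str, password: str,
             reference_year: Optional[int] = None) -> Optional[str]:
    """Return why a password is weak, or None if no known pattern matches.

    reference_year defaults to the current year; a year within +/-3 of it
    counts as the "[platform name][current year]" pattern (assumed window).
    """
    year = reference_year or date.today().year
    host = re.sub(r"^https?://", "", url).split("/")[0]
    service = host.split(".")[0].lower()      # "artifactory", "console", ...
    user = username.lower()
    pw = password.lower()

    if (user, pw) in DEFAULT_PAIRS:
        return "default credentials"
    if len(password) < 12:
        return "too short (<12 chars)"
    has_recent_year = any(abs(int(m.group()) - year) <= 3
                          for m in YEAR_RE.finditer(pw))
    service_in_pw = len(service) >= 3 and service in pw
    user_in_pw = len(user) >= 3 and user in pw
    if has_recent_year:
        if service_in_pw:
            return "service name + year"
        if user_in_pw or "admin" in pw:
            return "username/role word + year"
        return "word + year"
    if service_in_pw or user_in_pw:
        return "contains service name or username"
    return None


def audit(csv_text: str,
          reference_year: Optional[int] = None) -> List[Tuple[str, str, str]]:
    """Run classify() over every row; returns (url, username, reason) for weak entries."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(row["url"], row["username"], row["password"], reference_year)
        if reason:
            findings.append((row["url"], row["username"], reason))
    return findings


if __name__ == "__main__":
    for url, user, reason in audit(SAMPLE_CSV, reference_year=2026):
        print(f"{user}@{url}: {reason}")
```

Run it against a real browser or password-manager export before anything else touches the file, then delete the export; the point of the check is to find entries like the first four rows, which fall to a pattern dictionary regardless of how they are stored.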
Common Password Mistakes That Ruin Password Hygiene
Developers often repeat the same password errors. Below are the most frequent ones. Avoiding them is essential for good password hygiene.
Mistake 1 – Reusing passwords across many accounts
Using the same password for GitHub, AWS, and internal tools is very risky. If one of those services is breached, attackers replay the leaked password against the others (credential stuffing), so every account that shares it is compromised at once.
Mistake 2 – Using simple patterns
Passwords like Company2026 or Winter2026 are too easy to guess. Attackers have large dictionaries of common patterns.
Mistake 3 – Saving passwords in plaintext files
Storing passwords in CSV files, text files, or spreadsheets is extremely dangerous. Anyone who finds the file, including an automated scanner watching public repositories, can read them all.
Mistake 4 – Skipping multi‑factor authentication (MFA)
Even a strong password can be stolen, through phishing, malware, or a leaked file. Without MFA, the stolen password alone is enough to log in.
Mistake 5 – Never changing passwords
A password that has appeared in a breach stays usable by attackers until you change it. Rotate it as soon as you suspect exposure; a password you never revisit stays exposed indefinitely.
The CISA leak included all these mistakes. The contractor saved plaintext passwords in a CSV file. Moreover, many of those passwords followed simple patterns. For a guide to preventing credential leaks, see our GitHub secret scanning guide.
Why Weak Passwords Cause Big Problems
Weak passwords create several serious risks. Here is what can happen.
| Risk | Consequence |
|---|---|
| Account takeover | Attackers log in as you and access sensitive data. |
| Privilege escalation | They use your access to reach more valuable systems. |
| Data breach | Customer or internal data gets stolen. |
| Reputation damage | Your organization loses trust. |
| Legal liability | Fines and lawsuits from regulators. |
In the CISA leak, the exposed passwords could have given attackers access to internal development tools, Artifactory, and AWS GovCloud. That would have been a disaster. Luckily, no one used them. For more on the Artifactory risks, see our Artifactory supply chain security guide.
How Attackers Crack Weak Passwords
Attackers have many ways to break or steal weak passwords. The most common methods are listed below.
- Brute force attacks – Here, attackers try every possible combination. Against a stolen hash cracked offline, short passwords (under 8 characters) fall in minutes on commodity GPUs; online login pages are usually rate-limited, which is why stolen password files and hash dumps matter most.
- Dictionary attacks – With this method, they use lists of common words, names, and patterns. As a result, passwords like Summer2026 fall quickly.
- Credential stuffing – In this scenario, they take passwords stolen from other breaches and try them on different services. This works when you reuse passwords.
- Phishing – For this technique, they trick you into typing your password on a fake login page. Even strong passwords are vulnerable to phishing.
- Scraping public repos – Finally, attackers scan GitHub for files containing passwords. The CISA leak was found this way.
Good password hygiene counters all these methods. Strong and unique passwords resist brute force and dictionary attacks. Meanwhile, password managers help you avoid reuse, which defeats credential stuffing, and they will not autofill on a look-alike domain. Finally, phishing-resistant MFA (hardware keys or passkeys) stops a phished password from being used; SMS and one-time codes can still be relayed by a real-time phishing kit, so how much MFA helps depends on the type. For a guide to stopping shadow sync, see our shadow sync developer risk guide.
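To show why the patterned passwords fall to a dictionary attack even when only their hashes leak, here is an added example (not code from the original post): it expands a tiny pattern dictionary of service, role and season words, separators, nearby years and common suffixes, and runs it against constructed targets hashed with unsalted SHA-256, the kind of fast hash a naive application might store. The target hashes are built inline from known plaintexts so the example runs offline; the word and year lists are assumptions. hashcat and john do the same expansion with rule files at far larger scale, and a slow salted hash such as bcrypt or Argon2 raises the cost per guess but does not rescue a password that sits in the first few thousand candidates.

```python
import hashlib
import itertools
from typing import Dict, Iterator, List, Optional, Tuple


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: the kind of fast hash a naive application might store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed targets: hashes built here from known plaintexts so the example
# runs offline. The last one is the random 16-character password from above.
TARGETS: Dict[str, str] = {
    "svc-deploy": fast_hash("cisa-platform-2026"),
    "read-only": fast_hash("artifactory-read-only-2026"),
    "ops": fast_hash("Summer2026"),
    "alice": fast_hash("8xT$mK2pQ9vL#wR5"),
}

# Assumed pattern dictionary: a few service/role/season words, separators,
# nearby years and common suffixes.
WORDS = ["cisa", "artifactory", "govcloud", "platform", "admin",
         "read-only", "summer", "winter"]
SEPARATORS = ["", "-", "_", "."]
YEARS = [str(y) for y in range(2023, 2028)]
SUFFIXES = ["", "!", "!!", "1"]


def candidates() -> Iterator[str]:
    """Yield every [words][sep][year][suffix] combination in three casings."""
    groups = [(w,) for w in WORDS]
    groups += list(itertools.permutations(WORDS, 2))
    groups += list(itertools.permutations(WORDS, 3))
    for words in groups:
        for sep in SEPARATORS:
            base = sep.join(words)
            for variant in (base, base.capitalize(), base.upper()):
                for year in YEARS:
                    for suffix in SUFFIXES:
                        yield f"{variant}{sep}{year}{suffix}"


def crack(targets: Dict[str, str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Return ({user: recovered password or None}, number of guesses made)."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest, []).append(user)
    recovered: Dict[str, Optional[str]] = {user: None for user in targets}
    tried = 0
    for guess in candidates():
        tried += 1
        digest = fast_hash(guess)
        for user in by_hash.get(digest, []):
            recovered[user] = guess
    return recovered, tried


if __name__ == "__main__":
    found, n = crack(TARGETS)
    for user, pw in found.items():
        print(f"{user}: {pw or 'not recovered'}")
    print(f"{n} guesses")
```

The three patterned passwords are recovered after fewer than 100,000 guesses, which takes well under a second; the random 16-character password is not in any dictionary of this shape and would need on the order of 2^95 guesses by brute force.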
Seven Easy Steps to Improve Your Password Hygiene
Follow these seven recommendations. Each one directly improves your password hygiene.
First, use a password manager.
A password manager (like 1Password, Bitwarden, or KeePass) stores all your passwords safely. You only need to remember one master password. The manager creates long, random passwords for every account.
Next, create strong, random passwords.
Good passwords are long (at least 16 characters) and generated randomly by your password manager, drawing on uppercase, lowercase, numbers, and symbols. For example: 8xT$mK2pQ9vL#wR5. Do not choose dictionary words or phrases yourself; a passphrase is fine only if its words are picked at random from a large list.
Then, never reuse passwords.
Every account needs a unique password. Password managers make this easy.
Always turn on MFA everywhere.
Use phishing‑resistant MFA like hardware keys (YubiKey) or passkeys. Avoid SMS or TOTP when possible.
Change passwords regularly.
Rotate passwords immediately after any suspected breach or exposure, including when you find one in a file or repository. Many organizations also enforce a fixed schedule, such as every 90 days, for high-risk accounts. Note that NIST SP 800-63B advises against forcing periodic changes on their own, because users respond with predictable sequences like Company2025, Company2026; exposure-driven rotation is the part that matters.
Avoid storing passwords in plaintext files.
No CSV, no text files, no spreadsheets. Use a password manager or a secrets manager (like AWS Secrets Manager).
Finally, audit your passwords often.
Use tools to check for weak, reused, or exposed passwords. Many password managers include this feature.
For a guide to protecting cloud credentials, see our AWS GovCloud explained guide.
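Steps two, three and seven above (random generation, no reuse, regular audits) can be demonstrated in a few lines. The following is an added example, not code from the original post or from any password manager: it generates passwords and passphrases from the operating system's CSPRNG via the `secrets` module, estimates their entropy, and audits a constructed vault export for reused and short entries. The symbol set, the 16-word list and the sample vault are assumptions made for the example; a real passphrase generator uses a large list such as the EFF long list (7776 words).

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Assumed symbol set; some sites reject certain characters, so adjust per site.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
ALPHABET_SIZE = len(ALPHABET)   # 76

# Constructed word list, far too small for real use; it only shows the
# mechanics. Strength comes from the list size, not the words chosen.
WORDS = ["anchor", "basket", "cobalt", "dune", "ember", "falcon", "granite",
         "harbor", "iris", "juniper", "kestrel", "lantern", "marble", "nebula",
         "orchid", "pioneer"]


def generate_password(length: int = 20) -> str:
    """Uniformly random password from the OS CSPRNG (never random.choice)."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist: List[str] = WORDS) -> str:
    """Diceware-style passphrase: each word drawn uniformly from the list."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbols: int, pool_size: int) -> float:
    """Entropy of `symbols` uniform picks from a pool of `pool_size`.

    Valid for generated secrets only; a human-chosen password has far
    less entropy than this formula suggests.
    """
    return symbols * math.log2(pool_size)


def audit_vault(vault: Dict[str, str], min_length: int = 16) -> Dict[str, List[str]]:
    """Flag reused and short entries in an {account: password} export."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    issues: Dict[str, List[str]] = {"reused": [], "short": []}
    for pw, accounts in by_password.items():
        if len(accounts) > 1:
            issues["reused"].extend(accounts)
        if len(pw) < min_length:
            issues["short"].extend(accounts)
    issues["reused"].sort()
    issues["short"].sort()
    return issues


# Constructed vault export for the audit.
SAMPLE_VAULT = {
    "github": "Company2026!",
    "aws-console": "Company2026!",
    "artifactory": "Company2026!",
    "jira": "x7Q$gN2vLp9#Wr4m",
    "wiki": "wiki1234",
}

if __name__ == "__main__":
    print(generate_password(20), f"~{entropy_bits(20, ALPHABET_SIZE):.0f} bits")
    print(generate_passphrase(6), f"~{entropy_bits(6, len(WORDS)):.0f} bits (tiny list)")
    print("6 words from a 7776-word list:", f"~{entropy_bits(6, 7776):.0f} bits")
    print(audit_vault(SAMPLE_VAULT))
```

A 20-character password from a 76-symbol set carries about 125 bits; six words from a 7776-word list carry about 78 bits, which is plenty for a master password you have to type, while the 16-word list here gives only 24 bits and exists only to show the arithmetic. The audit flags the three accounts sharing Company2026! as reused and all four short entries.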
What to Do If Your Password Gets Exposed
If you learn that a password has leaked, act fast. Follow these steps in order.
Immediately change the compromised password.
Do not wait. Create a new, strong password using your password manager.
Next, look for unauthorized access.
Review account logs for suspicious activity. Check for logins from unknown places or devices.
Then, update any other accounts that used the same password.
If you reused the password, change it everywhere. This is also a good time to stop reusing passwords.
Also, turn on MFA if you have not already.
Add an extra layer of security to prevent future compromises.
After that, tell your security team.
They may need to investigate further or rotate other credentials.
Finally, learn from what happened.
Figure out how the password was exposed. Was it in a public repo? A phishing email? A shared document? Then fix the root cause.
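The "look for unauthorized access" step above is the one people tend to do by eye. As an added example (not code from the original post, and not tied to any particular platform's log format), the following reads constructed login events as JSON lines, builds a baseline of (IP, user agent) pairs from the affected user's successful logins before the assumed exposure time, and flags every successful login after that time from a pair not in the baseline; it also counts failed attempts from the same IP shortly before a flagged login, which suggests the password was guessed rather than simply pasted in. The field names, timestamps and exposure time are all assumptions; CloudTrail ConsoleLogin events, GitHub audit-log entries or SSO logs would need only the field names changed.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed login events as JSON lines in a generic shape.
LOG_LINES = """\
{"ts":"2026-03-01T09:12:00Z","user":"svc-deploy","ip":"203.0.113.10","ua":"Firefox/124","result":"success"}
{"ts":"2026-03-02T09:15:00Z","user":"svc-deploy","ip":"203.0.113.10","ua":"Firefox/124","result":"success"}
{"ts":"2026-03-05T02:41:00Z","user":"svc-deploy","ip":"198.51.100.77","ua":"python-requests/2.31","result":"failure"}
{"ts":"2026-03-05T02:41:30Z","user":"svc-deploy","ip":"198.51.100.77","ua":"python-requests/2.31","result":"success"}
{"ts":"2026-03-05T10:00:00Z","user":"alice","ip":"203.0.113.10","ua":"Firefox/124","result":"success"}
"""

# Assumed: when the credential is known or suspected to have been exposed.
EXPOSED_AT = datetime(2026, 3, 4, tzinfo=timezone.utc)


def parse_events(lines: str) -> List[Dict]:
    """Parse JSON lines; timestamps become timezone-aware datetimes."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def suspicious_logins(events: List[Dict], user: str, exposed_at: datetime) -> List[Dict]:
    """Successful logins for `user` after exposure from an (ip, user-agent)
    pair never seen in that user's successful logins before exposure.
    A user with no pre-exposure history has every later login flagged,
    which is the conservative outcome for an incident review."""
    baseline = {(e["ip"], e["ua"]) for e in events
                if e["user"] == user and e["result"] == "success"
                and e["ts"] < exposed_at}
    return [e for e in events
            if e["user"] == user and e["result"] == "success"
            and e["ts"] >= exposed_at and (e["ip"], e["ua"]) not in baseline]


def preceding_failures(events: List[Dict], login: Dict, window_seconds: int = 300) -> int:
    """Failed attempts for the same user from the same IP within the window
    before `login`: a sign the password was guessed, not just replayed."""
    return sum(1 for e in events
               if e["user"] == login["user"] and e["ip"] == login["ip"]
               and e["result"] == "failure"
               and 0 <= (login["ts"] - e["ts"]).total_seconds() <= window_seconds)


if __name__ == "__main__":
    events = parse_events(LOG_LINES)
    for login in suspicious_logins(events, "svc-deploy", EXPOSED_AT):
        print(f"{login['ts'].isoformat()} {login['ip']} {login['ua']} "
              f"(failures just before: {preceding_failures(events, login)})")
```

In the sample, the 02:41:30 login from 198.51.100.77 with a scripted user agent is flagged, preceded by one failure from the same address; the earlier browser logins from the office address are the baseline and are not. Treat the flagged window as the minimum scope for what else the attacker may have reached.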
Frequently Asked Questions About Password Hygiene
To help you apply good password hygiene, here are answers to common questions.
How long should a password be?
At least 16 characters. Longer is better. A 20‑character random password is very hard to crack. This is a core part of password hygiene.
Is a password manager safe?
Yes, if you use a good one. Keep your master password very strong. Additionally, turn on MFA for the password manager account.
What is the difference between a password manager and a secrets manager?
Password managers store credentials for people to use. Meanwhile, secrets managers (like AWS Secrets Manager) store API keys and tokens for apps.
Why did the CISA leak have plaintext passwords?
The contractor saved them in a CSV file for convenience. A password manager, or a secrets manager for service credentials, would have kept them encrypted and out of any file that could be synced into a repository.
How can I check if my password has been exposed?
Many password managers have a built‑in breach checker. You can also use online services, but be careful with external sites.
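The "be careful with external sites" caveat has a concrete answer: the widely used breach-check protocol never sends your password, or even its full hash, to the service. As an added example (not code from the original post or from any password manager), the following implements that k-anonymity range lookup: it hashes the password with SHA-1, sends only the first five hex characters of the digest, and matches the remaining 35 characters locally against the "SUFFIX:COUNT" lines the Pwned Passwords range API returns. The breach corpus here is a constructed in-memory stand-in so the example runs offline; `fetch_range_online` shows the real HTTPS call but is not invoked.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 of the password as upper-case hex, split into a 5-char prefix
    (the only part that leaves the machine) and the 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def exposure_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the breach corpus (0 = not found).

    `fetch_range(prefix)` returns the service's "SUFFIX:COUNT" lines for
    every hash sharing that prefix; the match is done locally.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        cand_suffix, _, count = line.strip().partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range API (not called here)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range_service(known: Dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in built from a constructed {plaintext: count} table,
    answering in the same "SUFFIX:COUNT" line format as the real API."""
    table: Dict[str, List[str]] = {}
    for pw, count in known.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    return lambda prefix: "\r\n".join(table.get(prefix, []))


# Constructed breach corpus for the offline demo.
DEMO_SERVICE = constructed_range_service({
    "password": 10_000_000,
    "Summer2026": 42,
    "cisa-platform-2026": 3,
})

if __name__ == "__main__":
    for pw in ("Summer2026", "8xT$mK2pQ9vL#wR5"):
        n = exposure_count(pw, DEMO_SERVICE)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

Because the service sees only a 5-character prefix shared by roughly one in a million hashes, it learns nothing useful about which password you checked; the `Add-Padding` header further hides which prefix responses are "interesting". Never paste a password into a form on a site you do not control, and prefer the built-in check in your password manager, which uses this same protocol.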
Does MFA replace strong passwords?
No. Use both. Strong passwords stop offline cracking. At the same time, MFA stops stolen passwords from being used.
Summary
Password hygiene is not complicated, but it requires consistency. Use a password manager, create long random passwords, never reuse them, turn on MFA, and audit regularly. These habits would have kept plaintext passwords out of the CISA GitHub data leak and made any exposed credential far less useful to an attacker. Start today.