Using only a password to access or manage systems remotely is unwise and should be seen as a “bad practice,” according to the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security. In June, the CISA decided to collect bad practices that are extremely risky and actually increase cyber risks for organizations. The first two bad practices the CISA warned about were the use of end-of-life software and the use of known/hardcoded/default passwords. As a third bad practice, the use of single-factor authentication has now been added, where only a user name and password are logged into a system. The CISA identifies the use of a password alone as particularly dangerous when used to remotely access or manage critical infrastructure systems, as it significantly increases the risk to national security, national economic security, public health and public safety. Although the critical infrastructure is specifically mentioned, the CISA calls on all organizations to address this bad practice.