Don’t have time to read? Check out our podcast episode where we cover passwords, policies, and security: https://bit.ly/psswrdpdcst.
What do you think of when you hear the term “cybersecurity?” Do things like anti-virus, anti-malware, and firewalls come to mind? These are all critical factors in an appropriate, layered security plan. However, every organization needs another aspect of security that costs very little but can make a big difference – a password policy.
Passwords sit at the forefront of personal and professional security. We use passwords for virtually everything: bank accounts, social media, email, phones, streaming services, and a lot more. They are, essentially, keys to the virtual castle. So, how secure is your password policy?
Creating a password policy for your organization is your first defense against hackers and cybercriminals. And that’s why you need to ensure that you’re following password policy best practices. So, what exactly should you include in your password policy? Let’s take a look!
It’s tempting to create a short, memorable (often reused) password when creating a login. The problem is that easily guessable passwords, especially short ones, are prime targets for hackers, who employ bots: applications that run through millions of common passwords and variations in the hope that one of them is yours.
To avoid this, you need to practice some healthy password creation strategies:
- Skip the jumbled letters and numbers, and pick a relatively long (at least 14 characters) phrase.
- Make it unique but memorable to you.
- Adding capitals, numbers, and special characters is also a good idea.
Don’t Reuse Passwords
No matter your profession, reusing passwords is a horrible idea. It’s dangerous and insecure. Many of your employees already know that reusing passwords is unsafe, but they probably do it anyway.
One survey found that nearly half of information security professionals polled admitted to reusing passwords. If people whose job is information security aren’t following some of the most basic protocols for keeping information safe, your employees aren’t either.
That’s why you need to make it clear that your organization’s password policy does not allow the use of passwords more than once. Employees are much more likely to commit to using unique passwords with an explicit rule.
Don’t Overvalue Special Characters
When we create our passwords, we often overvalue complexity using special characters – this isn’t surprising. Nearly every website that requires a password gives us a set of variables that a password must meet. It must include a lowercase letter, an uppercase letter, a number, a special character, the list goes on. However, these requirements can lead to predictable patterns and encourage users to repeat or write down passwords because they are harder to remember.
Instead, we recommend creating passphrases. A passphrase is typically longer than a password, although it’s not just the length that gives a passphrase strength. Interestingly, when users only focus on length, they also end up creating predictable passwords such as “passwordpassword” or “purplepurplepurple.”
Instead, focus on creating a unique passphrase that even those closest to you wouldn’t be able to guess. This means that you shouldn’t include your or loved ones’ birthdates or names or your hobbies and interests. Try to create a completely random, unpredictable passphrase, such as “The Park Next To My House Is Green.”
This phrase may seem totally out of left field, but that’s actually what makes it a strong password. Or should we say passphrase?
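The guidance above (at least 14 characters, no single word repeated like “passwordpassword,” nothing drawn from your own names or dates, nothing on a common-password list) can be enforced mechanically when a user sets a password. The checker below is an added example, not code from the original article; the denylist and user profile it uses are constructed sample data standing in for a real breached-password list and a real directory record.

```python
"""Passphrase policy checker (added example, not from the original article).

Encodes the article's guidance as checks: minimum length, no passphrase
built from one repeated word, nothing taken from the user's own names or
dates, and nothing on a common-password list. SAMPLE_DENYLIST and the
profile passed in are constructed sample data, not real breach data.
"""
import re
from typing import Optional

MIN_LENGTH = 14

# Constructed stand-in for a real common-password denylist.
SAMPLE_DENYLIST = {"password", "letmein", "qwerty123456", "iloveyou", "welcome1"}


def _normalize(text: str) -> str:
    """Lower-case and keep only letters and digits, so 'Purple Purple'
    and 'purplepurple' are judged the same way."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_repetition(text: str) -> bool:
    """True when the passphrase is a shorter unit repeated two or more
    times ('passwordpassword', 'purplepurplepurple').

    A string is periodic exactly when it occurs inside itself doubled
    with the first and last character trimmed off."""
    norm = _normalize(text)
    return len(norm) > 1 and norm in (norm + norm)[1:-1]


def contains_personal_info(text: str, profile: dict) -> bool:
    """True when any profile value of 3+ characters (name, pet, year)
    appears inside the normalized passphrase."""
    norm = _normalize(text)
    for value in profile.values():
        token = _normalize(str(value))
        if len(token) >= 3 and token in norm:
            return True
    return False


def check_passphrase(passphrase: str, profile: Optional[dict] = None,
                     denylist: set = SAMPLE_DENYLIST) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    violations = []
    if len(passphrase) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if _normalize(passphrase) in denylist:
        violations.append("appears on the common-password denylist")
    if is_repetition(passphrase):
        violations.append("is a single word repeated")
    if profile and contains_personal_info(passphrase, profile):
        violations.append("contains a name or date from the user's profile")
    return violations


if __name__ == "__main__":
    # Constructed sample profile for one user.
    profile = {"first_name": "Alice", "pet": "Rex", "birth_year": "1987"}
    for candidate in ["The Park Next To My House Is Green",
                      "passwordpassword",
                      "Purple Purple Purple",
                      "P@ssw0rd!",
                      "Alice loves Rex since 1987"]:
        result = check_passphrase(candidate, profile) or ["accepted"]
        print(f"{candidate!r}: {', '.join(result)}")
```

The repetition check normalizes case and punctuation first, so spacing or capitalizing a repeated word does not get it past the rule; the denylist lookup is on the normalized form for the same reason.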
As you start creating unique logins (as you should), it’s easy for them to get lost in the various websites using them. Therefore, you might think to write them down or keep your logins in a document. However, this isn’t a recommended method. Not only does it set a bad precedent (creating an accessible point of high-value info), it’s dangerous for both individuals and companies.
Use a Password Management System
Although it’s a terrible idea to use the same password across multiple sites, it’s not surprising that individuals still do it. Most people have well over a hundred digital accounts. And each one requires a username and password. With that many passwords, it’s no wonder that people aren’t memorizing hundreds of unique sets of usernames and passwords. So instead, they cheat. Either they write all of their various passwords down, or they reuse the same password across multiple sites. Even worse, they may do both. And both are extremely dangerous.
Set them up with a password manager to keep your employees from picking up either of these bad habits. A password manager will allow them to store all of their unique passwords in one place and save them for future use. Many will also help generate strong, secure passwords for your employees. There are several excellent options for password managers; we use and recommend LastPass.
Using a password manager securely stores and autogenerates passwords, so your employees won’t have to worry about remembering their passwords (which tempts them to reuse or write them down).
Here’s where things get tricky. In most scenarios, sharing passwords is not recommended, since every extra person who knows a login doubles the risk of it being leaked. It also goes against advice you commonly hear: never share your password with anyone.
Often, malicious parties attempt to take your password by simply asking for it, claiming they’re part of an administrator/management team. It’s worse if they use social engineering to pose as a friend or coworker, requesting a “lost login” for a project.
If sharing is unavoidable, the only safe strategy is to do it through password management software, just as you would for storing passwords.
There are several critical reasons for this:
- Management software encrypts passwords, so they stay protected even when accessed by different team members.
- The software ensures that all users have the up-to-date login; if you need to respond quickly to a password change, everyone’s on the same page.
- Some management software can track password usage behavior. Tracking allows you to identify unusual login behavior, such as multiple incorrect login attempts on a device and/or browser.
- Passwords are kept in one place rather than spread out among users, where they can be leaked or stolen.
Implementing A Password Strategy
Even with all the methods and recommendations you’ve read about, it won’t mean much if you don’t follow good password strategies. This is especially important in a business situation.
If your enterprise needs to tighten up on login security, we recommend deploying these points inside your organization:
- Password Security Tip 1
Make sure each user utilizes complex passwords via the methods we’ve suggested. One weak login is all it takes to compromise internal security.
- Password Security Tip 2
Create a list of easy-to-follow guidelines visible to all staff members. Written password guidelines assure they’re “in the know” and have a procedure to follow.
- Password Security Tip 3
Speaking of procedures, have a backup plan in case a password is lost. In most cases, this falls under a BDR (backup and disaster recovery) umbrella, but you’ll want a unique approach for logins too. For instance, if a password is lost, the backup plan could call for an email to be sent to all staff recommending they immediately change logins.
- Password Security Tip 4
Have different logins for different platforms. Users might log in to their workstation but also need a password for a certain kind of software. Though it’s arduous, this creates additional layers of protection.
- Password Security Tip 5
Enable two-factor authentication. MFA is a healthy modern solution to password concerns, as it means a device is required along with the login.
Once you establish these guidelines, you create a strong foundation for good password habits. Not only for an enterprise but on a personal level too.
Multi-Factor Authentication (MFA)
If you aren’t using multi-factor authentication (MFA) at your organization, it’s time to jump on the bandwagon. MFA will take your password game to the next level and make your organization much more secure. Most software programs have MFA built-in, and it just gives your company an additional layer of protection.
With MFA, websites require an additional one-time authentication code sent to the user’s phone, email, or other device. That way, even if a criminal gets their hands on your password, they will remain locked out of your account without the authentication code.
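The article describes the code as something sent to the user’s phone; the most common app-generated variant is TOTP (RFC 6238), where phone and server derive the same six-digit code from a shared secret and the current 30-second time slot. The verifier below is an added example, not code from the original article or any particular product. It assumes the RFC 6238 test-vector secret (not a real key), a skew window of one time step on either side, and tracks the last accepted slot so the same code cannot be replayed.

```python
"""TOTP generation and server-side verification (added example, not from
the original article).

Shows how authenticator-app codes are produced (RFC 4226 HOTP under an
RFC 6238 time counter) and the two checks a server should make: compare
in constant time, and never accept a time slot at or below one already
used. TEST_SECRET is the RFC 6238 Appendix B test key, not a real secret.
"""
import hashlib
import hmac
import struct
from typing import Optional

TEST_SECRET = b"12345678901234567890"   # RFC 6238 test-vector key (ASCII)
STEP_SECONDS = 30                        # standard TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check for one user's enrolled secret.

    window=1 accepts the previous, current and next time step to absorb
    clock skew (an assumed policy, not from the article). last_counter
    remembers the highest accepted step so a captured code is useless
    once it has been used."""

    def __init__(self, secret: bytes, digits: int = 6,
                 step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_counter: Optional[int] = None

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            # Replay protection: anything at or below the last accepted
            # step is refused even if the digits match.
            if self.last_counter is not None and counter <= self.last_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: time 59 with 8 digits gives 94287082.
    print("code at t=59:", totp(TEST_SECRET, 59, digits=8))
    v = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    print("accepted 11 s later:", v.verify(code, 70))   # within skew window
    print("replayed:", v.verify(code, 75))               # same code refused
```

The window is a trade-off: each extra step accepted multiplies the number of codes that will pass at any moment, so keep it as small as the fleet’s clock drift allows, and make the replay check stick (persist last_counter per user) rather than keeping it only in process memory.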
Cybersecurity is a growing concern, and there are many aspects of it to consider. Passwords are a crucial aspect of an integrated, layered approach to security, which is your best shot at keeping your organization protected. So, make your first defense strong.
In the end, passwords are only as strong as users make them. If you want to encourage strong passwords in your organization, one of the best ways is to implement a formal, written password policy. A password policy will provide guidelines and requirements for your employees to help them create strong passwords. It will also give them the tools to practice better habits with their passwords.
To learn more about protecting you and your business from cybersecurity threats, check out our Ultimate Guide To Cybersecurity!